diff options
Diffstat (limited to 'js/src/jscompartment.h')
-rw-r--r-- | js/src/jscompartment.h | 1110 |
1 files changed, 1110 insertions, 0 deletions
diff --git a/js/src/jscompartment.h b/js/src/jscompartment.h new file mode 100644 index 000000000..7bfeee1f6 --- /dev/null +++ b/js/src/jscompartment.h @@ -0,0 +1,1110 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- + * vim: set ts=8 sts=4 et sw=4 tw=99: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef jscompartment_h +#define jscompartment_h + +#include "mozilla/LinkedList.h" +#include "mozilla/Maybe.h" +#include "mozilla/MemoryReporting.h" +#include "mozilla/Tuple.h" +#include "mozilla/Variant.h" +#include "mozilla/XorShift128PlusRNG.h" + +#include "builtin/RegExp.h" +#include "gc/Barrier.h" +#include "gc/NurseryAwareHashMap.h" +#include "gc/Zone.h" +#include "vm/GlobalObject.h" +#include "vm/PIC.h" +#include "vm/SavedStacks.h" +#include "vm/Time.h" +#include "wasm/WasmCompartment.h" + +namespace js { + +namespace jit { +class JitCompartment; +} // namespace jit + +namespace gc { +template <typename Node, typename Derived> class ComponentFinder; +} // namespace gc + +class LexicalEnvironmentObject; +class ScriptSourceObject; +struct NativeIterator; + +/* + * A single-entry cache for some base-10 double-to-string conversions. This + * helps date-format-xparb.js. It also avoids skewing the results for + * v8-splay.js when measured by the SunSpider harness, where the splay tree + * initialization (which includes many repeated double-to-string conversions) + * is erroneously included in the measurement; see bug 562553. + */ +class DtoaCache { + double d; + int base; + JSFlatString* s; // if s==nullptr, d and base are not valid + + public: + DtoaCache() : s(nullptr) {} + void purge() { s = nullptr; } + + JSFlatString* lookup(int base, double d) { + return this->s && base == this->base && d == this->d ? this->s : nullptr; + } + + void cache(int base, double d, JSFlatString* s) { + this->base = base; + this->d = d; + this->s = s; + } + +#ifdef JSGC_HASH_TABLE_CHECKS + void checkCacheAfterMovingGC() { MOZ_ASSERT(!s || !IsForwarded(s)); } +#endif +}; + +class CrossCompartmentKey +{ + public: + enum DebuggerObjectKind : uint8_t { DebuggerSource, DebuggerEnvironment, DebuggerObject, + DebuggerWasmScript, DebuggerWasmSource }; + using DebuggerAndObject = mozilla::Tuple<NativeObject*, JSObject*, DebuggerObjectKind>; + using DebuggerAndScript = mozilla::Tuple<NativeObject*, JSScript*>; + using WrappedType = mozilla::Variant< + JSObject*, + JSString*, + DebuggerAndScript, + DebuggerAndObject>; + + explicit CrossCompartmentKey(JSObject* obj) : wrapped(obj) { MOZ_RELEASE_ASSERT(obj); } + explicit CrossCompartmentKey(JSString* str) : wrapped(str) { MOZ_RELEASE_ASSERT(str); } + explicit CrossCompartmentKey(const JS::Value& v) + : wrapped(v.isString() ? WrappedType(v.toString()) : WrappedType(&v.toObject())) + {} + explicit CrossCompartmentKey(NativeObject* debugger, JSObject* obj, DebuggerObjectKind kind) + : wrapped(DebuggerAndObject(debugger, obj, kind)) + { + MOZ_RELEASE_ASSERT(debugger); + MOZ_RELEASE_ASSERT(obj); + } + explicit CrossCompartmentKey(NativeObject* debugger, JSScript* script) + : wrapped(DebuggerAndScript(debugger, script)) + { + MOZ_RELEASE_ASSERT(debugger); + MOZ_RELEASE_ASSERT(script); + } + + bool operator==(const CrossCompartmentKey& other) const { return wrapped == other.wrapped; } + bool operator!=(const CrossCompartmentKey& other) const { return wrapped != other.wrapped; } + + template <typename T> bool is() const { return wrapped.is<T>(); } + template <typename T> const T& as() const { return wrapped.as<T>(); } + + template <typename F> + auto applyToWrapped(F f) -> decltype(f(static_cast<JSObject**>(nullptr))) { + using ReturnType = decltype(f(static_cast<JSObject**>(nullptr))); + struct WrappedMatcher { + F f_; + explicit WrappedMatcher(F f) : f_(f) {} + ReturnType match(JSObject*& obj) { return f_(&obj); } + ReturnType match(JSString*& str) { return f_(&str); } + ReturnType match(DebuggerAndScript& tpl) { return f_(&mozilla::Get<1>(tpl)); } + ReturnType match(DebuggerAndObject& tpl) { return f_(&mozilla::Get<1>(tpl)); } + } matcher(f); + return wrapped.match(matcher); + } + + template <typename F> + auto applyToDebugger(F f) -> decltype(f(static_cast<NativeObject**>(nullptr))) { + using ReturnType = decltype(f(static_cast<NativeObject**>(nullptr))); + struct DebuggerMatcher { + F f_; + explicit DebuggerMatcher(F f) : f_(f) {} + ReturnType match(JSObject*& obj) { return ReturnType(); } + ReturnType match(JSString*& str) { return ReturnType(); } + ReturnType match(DebuggerAndScript& tpl) { return f_(&mozilla::Get<0>(tpl)); } + ReturnType match(DebuggerAndObject& tpl) { return f_(&mozilla::Get<0>(tpl)); } + } matcher(f); + return wrapped.match(matcher); + } + + // Valid for JSObject* and Debugger keys. Crashes immediately if used on a + // JSString* key. + JSCompartment* compartment() { + struct GetCompartmentFunctor { + JSCompartment* operator()(JSObject** tp) const { return (*tp)->compartment(); } + JSCompartment* operator()(JSScript** tp) const { return (*tp)->compartment(); } + JSCompartment* operator()(JSString** tp) const { + MOZ_CRASH("invalid ccw key"); return nullptr; + } + }; + return applyToWrapped(GetCompartmentFunctor()); + } + + struct Hasher : public DefaultHasher<CrossCompartmentKey> + { + struct HashFunctor { + HashNumber match(JSObject* obj) { return DefaultHasher<JSObject*>::hash(obj); } + HashNumber match(JSString* str) { return DefaultHasher<JSString*>::hash(str); } + HashNumber match(const DebuggerAndScript& tpl) { + return DefaultHasher<NativeObject*>::hash(mozilla::Get<0>(tpl)) ^ + DefaultHasher<JSScript*>::hash(mozilla::Get<1>(tpl)); + } + HashNumber match(const DebuggerAndObject& tpl) { + return DefaultHasher<NativeObject*>::hash(mozilla::Get<0>(tpl)) ^ + DefaultHasher<JSObject*>::hash(mozilla::Get<1>(tpl)) ^ + (mozilla::Get<2>(tpl) << 5); + } + }; + static HashNumber hash(const CrossCompartmentKey& key) { + return key.wrapped.match(HashFunctor()); + } + + static bool match(const CrossCompartmentKey& l, const CrossCompartmentKey& k) { + return l.wrapped == k.wrapped; + } + }; + + bool isTenured() const { + struct IsTenuredFunctor { + using ReturnType = bool; + ReturnType operator()(JSObject** tp) { return !IsInsideNursery(*tp); } + ReturnType operator()(JSScript** tp) { return true; } + ReturnType operator()(JSString** tp) { return true; } + }; + return const_cast<CrossCompartmentKey*>(this)->applyToWrapped(IsTenuredFunctor()); + } + + void trace(JSTracer* trc); + bool needsSweep(); + + private: + CrossCompartmentKey() = delete; + WrappedType wrapped; +}; + + +using WrapperMap = NurseryAwareHashMap<CrossCompartmentKey, JS::Value, + CrossCompartmentKey::Hasher, SystemAllocPolicy>; + +// We must ensure that all newly allocated JSObjects get their metadata +// set. However, metadata builders may require the new object be in a sane +// state (eg, have its reserved slots initialized so they can get the +// sizeOfExcludingThis of the object). Therefore, for objects of certain +// JSClasses (those marked with JSCLASS_DELAY_METADATA_BUILDER), it is not safe +// for the allocation paths to call the object metadata builder +// immediately. Instead, the JSClass-specific "constructor" C++ function up the +// stack makes a promise that it will ensure that the new object has its +// metadata set after the object is initialized. +// +// To help those constructor functions keep their promise of setting metadata, +// each compartment is in one of three states at any given time: +// +// * ImmediateMetadata: Allocators should set new object metadata immediately, +// as usual. +// +// * DelayMetadata: Allocators should *not* set new object metadata, it will be +// handled after reserved slots are initialized by custom code +// for the object's JSClass. The newly allocated object's +// JSClass *must* have the JSCLASS_DELAY_METADATA_BUILDER flag +// set. +// +// * PendingMetadata: This object has been allocated and is still pending its +// metadata. This should never be the case when we begin an +// allocation, as a constructor function was supposed to have +// set the metadata of the previous object *before* +// allocating another object. +// +// The js::AutoSetNewObjectMetadata RAII class provides an ergonomic way for +// constructor functions to navigate state transitions, and its instances +// collectively maintain a stack of previous states. The stack is required to +// support the lazy resolution and allocation of global builtin constructors and +// prototype objects. The initial (and intuitively most common) state is +// ImmediateMetadata. +// +// Without the presence of internal errors (such as OOM), transitions between +// the states are as follows: +// +// ImmediateMetadata .----- previous state on stack +// | | ^ +// | via constructor | | +// | | | via setting the new +// | via constructor | | object's metadata +// | .-----------------------' | +// | | | +// V V | +// DelayMetadata -------------------------> PendingMetadata +// via allocation +// +// In the presence of internal errors, we do not set the new object's metadata +// (if it was even allocated) and reset to the previous state on the stack. + +struct ImmediateMetadata { }; +struct DelayMetadata { }; +using PendingMetadata = JSObject*; + +using NewObjectMetadataState = mozilla::Variant<ImmediateMetadata, + DelayMetadata, + PendingMetadata>; + +class MOZ_RAII AutoSetNewObjectMetadata : private JS::CustomAutoRooter +{ + MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER; + + JSContext* cx_; + NewObjectMetadataState prevState_; + + AutoSetNewObjectMetadata(const AutoSetNewObjectMetadata& aOther) = delete; + void operator=(const AutoSetNewObjectMetadata& aOther) = delete; + + protected: + virtual void trace(JSTracer* trc) override { + if (prevState_.is<PendingMetadata>()) { + TraceRoot(trc, + &prevState_.as<PendingMetadata>(), + "Object pending metadata"); + } + } + + public: + explicit AutoSetNewObjectMetadata(ExclusiveContext* ecx MOZ_GUARD_OBJECT_NOTIFIER_PARAM); + ~AutoSetNewObjectMetadata(); +}; + +} /* namespace js */ + +namespace js { +class DebugEnvironments; +class ObjectWeakMap; +class WatchpointMap; +class WeakMapBase; +} // namespace js + +struct JSCompartment +{ + const JS::CompartmentCreationOptions creationOptions_; + JS::CompartmentBehaviors behaviors_; + + private: + JS::Zone* zone_; + JSRuntime* runtime_; + + public: + /* + * The principals associated with this compartment. Note that the + * same several compartments may share the same principals and + * that a compartment may change principals during its lifetime + * (e.g. in case of lazy parsing). + */ + inline JSPrincipals* principals() { + return principals_; + } + inline void setPrincipals(JSPrincipals* principals) { + if (principals_ == principals) + return; + + // If we change principals, we need to unlink immediately this + // compartment from its PerformanceGroup. For one thing, the + // performance data we collect should not be improperly associated + // with a group to which we do not belong anymore. For another thing, + // we use `principals()` as part of the key to map compartments + // to a `PerformanceGroup`, so if we do not unlink now, this will + // be too late once we have updated `principals_`. + performanceMonitoring.unlink(); + principals_ = principals; + } + inline bool isSystem() const { + return isSystem_; + } + inline void setIsSystem(bool isSystem) { + if (isSystem_ == isSystem) + return; + + // If we change `isSystem*(`, we need to unlink immediately this + // compartment from its PerformanceGroup. For one thing, the + // performance data we collect should not be improperly associated + // to a group to which we do not belong anymore. For another thing, + // we use `isSystem()` as part of the key to map compartments + // to a `PerformanceGroup`, so if we do not unlink now, this will + // be too late once we have updated `isSystem_`. + performanceMonitoring.unlink(); + isSystem_ = isSystem; + } + + bool isAtomsCompartment() const { + return isAtomsCompartment_; + } + void setIsAtomsCompartment() { + isAtomsCompartment_ = true; + } + + // Used to approximate non-content code when reporting telemetry. + inline bool isProbablySystemOrAddonCode() const { + if (creationOptions_.addonIdOrNull()) + return true; + + return isSystem_; + } + private: + JSPrincipals* principals_; + bool isSystem_; + bool isAtomsCompartment_; + + public: + bool isSelfHosting; + bool marked; + bool warnedAboutExprClosure; + bool warnedAboutForEach; + +#ifdef DEBUG + bool firedOnNewGlobalObject; +#endif + + void mark() { marked = true; } + + private: + friend struct JSRuntime; + friend struct JSContext; + friend class js::ExclusiveContext; + js::ReadBarrieredGlobalObject global_; + + unsigned enterCompartmentDepth; + int64_t startInterval; + + public: + js::PerformanceGroupHolder performanceMonitoring; + + void enter() { + enterCompartmentDepth++; + } + void leave() { + enterCompartmentDepth--; + } + bool hasBeenEntered() { return !!enterCompartmentDepth; } + + JS::Zone* zone() { return zone_; } + const JS::Zone* zone() const { return zone_; } + + const JS::CompartmentCreationOptions& creationOptions() const { return creationOptions_; } + JS::CompartmentBehaviors& behaviors() { return behaviors_; } + const JS::CompartmentBehaviors& behaviors() const { return behaviors_; } + + JSRuntime* runtimeFromMainThread() const { + MOZ_ASSERT(CurrentThreadCanAccessRuntime(runtime_)); + return runtime_; + } + + // Note: Unrestricted access to the zone's runtime from an arbitrary + // thread can easily lead to races. Use this method very carefully. + JSRuntime* runtimeFromAnyThread() const { + return runtime_; + } + + JSContext* contextFromMainThread() const { + return runtime_->contextFromMainThread(); + } + + /* + * Nb: global_ might be nullptr, if (a) it's the atoms compartment, or + * (b) the compartment's global has been collected. The latter can happen + * if e.g. a string in a compartment is rooted but no object is, and thus + * the global isn't rooted, and thus the global can be finalized while the + * compartment lives on. + * + * In contrast, JSObject::global() is infallible because marking a JSObject + * always marks its global as well. + * TODO: add infallible JSScript::global() + */ + inline js::GlobalObject* maybeGlobal() const; + + /* An unbarriered getter for use while tracing. */ + inline js::GlobalObject* unsafeUnbarrieredMaybeGlobal() const; + + inline void initGlobal(js::GlobalObject& global); + + public: + void* data; + + private: + const js::AllocationMetadataBuilder *allocationMetadataBuilder; + + js::SavedStacks savedStacks_; + + js::WrapperMap crossCompartmentWrappers; + + using CCKeyVector = mozilla::Vector<js::CrossCompartmentKey, 0, js::SystemAllocPolicy>; + CCKeyVector nurseryCCKeys; + + // The global environment record's [[VarNames]] list that contains all + // names declared using FunctionDeclaration, GeneratorDeclaration, and + // VariableDeclaration declarations in global code in this compartment. + // Names are only removed from this list by a |delete IdentifierReference| + // that successfully removes that global property. + JS::GCHashSet<JSAtom*, + js::DefaultHasher<JSAtom*>, + js::SystemAllocPolicy> varNames_; + + public: + /* Last time at which an animation was played for a global in this compartment. */ + int64_t lastAnimationTime; + + js::RegExpCompartment regExps; + + /* + * For generational GC, record whether a write barrier has added this + * compartment's global to the store buffer since the last minor GC. + * + * This is used to avoid calling into the VM every time a nursery object is + * written to a property of the global. + */ + uint32_t globalWriteBarriered; + + // Non-zero if the storage underlying any typed object in this compartment + // might be detached. + int32_t detachedTypedObjects; + + private: + friend class js::AutoSetNewObjectMetadata; + js::NewObjectMetadataState objectMetadataState; + + public: + // Recompute the probability with which this compartment should record + // profiling data (stack traces, allocations log, etc.) about each + // allocation. We consult the probabilities requested by the Debugger + // instances observing us, if any. + void chooseAllocationSamplingProbability() { savedStacks_.chooseSamplingProbability(this); } + + bool hasObjectPendingMetadata() const { return objectMetadataState.is<js::PendingMetadata>(); } + + void setObjectPendingMetadata(JSContext* cx, JSObject* obj) { + MOZ_ASSERT(objectMetadataState.is<js::DelayMetadata>()); + objectMetadataState = js::NewObjectMetadataState(js::PendingMetadata(obj)); + } + + void setObjectPendingMetadata(js::ExclusiveContext* ecx, JSObject* obj) { + if (JSContext* cx = ecx->maybeJSContext()) + setObjectPendingMetadata(cx, obj); + } + + public: + void addSizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf, + size_t* tiAllocationSiteTables, + size_t* tiArrayTypeTables, + size_t* tiObjectTypeTables, + size_t* compartmentObject, + size_t* compartmentTables, + size_t* innerViews, + size_t* lazyArrayBuffers, + size_t* objectMetadataTables, + size_t* crossCompartmentWrappers, + size_t* regexpCompartment, + size_t* savedStacksSet, + size_t* varNamesSet, + size_t* nonSyntacticLexicalScopes, + size_t* jitCompartment, + size_t* privateData); + + // Object group tables and other state in the compartment. + js::ObjectGroupCompartment objectGroups; + +#ifdef JSGC_HASH_TABLE_CHECKS + void checkWrapperMapAfterMovingGC(); + void checkScriptMapsAfterMovingGC(); +#endif + + /* + * Lazily initialized script source object to use for scripts cloned + * from the self-hosting global. + */ + js::ReadBarrieredScriptSourceObject selfHostingScriptSource; + + // Keep track of the metadata objects which can be associated with each JS + // object. Both keys and values are in this compartment. + js::ObjectWeakMap* objectMetadataTable; + + // Map from array buffers to views sharing that storage. + JS::WeakCache<js::InnerViewTable> innerViews; + + // Inline transparent typed objects do not initially have an array buffer, + // but can have that buffer created lazily if it is accessed later. This + // table manages references from such typed objects to their buffers. + js::ObjectWeakMap* lazyArrayBuffers; + + // All unboxed layouts in the compartment. + mozilla::LinkedList<js::UnboxedLayout> unboxedLayouts; + + // WebAssembly state for the compartment. + js::wasm::Compartment wasm; + + private: + // All non-syntactic lexical environments in the compartment. These are kept in + // a map because when loading scripts into a non-syntactic environment, we need + // to use the same lexical environment to persist lexical bindings. + js::ObjectWeakMap* nonSyntacticLexicalEnvironments_; + + public: + /* During GC, stores the index of this compartment in rt->compartments. */ + unsigned gcIndex; + + /* + * During GC, stores the head of a list of incoming pointers from gray cells. + * + * The objects in the list are either cross-compartment wrappers, or + * debugger wrapper objects. The list link is either in the second extra + * slot for the former, or a special slot for the latter. + */ + JSObject* gcIncomingGrayPointers; + + private: + enum { + IsDebuggee = 1 << 0, + DebuggerObservesAllExecution = 1 << 1, + DebuggerObservesAsmJS = 1 << 2, + DebuggerObservesCoverage = 1 << 3, + DebuggerNeedsDelazification = 1 << 4 + }; + + unsigned debugModeBits; + friend class AutoRestoreCompartmentDebugMode; + + static const unsigned DebuggerObservesMask = IsDebuggee | + DebuggerObservesAllExecution | + DebuggerObservesCoverage | + DebuggerObservesAsmJS; + + void updateDebuggerObservesFlag(unsigned flag); + + bool getNonWrapperObjectForCurrentCompartment(JSContext* cx, js::MutableHandleObject obj); + bool getOrCreateWrapper(JSContext* cx, js::HandleObject existing, js::MutableHandleObject obj); + + public: + JSCompartment(JS::Zone* zone, const JS::CompartmentOptions& options); + ~JSCompartment(); + + MOZ_MUST_USE bool init(JSContext* maybecx); + + MOZ_MUST_USE inline bool wrap(JSContext* cx, JS::MutableHandleValue vp); + + MOZ_MUST_USE bool wrap(JSContext* cx, js::MutableHandleString strp); + MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandleObject obj); + MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandle<js::PropertyDescriptor> desc); + MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandle<JS::GCVector<JS::Value>> vec); + MOZ_MUST_USE bool rewrap(JSContext* cx, JS::MutableHandleObject obj, JS::HandleObject existing); + + MOZ_MUST_USE bool putWrapper(JSContext* cx, const js::CrossCompartmentKey& wrapped, + const js::Value& wrapper); + + js::WrapperMap::Ptr lookupWrapper(const js::Value& wrapped) const { + return crossCompartmentWrappers.lookup(js::CrossCompartmentKey(wrapped)); + } + + void removeWrapper(js::WrapperMap::Ptr p) { + crossCompartmentWrappers.remove(p); + } + + struct WrapperEnum : public js::WrapperMap::Enum { + explicit WrapperEnum(JSCompartment* c) : js::WrapperMap::Enum(c->crossCompartmentWrappers) {} + }; + + js::LexicalEnvironmentObject* + getOrCreateNonSyntacticLexicalEnvironment(JSContext* cx, js::HandleObject enclosing); + js::LexicalEnvironmentObject* getNonSyntacticLexicalEnvironment(JSObject* enclosing) const; + + /* + * This method traces data that is live iff we know that this compartment's + * global is still live. + */ + void trace(JSTracer* trc); + /* + * This method traces JSCompartment-owned GC roots that are considered live + * regardless of whether the JSCompartment itself is still live. + */ + void traceRoots(JSTracer* trc, js::gc::GCRuntime::TraceOrMarkRuntime traceOrMark); + /* + * This method clears out tables of roots in preparation for the final GC. + */ + void finishRoots(); + /* + * These methods mark pointers that cross compartment boundaries. They are + * called in per-zone GCs to prevent the wrappers' outgoing edges from + * dangling (full GCs naturally follow pointers across compartments) and + * when compacting to update cross-compartment pointers. + */ + void traceOutgoingCrossCompartmentWrappers(JSTracer* trc); + static void traceIncomingCrossCompartmentEdgesForZoneGC(JSTracer* trc); + + /* Whether to preserve JIT code on non-shrinking GCs. */ + bool preserveJitCode() { return creationOptions_.preserveJitCode(); } + + void sweepAfterMinorGC(JSTracer* trc); + + void sweepCrossCompartmentWrappers(); + void sweepSavedStacks(); + void sweepGlobalObject(js::FreeOp* fop); + void sweepSelfHostingScriptSource(); + void sweepJitCompartment(js::FreeOp* fop); + void sweepRegExps(); + void sweepDebugEnvironments(); + void sweepNativeIterators(); + void sweepTemplateObjects(); + void sweepVarNames(); + + void purge(); + void clearTables(); + + static void fixupCrossCompartmentWrappersAfterMovingGC(JSTracer* trc); + void fixupAfterMovingGC(); + void fixupGlobal(); + void fixupScriptMapsAfterMovingGC(); + + bool hasAllocationMetadataBuilder() const { return allocationMetadataBuilder; } + const js::AllocationMetadataBuilder* getAllocationMetadataBuilder() const { + return allocationMetadataBuilder; + } + void setAllocationMetadataBuilder(const js::AllocationMetadataBuilder* builder); + void forgetAllocationMetadataBuilder() { + allocationMetadataBuilder = nullptr; + } + void setNewObjectMetadata(JSContext* cx, JS::HandleObject obj); + void clearObjectMetadata(); + const void* addressOfMetadataBuilder() const { + return &allocationMetadataBuilder; + } + + js::SavedStacks& savedStacks() { return savedStacks_; } + + // Add a name to [[VarNames]]. Reports OOM on failure. + MOZ_MUST_USE bool addToVarNames(JSContext* cx, JS::Handle<JSAtom*> name); + + void removeFromVarNames(JS::Handle<JSAtom*> name) { + varNames_.remove(name); + } + + // Whether the given name is in [[VarNames]]. + bool isInVarNames(JS::Handle<JSAtom*> name) { + return varNames_.has(name); + } + + void findOutgoingEdges(js::gc::ZoneComponentFinder& finder); + + js::DtoaCache dtoaCache; + + // Random number generator for Math.random(). + mozilla::Maybe<mozilla::non_crypto::XorShift128PlusRNG> randomNumberGenerator; + + // Initialize randomNumberGenerator if needed. + void ensureRandomNumberGenerator(); + + private: + mozilla::non_crypto::XorShift128PlusRNG randomKeyGenerator_; + + public: + js::HashNumber randomHashCode(); + + mozilla::HashCodeScrambler randomHashCodeScrambler(); + + static size_t offsetOfRegExps() { + return offsetof(JSCompartment, regExps); + } + + private: + JSCompartment* thisForCtor() { return this; } + + public: + // + // The Debugger observes execution on a frame-by-frame basis. The + // invariants of JSCompartment's debug mode bits, JSScript::isDebuggee, + // InterpreterFrame::isDebuggee, and BaselineFrame::isDebuggee are + // enumerated below. + // + // 1. When a compartment's isDebuggee() == true, relazification and lazy + // parsing are disabled. + // + // Whether AOT wasm is disabled is togglable by the Debugger API. By + // default it is disabled. See debuggerObservesAsmJS below. + // + // 2. When a compartment's debuggerObservesAllExecution() == true, all of + // the compartment's scripts are considered debuggee scripts. + // + // 3. A script is considered a debuggee script either when, per above, its + // compartment is observing all execution, or if it has breakpoints set. + // + // 4. A debuggee script always pushes a debuggee frame. + // + // 5. A debuggee frame calls all slow path Debugger hooks in the + // Interpreter and Baseline. A debuggee frame implies that its script's + // BaselineScript, if extant, has been compiled with debug hook calls. + // + // 6. A debuggee script or a debuggee frame (i.e., during OSR) ensures + // that the compiled BaselineScript is compiled with debug hook calls + // when attempting to enter Baseline. + // + // 7. A debuggee script or a debuggee frame (i.e., during OSR) does not + // attempt to enter Ion. + // + // Note that a debuggee frame may exist without its script being a + // debuggee script. e.g., Debugger.Frame.prototype.eval only marks the + // frame in which it is evaluating as a debuggee frame. + // + + // True if this compartment's global is a debuggee of some Debugger + // object. + bool isDebuggee() const { return !!(debugModeBits & IsDebuggee); } + void setIsDebuggee() { debugModeBits |= IsDebuggee; } + void unsetIsDebuggee(); + + // True if this compartment's global is a debuggee of some Debugger + // object with a live hook that observes all execution; e.g., + // onEnterFrame. + bool debuggerObservesAllExecution() const { + static const unsigned Mask = IsDebuggee | DebuggerObservesAllExecution; + return (debugModeBits & Mask) == Mask; + } + void updateDebuggerObservesAllExecution() { + updateDebuggerObservesFlag(DebuggerObservesAllExecution); + } + + // True if this compartment's global is a debuggee of some Debugger object + // whose allowUnobservedAsmJS flag is false. + // + // Note that since AOT wasm functions cannot bail out, this flag really + // means "observe wasm from this point forward". We cannot make + // already-compiled wasm code observable to Debugger. + bool debuggerObservesAsmJS() const { + static const unsigned Mask = IsDebuggee | DebuggerObservesAsmJS; + return (debugModeBits & Mask) == Mask; + } + void updateDebuggerObservesAsmJS() { + updateDebuggerObservesFlag(DebuggerObservesAsmJS); + } + + // True if this compartment's global is a debuggee of some Debugger object + // whose collectCoverageInfo flag is true. + bool debuggerObservesCoverage() const { + static const unsigned Mask = DebuggerObservesCoverage; + return (debugModeBits & Mask) == Mask; + } + void updateDebuggerObservesCoverage(); + + // The code coverage can be enabled either for each compartment, with the + // Debugger API, or for the entire runtime. + bool collectCoverage() const; + bool collectCoverageForDebug() const; + bool collectCoverageForPGO() const; + void clearScriptCounts(); + + bool needsDelazificationForDebugger() const { + return debugModeBits & DebuggerNeedsDelazification; + } + + /* + * Schedule the compartment to be delazified. Called from + * LazyScript::Create. + */ + void scheduleDelazificationForDebugger() { debugModeBits |= DebuggerNeedsDelazification; } + + /* + * If we scheduled delazification for turning on debug mode, delazify all + * scripts. + */ + bool ensureDelazifyScriptsForDebugger(JSContext* cx); + + void clearBreakpointsIn(js::FreeOp* fop, js::Debugger* dbg, JS::HandleObject handler); + + private: + void sweepBreakpoints(js::FreeOp* fop); + + public: + js::WatchpointMap* watchpointMap; + + js::ScriptCountsMap* scriptCountsMap; + + js::DebugScriptMap* debugScriptMap; + + /* Bookkeeping information for debug scope objects. */ + js::DebugEnvironments* debugEnvs; + + /* + * List of potentially active iterators that may need deleted property + * suppression. + */ + js::NativeIterator* enumerators; + + /* Native iterator most recently started. */ + js::PropertyIteratorObject* lastCachedNativeIterator; + + private: + /* Used by memory reporters and invalid otherwise. */ + JS::CompartmentStats* compartmentStats_; + + public: + // This should only be called when it is non-null, i.e. during memory + // reporting. + JS::CompartmentStats& compartmentStats() { + // We use MOZ_RELEASE_ASSERT here because in bug 1132502 there was some + // (inconclusive) evidence that compartmentStats_ can be nullptr + // unexpectedly. + MOZ_RELEASE_ASSERT(compartmentStats_); + return *compartmentStats_; + } + void nullCompartmentStats() { + MOZ_ASSERT(compartmentStats_); + compartmentStats_ = nullptr; + } + void setCompartmentStats(JS::CompartmentStats* newStats) { + MOZ_ASSERT(!compartmentStats_ && newStats); + compartmentStats_ = newStats; + } + + // These flags help us to discover if a compartment that shouldn't be alive + // manages to outlive a GC. + bool scheduledForDestruction; + bool maybeAlive; + + private: + js::jit::JitCompartment* jitCompartment_; + + js::ReadBarriered<js::ArgumentsObject*> mappedArgumentsTemplate_; + js::ReadBarriered<js::ArgumentsObject*> unmappedArgumentsTemplate_; + + public: + bool ensureJitCompartmentExists(JSContext* cx); + js::jit::JitCompartment* jitCompartment() { + return jitCompartment_; + } + + enum DeprecatedLanguageExtension { + DeprecatedForEach = 0, // JS 1.6+ + // NO LONGER USING 1 + DeprecatedLegacyGenerator = 2, // JS 1.7+ + DeprecatedExpressionClosure = 3, // Added in JS 1.8 + // NO LONGER USING 4 + // NO LONGER USING 5 + // NO LONGER USING 6 + // NO LONGER USING 7 + // NO LONGER USING 8 + // NO LONGER USING 9 + DeprecatedBlockScopeFunRedecl = 10, + DeprecatedLanguageExtensionCount + }; + + js::ArgumentsObject* getOrCreateArgumentsTemplateObject(JSContext* cx, bool mapped); + + js::ArgumentsObject* maybeArgumentsTemplateObject(bool mapped) const; + + private: + // Used for collecting telemetry on SpiderMonkey's deprecated language extensions. + bool sawDeprecatedLanguageExtension[DeprecatedLanguageExtensionCount]; + + void reportTelemetry(); + + public: + void addTelemetry(const char* filename, DeprecatedLanguageExtension e); + + public: + // Aggregated output used to collect JSScript hit counts when code coverage + // is enabled. + js::coverage::LCovCompartment lcovOutput; +}; + +inline bool +JSRuntime::isAtomsZone(const JS::Zone* zone) const +{ + return zone == atomsCompartment_->zone(); +} + +namespace js { + +// We only set the maybeAlive flag for objects and scripts. It's assumed that, +// if a compartment is alive, then it will have at least some live object or +// script it in. Even if we get this wrong, the worst that will happen is that +// scheduledForDestruction will be set on the compartment, which will cause +// some extra GC activity to try to free the compartment. +template<typename T> inline void SetMaybeAliveFlag(T* thing) {} +template<> inline void SetMaybeAliveFlag(JSObject* thing) {thing->compartment()->maybeAlive = true;} +template<> inline void SetMaybeAliveFlag(JSScript* thing) {thing->compartment()->maybeAlive = true;} + +inline js::Handle<js::GlobalObject*> +ExclusiveContext::global() const +{ + /* + * It's safe to use |unsafeGet()| here because any compartment that is + * on-stack will be marked automatically, so there's no need for a read + * barrier on it. Once the compartment is popped, the handle is no longer + * safe to use. + */ + MOZ_ASSERT(compartment_, "Caller needs to enter a compartment first"); + return Handle<GlobalObject*>::fromMarkedLocation(compartment_->global_.unsafeGet()); +} + +class MOZ_RAII AssertCompartmentUnchanged +{ + public: + explicit AssertCompartmentUnchanged(JSContext* cx + MOZ_GUARD_OBJECT_NOTIFIER_PARAM) + : cx(cx), oldCompartment(cx->compartment()) + { + MOZ_GUARD_OBJECT_NOTIFIER_INIT; + } + + ~AssertCompartmentUnchanged() { + MOZ_ASSERT(cx->compartment() == oldCompartment); + } + + protected: + JSContext * const cx; + JSCompartment * const oldCompartment; + MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER +}; + +class AutoCompartment +{ + ExclusiveContext * const cx_; + JSCompartment * const origin_; + const js::AutoLockForExclusiveAccess* maybeLock_; + + public: + inline AutoCompartment(ExclusiveContext* cx, JSObject* target, + js::AutoLockForExclusiveAccess* maybeLock = nullptr); + inline AutoCompartment(ExclusiveContext* cx, JSCompartment* target, + js::AutoLockForExclusiveAccess* maybeLock = nullptr); + inline ~AutoCompartment(); + + ExclusiveContext* context() const { return cx_; } + JSCompartment* origin() const { return origin_; } + + private: + AutoCompartment(const AutoCompartment&) = delete; + AutoCompartment & operator=(const AutoCompartment&) = delete; +}; + +/* + * Use this to change the behavior of an AutoCompartment slightly on error. If + * the exception happens to be an Error object, copy it to the origin compartment + * instead of wrapping it. + */ +class ErrorCopier +{ + mozilla::Maybe<AutoCompartment>& ac; + + public: + explicit ErrorCopier(mozilla::Maybe<AutoCompartment>& ac) + : ac(ac) {} + ~ErrorCopier(); +}; + +/* + * AutoWrapperVector and AutoWrapperRooter can be used to store wrappers that + * are obtained from the cross-compartment map. However, these classes should + * not be used if the wrapper will escape. For example, it should not be stored + * in the heap. + * + * The AutoWrapper rooters are different from other autorooters because their + * wrappers are marked on every GC slice rather than just the first one. If + * there's some wrapper that we want to use temporarily without causing it to be + * marked, we can use these AutoWrapper classes. If we get unlucky and a GC + * slice runs during the code using the wrapper, the GC will mark the wrapper so + * that it doesn't get swept out from under us. Otherwise, the wrapper needn't + * be marked. This is useful in functions like JS_TransplantObject that + * manipulate wrappers in compartments that may no longer be alive. + */ + +/* + * This class stores the data for AutoWrapperVector and AutoWrapperRooter. It + * should not be used in any other situations. + */ +struct WrapperValue +{ + /* + * We use unsafeGet() in the constructors to avoid invoking a read barrier + * on the wrapper, which may be dead (see the comment about bug 803376 in + * jsgc.cpp regarding this). If there is an incremental GC while the wrapper + * is in use, the AutoWrapper rooter will ensure the wrapper gets marked. + */ + explicit WrapperValue(const WrapperMap::Ptr& ptr) + : value(*ptr->value().unsafeGet()) + {} + + explicit WrapperValue(const WrapperMap::Enum& e) + : value(*e.front().value().unsafeGet()) + {} + + Value& get() { return value; } + Value get() const { return value; } + operator const Value&() const { return value; } + JSObject& toObject() const { return value.toObject(); } + + private: + Value value; +}; + +class MOZ_RAII AutoWrapperVector : public JS::AutoVectorRooterBase<WrapperValue> +{ + public: + explicit AutoWrapperVector(JSContext* cx + MOZ_GUARD_OBJECT_NOTIFIER_PARAM) + : AutoVectorRooterBase<WrapperValue>(cx, WRAPVECTOR) + { + MOZ_GUARD_OBJECT_NOTIFIER_INIT; + } + + MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER +}; + +class MOZ_RAII AutoWrapperRooter : private JS::AutoGCRooter { + public: + AutoWrapperRooter(JSContext* cx, const WrapperValue& v + MOZ_GUARD_OBJECT_NOTIFIER_PARAM) + : JS::AutoGCRooter(cx, WRAPPER), value(v) + { + MOZ_GUARD_OBJECT_NOTIFIER_INIT; + } + + operator JSObject*() const { + return value.get().toObjectOrNull(); + } + + friend void JS::AutoGCRooter::trace(JSTracer* trc); + + private: + WrapperValue value; + MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER +}; + +class MOZ_RAII AutoSuppressAllocationMetadataBuilder { + JS::Zone* zone; + bool saved; + + public: + explicit AutoSuppressAllocationMetadataBuilder(ExclusiveContext* cx) + : AutoSuppressAllocationMetadataBuilder(cx->compartment()->zone()) + { } + + explicit AutoSuppressAllocationMetadataBuilder(JS::Zone* zone) + : zone(zone), + saved(zone->suppressAllocationMetadataBuilder) + { + zone->suppressAllocationMetadataBuilder = true; + } + + ~AutoSuppressAllocationMetadataBuilder() { + zone->suppressAllocationMetadataBuilder = saved; + } +}; + +} /* namespace js */ + +namespace JS { +template <> +struct GCPolicy<js::CrossCompartmentKey> : public StructGCPolicy<js::CrossCompartmentKey> { + static bool isTenured(const js::CrossCompartmentKey& key) { return key.isTenured(); } +}; +} // namespace JS + +#endif /* jscompartment_h */ |