diff options
Diffstat (limited to 'js/public/Proxy.h')
-rw-r--r-- | js/public/Proxy.h | 768 |
1 files changed, 768 insertions, 0 deletions
diff --git a/js/public/Proxy.h b/js/public/Proxy.h new file mode 100644 index 0000000000..45ba4a1376 --- /dev/null +++ b/js/public/Proxy.h @@ -0,0 +1,768 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef js_Proxy_h +#define js_Proxy_h + +#include "mozilla/Maybe.h" + +#include "jstypes.h" // for JS_PUBLIC_API, JS_PUBLIC_DATA + +#include "js/Array.h" // JS::IsArrayAnswer +#include "js/CallNonGenericMethod.h" +#include "js/Class.h" +#include "js/HeapAPI.h" // for ObjectIsMarkedBlack +#include "js/Id.h" // for jsid +#include "js/Object.h" // JS::GetClass +#include "js/RootingAPI.h" // for Handle, MutableHandle (ptr only) +#include "js/shadow/Object.h" // JS::shadow::Object +#include "js/TypeDecls.h" // for HandleObject, HandleId, HandleValue, MutableHandleIdVector, MutableHandleValue, MutableHand... +#include "js/Value.h" // for Value, AssertValueIsNotGray, UndefinedValue, ObjectOrNullValue + +namespace js { + +class RegExpShared; + +class JS_PUBLIC_API Wrapper; + +/* + * [SMDOC] Proxy Objects + * + * A proxy is a JSObject with highly customizable behavior. ES6 specifies a + * single kind of proxy, but the customization mechanisms we use to implement + * ES6 Proxy objects are also useful wherever an object with weird behavior is + * wanted. Proxies are used to implement: + * + * - the scope objects used by the Debugger's frame.eval() method + * (see js::GetDebugEnvironment) + * + * - the khuey hack, whereby a whole compartment can be blown away + * even if other compartments hold references to objects in it + * (see js::NukeCrossCompartmentWrappers) + * + * - XPConnect security wrappers, which protect chrome from malicious content + * (js/xpconnect/wrappers) + * + * - DOM objects with special property behavior, like named getters + * (dom/bindings/Codegen.py generates these proxies from WebIDL) + * + * ### Proxies and internal methods + * + * ES2019 specifies 13 internal methods. The runtime semantics of just about + * everything a script can do to an object is specified in terms of these + * internal methods. For example: + * + * JS code ES6 internal method that gets called + * --------------------------- -------------------------------- + * obj.prop obj.[[Get]](obj, "prop") + * "prop" in obj obj.[[HasProperty]]("prop") + * new obj() obj.[[Construct]](<empty argument List>) + * + * With regard to the implementation of these internal methods, there are three + * very different kinds of object in SpiderMonkey. + * + * 1. Native objects cover most objects and contain both internal slots and + * properties. JSClassOps and ObjectOps may be used to override certain + * default behaviors. + * + * 2. Proxy objects are composed of internal slots and a ProxyHandler. The + * handler contains C++ methods that can implement these standard (and + * non-standard) internal methods. JSClassOps and ObjectOps for the base + * ProxyObject invoke the handler methods as appropriate. + * + * 3. Objects with custom layouts like TypedObjects. These rely on JSClassOps + * and ObjectOps to implement internal methods. + * + * Native objects with custom JSClassOps / ObjectOps are used when the object + * behaves very similar to a normal object such as the ArrayObject and it's + * length property. Most usages wrapping a C++ or other type should prefer + * using a Proxy. Using the proxy approach makes it much easier to create an + * ECMAScript and JIT compatible object, particularly if using an appropriate + * base class. + * + * Just about anything you do to a proxy will end up going through a C++ + * virtual method call. Possibly several. There's no reason the JITs and ICs + * can't specialize for particular proxies, based on the handler; but currently + * we don't do much of this, so the virtual method overhead typically is + * actually incurred. + * + * ### The proxy handler hierarchy + * + * A major use case for proxies is to forward each internal method call to + * another object, known as its target. The target can be an arbitrary JS + * object. Not every proxy has the notion of a target, however. + * + * To minimize code duplication, a set of abstract proxy handler classes is + * provided, from which other handlers may inherit. These abstract classes are + * organized in the following hierarchy: + * + * BaseProxyHandler + * | + * ForwardingProxyHandler // has a target and forwards internal methods + * | + * Wrapper // can be unwrapped to reveal target + * | // (see js::CheckedUnwrap) + * | + * CrossCompartmentWrapper // target is in another compartment; + * // implements membrane between compartments + * + * Example: Some DOM objects (including all the arraylike DOM objects) are + * implemented as proxies. Since these objects don't need to forward operations + * to any underlying JS object, BaseDOMProxyHandler directly subclasses + * BaseProxyHandler. + * + * Gecko's security wrappers are examples of cross-compartment wrappers. + * + * ### Proxy prototype chains + * + * While most ECMAScript internal methods are handled by simply calling the + * handler method, the [[GetPrototypeOf]] / [[SetPrototypeOf]] behaviors may + * follow one of two models: + * + * 1. A concrete prototype object (or null) is passed to object construction + * and ordinary prototype read and write applies. The prototype-related + * handler hooks are never called in this case. The [[Prototype]] slot is + * used to store the current prototype value. + * + * 2. TaggedProto::LazyProto is passed to NewProxyObject (or the + * ProxyOptions::lazyProto flag is set). Each read or write of the + * prototype will invoke the handler. This dynamic prototype behavior may + * be useful for wrapper-like objects. If this mode is used the + * getPrototype handler at a minimum must be implemented. + * + * NOTE: In this mode the [[Prototype]] internal slot is unavailable and + * must be simulated if needed. This is non-standard, but an + * appropriate handler can hide this implementation detail. + * + * One subtlety here is that ECMAScript has a notion of "ordinary" prototypes. + * An object that doesn't override [[GetPrototypeOf]] is considered to have an + * ordinary prototype. The getPrototypeIfOrdinary handler must be implemented + * by you or your base class. Typically model 1 will be considered "ordinary" + * and model 2 will not. + */ + +/* + * BaseProxyHandler is the most generic kind of proxy handler. It does not make + * any assumptions about the target. Consequently, it does not provide any + * default implementation for most methods. As a convenience, a few high-level + * methods, like get() and set(), are given default implementations that work by + * calling the low-level methods, like getOwnPropertyDescriptor(). + * + * Important: If you add a method here, you should probably also add a + * Proxy::foo entry point with an AutoEnterPolicy. If you don't, you need an + * explicit override for the method in SecurityWrapper. See bug 945826 comment + * 0. + */ +class JS_PUBLIC_API BaseProxyHandler { + /* + * Sometimes it's desirable to designate groups of proxy handlers as + * "similar". For this, we use the notion of a "family": A consumer-provided + * opaque pointer that designates the larger group to which this proxy + * belongs. + * + * If it will never be important to differentiate this proxy from others as + * part of a distinct group, nullptr may be used instead. + */ + const void* mFamily; + + /* + * Proxy handlers can use mHasPrototype to request the following special + * treatment from the JS engine: + * + * - When mHasPrototype is true, the engine never calls these methods: + * has, set, enumerate, iterate. Instead, for these operations, + * it calls the "own" methods like getOwnPropertyDescriptor, hasOwn, + * defineProperty, getOwnEnumerablePropertyKeys, etc., + * and consults the prototype chain if needed. + * + * - When mHasPrototype is true, the engine calls handler->get() only if + * handler->hasOwn() says an own property exists on the proxy. If not, + * it consults the prototype chain. + * + * This is useful because it frees the ProxyHandler from having to implement + * any behavior having to do with the prototype chain. + */ + bool mHasPrototype; + + /* + * All proxies indicate whether they have any sort of interesting security + * policy that might prevent the caller from doing something it wants to + * the object. In the case of wrappers, this distinction is used to + * determine whether the caller may strip off the wrapper if it so desires. + */ + bool mHasSecurityPolicy; + + public: + explicit constexpr BaseProxyHandler(const void* aFamily, + bool aHasPrototype = false, + bool aHasSecurityPolicy = false) + : mFamily(aFamily), + mHasPrototype(aHasPrototype), + mHasSecurityPolicy(aHasSecurityPolicy) {} + + bool hasPrototype() const { return mHasPrototype; } + + bool hasSecurityPolicy() const { return mHasSecurityPolicy; } + + inline const void* family() const { return mFamily; } + static size_t offsetOfFamily() { return offsetof(BaseProxyHandler, mFamily); } + + virtual bool finalizeInBackground(const JS::Value& priv) const { + /* + * Called on creation of a proxy to determine whether its finalize + * method can be finalized on the background thread. + */ + return true; + } + + virtual bool canNurseryAllocate() const { + /* + * Nursery allocation is allowed if and only if it is safe to not + * run |finalize| when the ProxyObject dies. + */ + return false; + } + + /* Policy enforcement methods. + * + * enter() allows the policy to specify whether the caller may perform |act| + * on the proxy's |id| property. In the case when |act| is CALL, |id| is + * generally JS::PropertyKey::isVoid. The |mayThrow| parameter indicates + * whether a handler that wants to throw custom exceptions when denying + * should do so or not. + * + * The |act| parameter to enter() specifies the action being performed. + * If |bp| is false, the method suggests that the caller throw (though it + * may still decide to squelch the error). + * + * We make these OR-able so that assertEnteredPolicy can pass a union of them. + * For example, get{,Own}PropertyDescriptor is invoked by calls to ::get() + * ::set(), in addition to being invoked on its own, so there are several + * valid Actions that could have been entered. + */ + typedef uint32_t Action; + enum { + NONE = 0x00, + GET = 0x01, + SET = 0x02, + CALL = 0x04, + ENUMERATE = 0x08, + GET_PROPERTY_DESCRIPTOR = 0x10 + }; + + virtual bool enter(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id, + Action act, bool mayThrow, bool* bp) const; + + /* Standard internal methods. */ + virtual bool getOwnPropertyDescriptor( + JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) const = 0; + virtual bool defineProperty(JSContext* cx, JS::HandleObject proxy, + JS::HandleId id, + JS::Handle<JS::PropertyDescriptor> desc, + JS::ObjectOpResult& result) const = 0; + virtual bool ownPropertyKeys(JSContext* cx, JS::HandleObject proxy, + JS::MutableHandleIdVector props) const = 0; + virtual bool delete_(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + JS::ObjectOpResult& result) const = 0; + + /* + * These methods are standard, but the engine does not normally call them. + * They're opt-in. See "Proxy prototype chains" above. + * + * getPrototype() crashes if called. setPrototype() throws a TypeError. + */ + virtual bool getPrototype(JSContext* cx, JS::HandleObject proxy, + JS::MutableHandleObject protop) const; + virtual bool setPrototype(JSContext* cx, JS::HandleObject proxy, + JS::HandleObject proto, + JS::ObjectOpResult& result) const; + + /* Non-standard but conceptual kin to {g,s}etPrototype, so these live here. */ + virtual bool getPrototypeIfOrdinary(JSContext* cx, JS::HandleObject proxy, + bool* isOrdinary, + JS::MutableHandleObject protop) const = 0; + virtual bool setImmutablePrototype(JSContext* cx, JS::HandleObject proxy, + bool* succeeded) const; + + virtual bool preventExtensions(JSContext* cx, JS::HandleObject proxy, + JS::ObjectOpResult& result) const = 0; + virtual bool isExtensible(JSContext* cx, JS::HandleObject proxy, + bool* extensible) const = 0; + + /* + * These standard internal methods are implemented, as a convenience, so + * that ProxyHandler subclasses don't have to provide every single method. + * + * The base-class implementations work by calling getOwnPropertyDescriptor() + * and going up the [[Prototype]] chain if necessary. The algorithm for this + * follows what is defined for Ordinary Objects in the ES spec. + * They do not follow any standard. When in doubt, override them. + */ + virtual bool has(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + bool* bp) const; + virtual bool get(JSContext* cx, JS::HandleObject proxy, + JS::HandleValue receiver, JS::HandleId id, + JS::MutableHandleValue vp) const; + virtual bool set(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + JS::HandleValue v, JS::HandleValue receiver, + JS::ObjectOpResult& result) const; + + // Use the ProxyExpando object for private fields, rather than taking the + // normal get/set/defineField paths. + virtual bool useProxyExpandoObjectForPrivateFields() const { return true; } + + // For some exotic objects (WindowProxy, Location), we want to be able to + // throw rather than allow private fields on these objects. + // + // As a simplfying assumption, if throwOnPrivateFields returns true, + // we should also return true to useProxyExpandoObjectForPrivateFields. + virtual bool throwOnPrivateField() const { return false; } + + /* + * [[Call]] and [[Construct]] are standard internal methods but according + * to the spec, they are not present on every object. + * + * SpiderMonkey never calls a proxy's call()/construct() internal method + * unless isCallable()/isConstructor() returns true for that proxy. + * + * BaseProxyHandler::isCallable()/isConstructor() always return false, and + * BaseProxyHandler::call()/construct() crash if called. So if you're + * creating a kind of that is never callable, you don't have to override + * anything, but otherwise you probably want to override all four. + */ + virtual bool call(JSContext* cx, JS::HandleObject proxy, + const JS::CallArgs& args) const; + virtual bool construct(JSContext* cx, JS::HandleObject proxy, + const JS::CallArgs& args) const; + + /* SpiderMonkey extensions. */ + virtual bool enumerate(JSContext* cx, JS::HandleObject proxy, + JS::MutableHandleIdVector props) const; + virtual bool hasOwn(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + bool* bp) const; + virtual bool getOwnEnumerablePropertyKeys( + JSContext* cx, JS::HandleObject proxy, + JS::MutableHandleIdVector props) const; + virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl, const JS::CallArgs& args) const; + virtual bool getBuiltinClass(JSContext* cx, JS::HandleObject proxy, + ESClass* cls) const; + virtual bool isArray(JSContext* cx, JS::HandleObject proxy, + JS::IsArrayAnswer* answer) const; + virtual const char* className(JSContext* cx, JS::HandleObject proxy) const; + virtual JSString* fun_toString(JSContext* cx, JS::HandleObject proxy, + bool isToSource) const; + virtual RegExpShared* regexp_toShared(JSContext* cx, + JS::HandleObject proxy) const; + virtual bool boxedValue_unbox(JSContext* cx, JS::HandleObject proxy, + JS::MutableHandleValue vp) const; + virtual void trace(JSTracer* trc, JSObject* proxy) const; + virtual void finalize(JS::GCContext* gcx, JSObject* proxy) const; + virtual size_t objectMoved(JSObject* proxy, JSObject* old) const; + + // Allow proxies, wrappers in particular, to specify callability at runtime. + // Note: These do not take const JSObject*, but they do in spirit. + // We are not prepared to do this, as there's little const correctness + // in the external APIs that handle proxies. + virtual bool isCallable(JSObject* obj) const; + virtual bool isConstructor(JSObject* obj) const; + + virtual bool getElements(JSContext* cx, JS::HandleObject proxy, + uint32_t begin, uint32_t end, + ElementAdder* adder) const; + + virtual bool isScripted() const { return false; } +}; + +extern JS_PUBLIC_DATA const JSClass ProxyClass; + +inline bool IsProxy(const JSObject* obj) { + return reinterpret_cast<const JS::shadow::Object*>(obj)->shape->isProxy(); +} + +namespace detail { + +// Proxy slot layout +// ----------------- +// +// Every proxy has a ProxyValueArray that contains the following Values: +// +// - The expando slot. This is used to hold private fields should they be +// stamped into a non-forwarding proxy type. +// - The private slot. +// - The reserved slots. The number of slots is determined by the proxy's Class. +// +// Proxy objects store a pointer to the reserved slots (ProxyReservedSlots*). +// The ProxyValueArray and the private slot can be accessed using +// ProxyValueArray::fromReservedSlots or ProxyDataLayout::values. +// +// Storing a pointer to ProxyReservedSlots instead of ProxyValueArray has a +// number of advantages. In particular, it means JS::GetReservedSlot and +// JS::SetReservedSlot can be used with both proxies and native objects. This +// works because the ProxyReservedSlots* pointer is stored where native objects +// store their dynamic slots pointer. + +struct ProxyReservedSlots { + JS::Value slots[1]; + + static constexpr ptrdiff_t offsetOfPrivateSlot(); + + static inline int offsetOfSlot(size_t slot) { + return offsetof(ProxyReservedSlots, slots[0]) + slot * sizeof(JS::Value); + } + + void init(size_t nreserved) { + for (size_t i = 0; i < nreserved; i++) { + slots[i] = JS::UndefinedValue(); + } + } + + ProxyReservedSlots(const ProxyReservedSlots&) = delete; + void operator=(const ProxyReservedSlots&) = delete; +}; + +struct ProxyValueArray { + JS::Value expandoSlot; + JS::Value privateSlot; + ProxyReservedSlots reservedSlots; + + void init(size_t nreserved) { + expandoSlot = JS::ObjectOrNullValue(nullptr); + privateSlot = JS::UndefinedValue(); + reservedSlots.init(nreserved); + } + + static MOZ_ALWAYS_INLINE ProxyValueArray* fromReservedSlots( + ProxyReservedSlots* slots) { + uintptr_t p = reinterpret_cast<uintptr_t>(slots); + return reinterpret_cast<ProxyValueArray*>(p - offsetOfReservedSlots()); + } + static constexpr size_t offsetOfReservedSlots() { + return offsetof(ProxyValueArray, reservedSlots); + } + + static size_t allocCount(size_t nreserved) { + static_assert(offsetOfReservedSlots() % sizeof(JS::Value) == 0); + return offsetOfReservedSlots() / sizeof(JS::Value) + nreserved; + } + static size_t sizeOf(size_t nreserved) { + return allocCount(nreserved) * sizeof(JS::Value); + } + + ProxyValueArray(const ProxyValueArray&) = delete; + void operator=(const ProxyValueArray&) = delete; +}; + +/* static */ +constexpr ptrdiff_t ProxyReservedSlots::offsetOfPrivateSlot() { + return -ptrdiff_t(ProxyValueArray::offsetOfReservedSlots()) + + offsetof(ProxyValueArray, privateSlot); +} + +// All proxies share the same data layout. Following the object's shape and +// type, the proxy has a ProxyDataLayout structure with a pointer to an array +// of values and the proxy's handler. This is designed both so that proxies can +// be easily swapped with other objects (via RemapWrapper) and to mimic the +// layout of other objects (proxies and other objects have the same size) so +// that common code can access either type of object. +// +// See GetReservedOrProxyPrivateSlot below. +struct ProxyDataLayout { + ProxyReservedSlots* reservedSlots; + const BaseProxyHandler* handler; + + MOZ_ALWAYS_INLINE ProxyValueArray* values() const { + return ProxyValueArray::fromReservedSlots(reservedSlots); + } +}; + +#ifdef JS_64BIT +constexpr uint32_t ProxyDataOffset = 1 * sizeof(void*); +#else +constexpr uint32_t ProxyDataOffset = 2 * sizeof(void*); +#endif + +inline ProxyDataLayout* GetProxyDataLayout(JSObject* obj) { + MOZ_ASSERT(IsProxy(obj)); + return reinterpret_cast<ProxyDataLayout*>(reinterpret_cast<uint8_t*>(obj) + + ProxyDataOffset); +} + +inline const ProxyDataLayout* GetProxyDataLayout(const JSObject* obj) { + MOZ_ASSERT(IsProxy(obj)); + return reinterpret_cast<const ProxyDataLayout*>( + reinterpret_cast<const uint8_t*>(obj) + ProxyDataOffset); +} + +JS_PUBLIC_API void SetValueInProxy(JS::Value* slot, const JS::Value& value); + +inline void SetProxyReservedSlotUnchecked(JSObject* obj, size_t n, + const JS::Value& extra) { + MOZ_ASSERT(n < JSCLASS_RESERVED_SLOTS(JS::GetClass(obj))); + + JS::Value* vp = &GetProxyDataLayout(obj)->reservedSlots->slots[n]; + + // Trigger a barrier before writing the slot. + if (vp->isGCThing() || extra.isGCThing()) { + SetValueInProxy(vp, extra); + } else { + *vp = extra; + } +} + +} // namespace detail + +inline const BaseProxyHandler* GetProxyHandler(const JSObject* obj) { + return detail::GetProxyDataLayout(obj)->handler; +} + +inline const JS::Value& GetProxyPrivate(const JSObject* obj) { + return detail::GetProxyDataLayout(obj)->values()->privateSlot; +} + +inline const JS::Value& GetProxyExpando(const JSObject* obj) { + return detail::GetProxyDataLayout(obj)->values()->expandoSlot; +} + +inline JSObject* GetProxyTargetObject(const JSObject* obj) { + return GetProxyPrivate(obj).toObjectOrNull(); +} + +inline const JS::Value& GetProxyReservedSlot(const JSObject* obj, size_t n) { + MOZ_ASSERT(n < JSCLASS_RESERVED_SLOTS(JS::GetClass(obj))); + return detail::GetProxyDataLayout(obj)->reservedSlots->slots[n]; +} + +inline void SetProxyHandler(JSObject* obj, const BaseProxyHandler* handler) { + detail::GetProxyDataLayout(obj)->handler = handler; +} + +inline void SetProxyReservedSlot(JSObject* obj, size_t n, + const JS::Value& extra) { +#ifdef DEBUG + if (gc::detail::ObjectIsMarkedBlack(obj)) { + JS::AssertValueIsNotGray(extra); + } +#endif + + detail::SetProxyReservedSlotUnchecked(obj, n, extra); +} + +inline void SetProxyPrivate(JSObject* obj, const JS::Value& value) { +#ifdef DEBUG + if (gc::detail::ObjectIsMarkedBlack(obj)) { + JS::AssertValueIsNotGray(value); + } +#endif + + JS::Value* vp = &detail::GetProxyDataLayout(obj)->values()->privateSlot; + + // Trigger a barrier before writing the slot. + if (vp->isGCThing() || value.isGCThing()) { + detail::SetValueInProxy(vp, value); + } else { + *vp = value; + } +} + +inline bool IsScriptedProxy(const JSObject* obj) { + return IsProxy(obj) && GetProxyHandler(obj)->isScripted(); +} + +class MOZ_STACK_CLASS ProxyOptions { + protected: + /* protected constructor for subclass */ + explicit ProxyOptions(bool lazyProtoArg) + : lazyProto_(lazyProtoArg), clasp_(&ProxyClass) {} + + public: + ProxyOptions() : ProxyOptions(false) {} + + bool lazyProto() const { return lazyProto_; } + ProxyOptions& setLazyProto(bool flag) { + lazyProto_ = flag; + return *this; + } + + const JSClass* clasp() const { return clasp_; } + ProxyOptions& setClass(const JSClass* claspArg) { + clasp_ = claspArg; + return *this; + } + + private: + bool lazyProto_; + const JSClass* clasp_; +}; + +JS_PUBLIC_API JSObject* NewProxyObject( + JSContext* cx, const BaseProxyHandler* handler, JS::HandleValue priv, + JSObject* proto, const ProxyOptions& options = ProxyOptions()); + +JSObject* RenewProxyObject(JSContext* cx, JSObject* obj, + BaseProxyHandler* handler, const JS::Value& priv); + +class JS_PUBLIC_API AutoEnterPolicy { + public: + typedef BaseProxyHandler::Action Action; + AutoEnterPolicy(JSContext* cx, const BaseProxyHandler* handler, + JS::HandleObject wrapper, JS::HandleId id, Action act, + bool mayThrow) +#ifdef JS_DEBUG + : context(nullptr) +#endif + { + allow = handler->hasSecurityPolicy() + ? handler->enter(cx, wrapper, id, act, mayThrow, &rv) + : true; + recordEnter(cx, wrapper, id, act); + // We want to throw an exception if all of the following are true: + // * The policy disallowed access. + // * The policy set rv to false, indicating that we should throw. + // * The caller did not instruct us to ignore exceptions. + // * The policy did not throw itself. + if (!allow && !rv && mayThrow) { + reportErrorIfExceptionIsNotPending(cx, id); + } + } + + virtual ~AutoEnterPolicy() { recordLeave(); } + inline bool allowed() { return allow; } + inline bool returnValue() { + MOZ_ASSERT(!allowed()); + return rv; + } + + protected: + // no-op constructor for subclass + AutoEnterPolicy() +#ifdef JS_DEBUG + : context(nullptr), + enteredAction(BaseProxyHandler::NONE) +#endif + { + } + void reportErrorIfExceptionIsNotPending(JSContext* cx, JS::HandleId id); + bool allow; + bool rv; + +#ifdef JS_DEBUG + JSContext* context; + mozilla::Maybe<JS::HandleObject> enteredProxy; + mozilla::Maybe<JS::HandleId> enteredId; + Action enteredAction; + + // NB: We explicitly don't track the entered action here, because sometimes + // set() methods do an implicit get() during their implementation, leading + // to spurious assertions. + AutoEnterPolicy* prev; + void recordEnter(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + Action act); + void recordLeave(); + + friend JS_PUBLIC_API void assertEnteredPolicy(JSContext* cx, JSObject* proxy, + jsid id, Action act); +#else + inline void recordEnter(JSContext* cx, JSObject* proxy, jsid id, Action act) { + } + inline void recordLeave() {} +#endif + + private: + // This operator needs to be deleted explicitly, otherwise Visual C++ will + // create it automatically when it is part of the export JS API. In that + // case, compile would fail because HandleId is not allowed to be assigned + // and consequently instantiation of assign operator of mozilla::Maybe + // would fail. See bug 1325351 comment 16. Copy constructor is removed at + // the same time for consistency. + AutoEnterPolicy(const AutoEnterPolicy&) = delete; + AutoEnterPolicy& operator=(const AutoEnterPolicy&) = delete; +}; + +#ifdef JS_DEBUG +class JS_PUBLIC_API AutoWaivePolicy : public AutoEnterPolicy { + public: + AutoWaivePolicy(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + BaseProxyHandler::Action act) { + allow = true; + recordEnter(cx, proxy, id, act); + } +}; +#else +class JS_PUBLIC_API AutoWaivePolicy { + public: + AutoWaivePolicy(JSContext* cx, JS::HandleObject proxy, JS::HandleId id, + BaseProxyHandler::Action act) {} +}; +#endif + +#ifdef JS_DEBUG +extern JS_PUBLIC_API void assertEnteredPolicy(JSContext* cx, JSObject* obj, + jsid id, + BaseProxyHandler::Action act); +#else +inline void assertEnteredPolicy(JSContext* cx, JSObject* obj, jsid id, + BaseProxyHandler::Action act) {} +#endif + +extern JS_PUBLIC_DATA const JSClassOps ProxyClassOps; +extern JS_PUBLIC_DATA const js::ClassExtension ProxyClassExtension; +extern JS_PUBLIC_DATA const js::ObjectOps ProxyObjectOps; + +template <unsigned Flags> +constexpr unsigned CheckProxyFlags() { + constexpr size_t reservedSlots = + (Flags >> JSCLASS_RESERVED_SLOTS_SHIFT) & JSCLASS_RESERVED_SLOTS_MASK; + + // For now assert each Proxy Class has at least 1 reserved slot. This is + // not a hard requirement, but helps catch Classes that need an explicit + // JSCLASS_HAS_RESERVED_SLOTS since bug 1360523. + static_assert(reservedSlots > 0, + "Proxy Classes must have at least 1 reserved slot"); + + constexpr size_t numSlots = + offsetof(js::detail::ProxyValueArray, reservedSlots) / sizeof(JS::Value); + + // ProxyValueArray must fit inline in the object, so assert the number of + // slots does not exceed MAX_FIXED_SLOTS. + static_assert(numSlots + reservedSlots <= JS::shadow::Object::MAX_FIXED_SLOTS, + "ProxyValueArray size must not exceed max JSObject size"); + + // Proxies must not have the JSCLASS_SKIP_NURSERY_FINALIZE flag set: they + // always have finalizers, and whether they can be nursery allocated is + // controlled by the canNurseryAllocate() method on the proxy handler. + static_assert(!(Flags & JSCLASS_SKIP_NURSERY_FINALIZE), + "Proxies must not use JSCLASS_SKIP_NURSERY_FINALIZE; use " + "the canNurseryAllocate() proxy handler method instead."); + return Flags; +} + +#define PROXY_CLASS_DEF_WITH_CLASS_SPEC(name, flags, classSpec) \ + { \ + name, \ + JSClass::NON_NATIVE | JSCLASS_IS_PROXY | \ + JSCLASS_DELAY_METADATA_BUILDER | js::CheckProxyFlags<flags>(), \ + &js::ProxyClassOps, classSpec, &js::ProxyClassExtension, \ + &js::ProxyObjectOps \ + } + +#define PROXY_CLASS_DEF(name, flags) \ + PROXY_CLASS_DEF_WITH_CLASS_SPEC(name, flags, JS_NULL_CLASS_SPEC) + +// Converts a proxy into a DeadObjectProxy that will throw exceptions on all +// access. This will run the proxy's finalizer to perform clean-up before the +// conversion happens. +JS_PUBLIC_API void NukeNonCCWProxy(JSContext* cx, JS::HandleObject proxy); + +// This is a variant of js::NukeNonCCWProxy() for CCWs. It should only be called +// on CCWs that have been removed from CCW tables. +JS_PUBLIC_API void NukeRemovedCrossCompartmentWrapper(JSContext* cx, + JSObject* wrapper); + +} /* namespace js */ + +#endif /* js_Proxy_h */ |