/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "BindingUtils.h" #include #include #include #include "mozilla/Assertions.h" #include "mozilla/DebugOnly.h" #include "mozilla/Encoding.h" #include "mozilla/FloatingPoint.h" #include "mozilla/Preferences.h" #include "mozilla/ScopeExit.h" #include "mozilla/StaticPrefs_dom.h" #include "mozilla/UniquePtr.h" #include "mozilla/Unused.h" #include "mozilla/UseCounter.h" #include "AccessCheck.h" #include "js/CallAndConstruct.h" // JS::Call, JS::IsCallable #include "js/experimental/JitInfo.h" // JSJit{Getter,Setter,Method}CallArgs, JSJit{Getter,Setter}Op, JSJitInfo #include "js/friend/StackLimits.h" // js::AutoCheckRecursionLimit #include "js/Id.h" #include "js/JSON.h" #include "js/MapAndSet.h" #include "js/Object.h" // JS::GetClass, JS::GetCompartment, JS::GetReservedSlot, JS::SetReservedSlot #include "js/PropertyAndElement.h" // JS_AlreadyHasOwnPropertyById, JS_DefineFunction, JS_DefineFunctionById, JS_DefineFunctions, JS_DefineProperties, JS_DefineProperty, JS_DefinePropertyById, JS_ForwardGetPropertyTo, JS_GetProperty, JS_HasProperty, JS_HasPropertyById #include "js/StableStringChars.h" #include "js/String.h" // JS::GetStringLength, JS::MaxStringLength, JS::StringHasLatin1Chars #include "js/Symbol.h" #include "jsfriendapi.h" #include "nsContentCreatorFunctions.h" #include "nsContentUtils.h" #include "nsGlobalWindowInner.h" #include "nsHTMLTags.h" #include "nsIDOMGlobalPropertyInitializer.h" #include "nsINode.h" #include "nsIOService.h" #include "nsIPrincipal.h" #include "nsIXPConnect.h" #include "nsUTF8Utils.h" #include "WorkerPrivate.h" #include "WorkerRunnable.h" #include "WrapperFactory.h" #include "xpcprivate.h" #include "XrayWrapper.h" #include "nsPrintfCString.h" #include "mozilla/Sprintf.h" #include "nsReadableUtils.h" #include "nsWrapperCacheInlines.h" #include "mozilla/dom/ScriptSettings.h" #include "mozilla/dom/CustomElementRegistry.h" #include "mozilla/dom/DeprecationReportBody.h" #include "mozilla/dom/DOMException.h" #include "mozilla/dom/ElementBinding.h" #include "mozilla/dom/Exceptions.h" #include "mozilla/dom/HTMLObjectElement.h" #include "mozilla/dom/HTMLObjectElementBinding.h" #include "mozilla/dom/HTMLEmbedElement.h" #include "mozilla/dom/HTMLElementBinding.h" #include "mozilla/dom/HTMLEmbedElementBinding.h" #include "mozilla/dom/MaybeCrossOriginObject.h" #include "mozilla/dom/ObservableArrayProxyHandler.h" #include "mozilla/dom/ReportingUtils.h" #include "mozilla/dom/XULElementBinding.h" #include "mozilla/dom/XULFrameElementBinding.h" #include "mozilla/dom/XULMenuElementBinding.h" #include "mozilla/dom/XULPopupElementBinding.h" #include "mozilla/dom/XULResizerElementBinding.h" #include "mozilla/dom/XULTextElementBinding.h" #include "mozilla/dom/XULTreeElementBinding.h" #include "mozilla/dom/Promise.h" #include "mozilla/dom/WebIDLGlobalNameHash.h" #include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerScope.h" #include "mozilla/dom/XrayExpandoClass.h" #include "mozilla/dom/WindowProxyHolder.h" #include "ipc/ErrorIPCUtils.h" #include "ipc/IPCMessageUtilsSpecializations.h" #include "mozilla/dom/DocGroup.h" #include "nsXULElement.h" namespace mozilla { namespace dom { // Forward declare GetConstructorObject methods. #define HTML_TAG(_tag, _classname, _interfacename) \ namespace HTML##_interfacename##Element_Binding { \ JSObject* GetConstructorObject(JSContext*); \ } #define HTML_OTHER(_tag) #include "nsHTMLTagList.h" #undef HTML_TAG #undef HTML_OTHER using constructorGetterCallback = JSObject* (*)(JSContext*); // Mapping of html tag and GetConstructorObject methods. #define HTML_TAG(_tag, _classname, _interfacename) \ HTML##_interfacename##Element_Binding::GetConstructorObject, #define HTML_OTHER(_tag) nullptr, // We use eHTMLTag_foo (where foo is the tag) which is defined in nsHTMLTags.h // to index into this array. static const constructorGetterCallback sConstructorGetterCallback[] = { HTMLUnknownElement_Binding::GetConstructorObject, #include "nsHTMLTagList.h" #undef HTML_TAG #undef HTML_OTHER }; static const JSErrorFormatString ErrorFormatString[] = { #define MSG_DEF(_name, _argc, _has_context, _exn, _str) \ {#_name, _str, _argc, _exn}, #include "mozilla/dom/Errors.msg" #undef MSG_DEF }; #define MSG_DEF(_name, _argc, _has_context, _exn, _str) \ static_assert( \ (_argc) < JS::MaxNumErrorArguments, #_name \ " must only have as many error arguments as the JS engine can support"); #include "mozilla/dom/Errors.msg" #undef MSG_DEF static const JSErrorFormatString* GetErrorMessage(void* aUserRef, const unsigned aErrorNumber) { MOZ_ASSERT(aErrorNumber < ArrayLength(ErrorFormatString)); return &ErrorFormatString[aErrorNumber]; } uint16_t GetErrorArgCount(const ErrNum aErrorNumber) { return GetErrorMessage(nullptr, aErrorNumber)->argCount; } // aErrorNumber needs to be unsigned, not an ErrNum, because the latter makes // va_start have undefined behavior, and we do not want undefined behavior. void binding_detail::ThrowErrorMessage(JSContext* aCx, const unsigned aErrorNumber, ...) { va_list ap; va_start(ap, aErrorNumber); if (!ErrorFormatHasContext[aErrorNumber]) { JS_ReportErrorNumberUTF8VA(aCx, GetErrorMessage, nullptr, aErrorNumber, ap); va_end(ap); return; } // Our first arg is the context arg. We want to replace nullptr with empty // string, leave empty string alone, and for anything else append ": " to the // end. See also the behavior of // TErrorResult::SetPendingExceptionWithMessage, which this is mirroring for // exceptions that are thrown directly, not via an ErrorResult. const char* args[JS::MaxNumErrorArguments + 1]; size_t argCount = GetErrorArgCount(static_cast(aErrorNumber)); MOZ_ASSERT(argCount > 0, "We have a context arg!"); nsAutoCString firstArg; for (size_t i = 0; i < argCount; ++i) { args[i] = va_arg(ap, const char*); if (i == 0) { if (args[0] && *args[0]) { firstArg.Append(args[0]); firstArg.AppendLiteral(": "); } args[0] = firstArg.get(); } } JS_ReportErrorNumberUTF8Array(aCx, GetErrorMessage, nullptr, aErrorNumber, args); va_end(ap); } static bool ThrowInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs, bool aSecurityError, const char* aInterfaceName) { NS_ConvertASCIItoUTF16 ifaceName(aInterfaceName); // This should only be called for DOM methods/getters/setters, which // are JSNative-backed functions, so we can assume that // JS_ValueToFunction and JS_GetFunctionDisplayId will both return // non-null and that JS_GetStringCharsZ returns non-null. JS::Rooted func(aCx, JS_ValueToFunction(aCx, aArgs.calleev())); MOZ_ASSERT(func); JS::Rooted funcName(aCx); if (!JS_GetFunctionDisplayId(aCx, func, &funcName)) { return false; } MOZ_ASSERT(funcName); nsAutoJSString funcNameStr; if (!funcNameStr.init(aCx, funcName)) { return false; } if (aSecurityError) { return Throw(aCx, NS_ERROR_DOM_SECURITY_ERR, nsPrintfCString("Permission to call '%s' denied.", NS_ConvertUTF16toUTF8(funcNameStr).get())); } const ErrNum errorNumber = MSG_METHOD_THIS_DOES_NOT_IMPLEMENT_INTERFACE; MOZ_RELEASE_ASSERT(GetErrorArgCount(errorNumber) == 2); JS_ReportErrorNumberUC(aCx, GetErrorMessage, nullptr, static_cast(errorNumber), static_cast(funcNameStr.get()), static_cast(ifaceName.get())); return false; } bool ThrowInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs, bool aSecurityError, prototypes::ID aProtoId) { return ThrowInvalidThis(aCx, aArgs, aSecurityError, NamesOfInterfacesWithProtos(aProtoId)); } bool ThrowNoSetterArg(JSContext* aCx, const JS::CallArgs& aArgs, prototypes::ID aProtoId) { nsPrintfCString errorMessage("%s attribute setter", NamesOfInterfacesWithProtos(aProtoId)); return aArgs.requireAtLeast(aCx, errorMessage.get(), 1); } } // namespace dom namespace binding_danger { template struct TErrorResult::Message { Message() : mErrorNumber(dom::Err_Limit) { MOZ_COUNT_CTOR(TErrorResult::Message); } ~Message() { MOZ_COUNT_DTOR(TErrorResult::Message); } // UTF-8 strings (probably ASCII in most cases) in mArgs. nsTArray mArgs; dom::ErrNum mErrorNumber; bool HasCorrectNumberOfArguments() { return GetErrorArgCount(mErrorNumber) == mArgs.Length(); } bool operator==(const TErrorResult::Message& aRight) const { return mErrorNumber == aRight.mErrorNumber && mArgs == aRight.mArgs; } }; template nsTArray& TErrorResult::CreateErrorMessageHelper( const dom::ErrNum errorNumber, nsresult errorType) { AssertInOwningThread(); mResult = errorType; Message* message = InitMessage(new Message()); message->mErrorNumber = errorNumber; return message->mArgs; } template void TErrorResult::SerializeMessage( IPC::MessageWriter* aWriter) const { using namespace IPC; AssertInOwningThread(); MOZ_ASSERT(mUnionState == HasMessage); MOZ_ASSERT(mExtra.mMessage); WriteParam(aWriter, mExtra.mMessage->mArgs); WriteParam(aWriter, mExtra.mMessage->mErrorNumber); } template bool TErrorResult::DeserializeMessage( IPC::MessageReader* aReader) { using namespace IPC; AssertInOwningThread(); auto readMessage = MakeUnique(); if (!ReadParam(aReader, &readMessage->mArgs) || !ReadParam(aReader, &readMessage->mErrorNumber)) { return false; } if (!readMessage->HasCorrectNumberOfArguments()) { return false; } MOZ_ASSERT(mUnionState == HasNothing); InitMessage(readMessage.release()); #ifdef DEBUG mUnionState = HasMessage; #endif // DEBUG return true; } template void TErrorResult::SetPendingExceptionWithMessage( JSContext* aCx, const char* context) { AssertInOwningThread(); MOZ_ASSERT(mUnionState == HasMessage); MOZ_ASSERT(mExtra.mMessage, "SetPendingExceptionWithMessage() can be called only once"); Message* message = mExtra.mMessage; MOZ_RELEASE_ASSERT(message->HasCorrectNumberOfArguments()); if (dom::ErrorFormatHasContext[message->mErrorNumber]) { MOZ_ASSERT(!message->mArgs.IsEmpty(), "How could we have no args here?"); MOZ_ASSERT(message->mArgs[0].IsEmpty(), "Context should not be set yet!"); if (context) { // Prepend our context and ": "; see API documentation. message->mArgs[0].AssignASCII(context); message->mArgs[0].AppendLiteral(": "); } } const uint32_t argCount = message->mArgs.Length(); const char* args[JS::MaxNumErrorArguments + 1]; for (uint32_t i = 0; i < argCount; ++i) { args[i] = message->mArgs.ElementAt(i).get(); } args[argCount] = nullptr; JS_ReportErrorNumberUTF8Array(aCx, dom::GetErrorMessage, nullptr, static_cast(message->mErrorNumber), argCount > 0 ? args : nullptr); ClearMessage(); mResult = NS_OK; } template void TErrorResult::ClearMessage() { AssertInOwningThread(); MOZ_ASSERT(IsErrorWithMessage()); MOZ_ASSERT(mUnionState == HasMessage); delete mExtra.mMessage; mExtra.mMessage = nullptr; #ifdef DEBUG mUnionState = HasNothing; #endif // DEBUG } template void TErrorResult::ThrowJSException(JSContext* cx, JS::Handle exn) { AssertInOwningThread(); MOZ_ASSERT(mMightHaveUnreportedJSException, "Why didn't you tell us you planned to throw a JS exception?"); ClearUnionData(); // Make sure mExtra.mJSException is initialized _before_ we try to root it. // But don't set it to exn yet, because we don't want to do that until after // we root. JS::Value& exc = InitJSException(); if (!js::AddRawValueRoot(cx, &exc, "TErrorResult::mExtra::mJSException")) { // Don't use NS_ERROR_INTERNAL_ERRORRESULT_JS_EXCEPTION, because that // indicates we have in fact rooted mExtra.mJSException. mResult = NS_ERROR_OUT_OF_MEMORY; } else { exc = exn; mResult = NS_ERROR_INTERNAL_ERRORRESULT_JS_EXCEPTION; #ifdef DEBUG mUnionState = HasJSException; #endif // DEBUG } } template void TErrorResult::SetPendingJSException(JSContext* cx) { AssertInOwningThread(); MOZ_ASSERT(!mMightHaveUnreportedJSException, "Why didn't you tell us you planned to handle JS exceptions?"); MOZ_ASSERT(mUnionState == HasJSException); JS::Rooted exception(cx, mExtra.mJSException); if (JS_WrapValue(cx, &exception)) { JS_SetPendingException(cx, exception); } mExtra.mJSException = exception; // If JS_WrapValue failed, not much we can do about it... No matter // what, go ahead and unroot mExtra.mJSException. js::RemoveRawValueRoot(cx, &mExtra.mJSException); mResult = NS_OK; #ifdef DEBUG mUnionState = HasNothing; #endif // DEBUG } template struct TErrorResult::DOMExceptionInfo { DOMExceptionInfo(nsresult rv, const nsACString& message) : mMessage(message), mRv(rv) {} nsCString mMessage; nsresult mRv; bool operator==( const TErrorResult::DOMExceptionInfo& aRight) const { return mRv == aRight.mRv && mMessage == aRight.mMessage; } }; template void TErrorResult::SerializeDOMExceptionInfo( IPC::MessageWriter* aWriter) const { using namespace IPC; AssertInOwningThread(); MOZ_ASSERT(mUnionState == HasDOMExceptionInfo); MOZ_ASSERT(mExtra.mDOMExceptionInfo); WriteParam(aWriter, mExtra.mDOMExceptionInfo->mMessage); WriteParam(aWriter, mExtra.mDOMExceptionInfo->mRv); } template bool TErrorResult::DeserializeDOMExceptionInfo( IPC::MessageReader* aReader) { using namespace IPC; AssertInOwningThread(); nsCString message; nsresult rv; if (!ReadParam(aReader, &message) || !ReadParam(aReader, &rv)) { return false; } MOZ_ASSERT(mUnionState == HasNothing); MOZ_ASSERT(IsDOMException()); InitDOMExceptionInfo(new DOMExceptionInfo(rv, message)); #ifdef DEBUG mUnionState = HasDOMExceptionInfo; #endif // DEBUG return true; } template void TErrorResult::ThrowDOMException(nsresult rv, const nsACString& message) { AssertInOwningThread(); ClearUnionData(); mResult = NS_ERROR_INTERNAL_ERRORRESULT_DOMEXCEPTION; InitDOMExceptionInfo(new DOMExceptionInfo(rv, message)); #ifdef DEBUG mUnionState = HasDOMExceptionInfo; #endif } template void TErrorResult::SetPendingDOMException(JSContext* cx, const char* context) { AssertInOwningThread(); MOZ_ASSERT(mUnionState == HasDOMExceptionInfo); MOZ_ASSERT(mExtra.mDOMExceptionInfo, "SetPendingDOMException() can be called only once"); if (context && !mExtra.mDOMExceptionInfo->mMessage.IsEmpty()) { // Prepend our context and ": "; see API documentation. nsAutoCString prefix(context); prefix.AppendLiteral(": "); mExtra.mDOMExceptionInfo->mMessage.Insert(prefix, 0); } dom::Throw(cx, mExtra.mDOMExceptionInfo->mRv, mExtra.mDOMExceptionInfo->mMessage); ClearDOMExceptionInfo(); mResult = NS_OK; } template void TErrorResult::ClearDOMExceptionInfo() { AssertInOwningThread(); MOZ_ASSERT(IsDOMException()); MOZ_ASSERT(mUnionState == HasDOMExceptionInfo); delete mExtra.mDOMExceptionInfo; mExtra.mDOMExceptionInfo = nullptr; #ifdef DEBUG mUnionState = HasNothing; #endif // DEBUG } template void TErrorResult::ClearUnionData() { AssertInOwningThread(); if (IsJSException()) { JSContext* cx = dom::danger::GetJSContext(); MOZ_ASSERT(cx); mExtra.mJSException.setUndefined(); js::RemoveRawValueRoot(cx, &mExtra.mJSException); #ifdef DEBUG mUnionState = HasNothing; #endif // DEBUG } else if (IsErrorWithMessage()) { ClearMessage(); } else if (IsDOMException()) { ClearDOMExceptionInfo(); } } template void TErrorResult::SetPendingGenericErrorException( JSContext* cx) { AssertInOwningThread(); MOZ_ASSERT(!IsErrorWithMessage()); MOZ_ASSERT(!IsJSException()); MOZ_ASSERT(!IsDOMException()); dom::Throw(cx, ErrorCode()); mResult = NS_OK; } template TErrorResult& TErrorResult::operator=( TErrorResult&& aRHS) { AssertInOwningThread(); aRHS.AssertInOwningThread(); // Clear out any union members we may have right now, before we // start writing to it. ClearUnionData(); #ifdef DEBUG mMightHaveUnreportedJSException = aRHS.mMightHaveUnreportedJSException; aRHS.mMightHaveUnreportedJSException = false; #endif if (aRHS.IsErrorWithMessage()) { InitMessage(aRHS.mExtra.mMessage); aRHS.mExtra.mMessage = nullptr; } else if (aRHS.IsJSException()) { JSContext* cx = dom::danger::GetJSContext(); MOZ_ASSERT(cx); JS::Value& exn = InitJSException(); if (!js::AddRawValueRoot(cx, &exn, "TErrorResult::mExtra::mJSException")) { MOZ_CRASH("Could not root mExtra.mJSException, we're about to OOM"); } mExtra.mJSException = aRHS.mExtra.mJSException; aRHS.mExtra.mJSException.setUndefined(); js::RemoveRawValueRoot(cx, &aRHS.mExtra.mJSException); } else if (aRHS.IsDOMException()) { InitDOMExceptionInfo(aRHS.mExtra.mDOMExceptionInfo); aRHS.mExtra.mDOMExceptionInfo = nullptr; } else { // Null out the union on both sides for hygiene purposes. This is purely // precautionary, so InitMessage/placement-new is unnecessary. mExtra.mMessage = aRHS.mExtra.mMessage = nullptr; } #ifdef DEBUG mUnionState = aRHS.mUnionState; aRHS.mUnionState = HasNothing; #endif // DEBUG // Note: It's important to do this last, since this affects the condition // checks above! mResult = aRHS.mResult; aRHS.mResult = NS_OK; return *this; } template bool TErrorResult::operator==(const ErrorResult& aRight) const { auto right = reinterpret_cast*>(&aRight); if (mResult != right->mResult) { return false; } if (IsJSException()) { // js exceptions are always non-equal return false; } if (IsErrorWithMessage()) { return *mExtra.mMessage == *right->mExtra.mMessage; } if (IsDOMException()) { return *mExtra.mDOMExceptionInfo == *right->mExtra.mDOMExceptionInfo; } return true; } template void TErrorResult::CloneTo(TErrorResult& aRv) const { AssertInOwningThread(); aRv.AssertInOwningThread(); aRv.ClearUnionData(); aRv.mResult = mResult; #ifdef DEBUG aRv.mMightHaveUnreportedJSException = mMightHaveUnreportedJSException; #endif if (IsErrorWithMessage()) { #ifdef DEBUG aRv.mUnionState = HasMessage; #endif Message* message = aRv.InitMessage(new Message()); message->mArgs = mExtra.mMessage->mArgs.Clone(); message->mErrorNumber = mExtra.mMessage->mErrorNumber; } else if (IsDOMException()) { #ifdef DEBUG aRv.mUnionState = HasDOMExceptionInfo; #endif auto* exnInfo = new DOMExceptionInfo(mExtra.mDOMExceptionInfo->mRv, mExtra.mDOMExceptionInfo->mMessage); aRv.InitDOMExceptionInfo(exnInfo); } else if (IsJSException()) { #ifdef DEBUG aRv.mUnionState = HasJSException; #endif JSContext* cx = dom::danger::GetJSContext(); JS::Rooted exception(cx, mExtra.mJSException); aRv.ThrowJSException(cx, exception); } } template void TErrorResult::SuppressException() { AssertInOwningThread(); WouldReportJSException(); ClearUnionData(); // We don't use AssignErrorCode, because we want to override existing error // states, which AssignErrorCode is not allowed to do. mResult = NS_OK; } template void TErrorResult::SetPendingException(JSContext* cx, const char* context) { AssertInOwningThread(); if (IsUncatchableException()) { // Nuke any existing exception on cx, to make sure we're uncatchable. JS_ClearPendingException(cx); // Don't do any reporting. Just return, to create an // uncatchable exception. mResult = NS_OK; return; } if (IsJSContextException()) { // Whatever we need to throw is on the JSContext already. MOZ_ASSERT(JS_IsExceptionPending(cx)); mResult = NS_OK; return; } if (IsErrorWithMessage()) { SetPendingExceptionWithMessage(cx, context); return; } if (IsJSException()) { SetPendingJSException(cx); return; } if (IsDOMException()) { SetPendingDOMException(cx, context); return; } SetPendingGenericErrorException(cx); } template void TErrorResult::StealExceptionFromJSContext(JSContext* cx) { AssertInOwningThread(); MOZ_ASSERT(mMightHaveUnreportedJSException, "Why didn't you tell us you planned to throw a JS exception?"); JS::Rooted exn(cx); if (!JS_GetPendingException(cx, &exn)) { ThrowUncatchableException(); return; } ThrowJSException(cx, exn); JS_ClearPendingException(cx); } template void TErrorResult::NoteJSContextException(JSContext* aCx) { AssertInOwningThread(); if (JS_IsExceptionPending(aCx)) { mResult = NS_ERROR_INTERNAL_ERRORRESULT_EXCEPTION_ON_JSCONTEXT; } else { mResult = NS_ERROR_UNCATCHABLE_EXCEPTION; } } /* static */ template void TErrorResult::EnsureUTF8Validity(nsCString& aValue, size_t aValidUpTo) { nsCString valid; if (NS_SUCCEEDED(UTF_8_ENCODING->DecodeWithoutBOMHandling(aValue, valid, aValidUpTo))) { aValue = valid; } else { aValue.SetLength(aValidUpTo); } } template class TErrorResult; template class TErrorResult; template class TErrorResult; template class TErrorResult; } // namespace binding_danger namespace dom { bool DefineConstants(JSContext* cx, JS::Handle obj, const ConstantSpec* cs) { JS::Rooted value(cx); for (; cs->name; ++cs) { value = cs->value; bool ok = JS_DefineProperty( cx, obj, cs->name, value, JSPROP_ENUMERATE | JSPROP_READONLY | JSPROP_PERMANENT); if (!ok) { return false; } } return true; } static inline bool Define(JSContext* cx, JS::Handle obj, const JSFunctionSpec* spec) { return JS_DefineFunctions(cx, obj, spec); } static inline bool Define(JSContext* cx, JS::Handle obj, const JSPropertySpec* spec) { return JS_DefineProperties(cx, obj, spec); } static inline bool Define(JSContext* cx, JS::Handle obj, const ConstantSpec* spec) { return DefineConstants(cx, obj, spec); } template bool DefinePrefable(JSContext* cx, JS::Handle obj, const Prefable* props) { MOZ_ASSERT(props); MOZ_ASSERT(props->specs); do { // Define if enabled if (props->isEnabled(cx, obj)) { if (!Define(cx, obj, props->specs)) { return false; } } } while ((++props)->specs); return true; } bool DefineLegacyUnforgeableMethods( JSContext* cx, JS::Handle obj, const Prefable* props) { return DefinePrefable(cx, obj, props); } bool DefineLegacyUnforgeableAttributes( JSContext* cx, JS::Handle obj, const Prefable* props) { return DefinePrefable(cx, obj, props); } bool InterfaceObjectJSNative(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); return NativeHolderFromInterfaceObject(&args.callee())->mNative(cx, argc, vp); } bool LegacyFactoryFunctionJSNative(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); return NativeHolderFromLegacyFactoryFunction(&args.callee()) ->mNative(cx, argc, vp); } static JSObject* CreateLegacyFactoryFunction(JSContext* cx, jsid name, const JSNativeHolder* nativeHolder, unsigned ctorNargs) { JSFunction* fun = js::NewFunctionByIdWithReserved( cx, LegacyFactoryFunctionJSNative, ctorNargs, JSFUN_CONSTRUCTOR, name); if (!fun) { return nullptr; } JSObject* constructor = JS_GetFunctionObject(fun); js::SetFunctionNativeReserved( constructor, LEGACY_FACTORY_FUNCTION_NATIVE_HOLDER_RESERVED_SLOT, JS::PrivateValue(const_cast(nativeHolder))); return constructor; } static bool DefineConstructor(JSContext* cx, JS::Handle global, JS::Handle name, JS::Handle constructor) { bool alreadyDefined; if (!JS_AlreadyHasOwnPropertyById(cx, global, name, &alreadyDefined)) { return false; } // This is Enumerable: False per spec. return alreadyDefined || JS_DefinePropertyById(cx, global, name, constructor, JSPROP_RESOLVING); } static bool DefineConstructor(JSContext* cx, JS::Handle global, const char* name, JS::Handle constructor) { JSString* nameStr = JS_AtomizeString(cx, name); if (!nameStr) { return false; } JS::Rooted nameKey(cx, JS::PropertyKey::NonIntAtom(nameStr)); return DefineConstructor(cx, global, nameKey, constructor); } static bool DefineToStringTag(JSContext* cx, JS::Handle obj, JS::Handle class_name) { JS::Rooted toStringTagId( cx, JS::GetWellKnownSymbolKey(cx, JS::SymbolCode::toStringTag)); return JS_DefinePropertyById(cx, obj, toStringTagId, class_name, JSPROP_READONLY); } static bool InterfaceIsInstance(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); // If the thing we were passed is not an object, return false like // OrdinaryHasInstance does. if (!args.get(0).isObject()) { args.rval().setBoolean(false); return true; } // If "this" is not an object, likewise return false (again, like // OrdinaryHasInstance). if (!args.thisv().isObject()) { args.rval().setBoolean(false); return true; } // If "this" is not an interface object, likewise return false (again, like // OrdinaryHasInstance). But note that we should CheckedUnwrapStatic here, // because otherwise we won't get the right answers. // The static version is OK, because we're looking for interface objects, // which are not cross-origin objects. JS::Rooted thisObj( cx, js::CheckedUnwrapStatic(&args.thisv().toObject())); if (!thisObj) { // Just fall back on the normal thing, in case it still happens to work. args.rval().setBoolean(false); return true; } if (!IsInterfaceObject(thisObj)) { args.rval().setBoolean(false); return true; } const DOMInterfaceInfo* interfaceInfo = InterfaceInfoFromObject(thisObj); // If "this" is a constructor for an interface without a prototype, just fall // back. if (interfaceInfo->mPrototypeID == prototypes::id::_ID_Count) { args.rval().setBoolean(false); return true; } JS::Rooted instance(cx, &args[0].toObject()); const DOMJSClass* domClass = GetDOMClass( js::UncheckedUnwrap(instance, /* stopAtWindowProxy = */ false)); if (domClass && domClass->mInterfaceChain[interfaceInfo->mDepth] == interfaceInfo->mPrototypeID) { args.rval().setBoolean(true); return true; } if (IsRemoteObjectProxy(instance, interfaceInfo->mPrototypeID)) { args.rval().setBoolean(true); return true; } args.rval().setBoolean(false); return true; } bool InitInterfaceOrNamespaceObject( JSContext* cx, JS::Handle obj, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties, bool isChrome) { if (properties) { if (properties->HasStaticMethods() && !DefinePrefable(cx, obj, properties->StaticMethods())) { return false; } if (properties->HasStaticAttributes() && !DefinePrefable(cx, obj, properties->StaticAttributes())) { return false; } if (properties->HasConstants() && !DefinePrefable(cx, obj, properties->Constants())) { return false; } } if (chromeOnlyProperties && isChrome) { if (chromeOnlyProperties->HasStaticMethods() && !DefinePrefable(cx, obj, chromeOnlyProperties->StaticMethods())) { return false; } if (chromeOnlyProperties->HasStaticAttributes() && !DefinePrefable(cx, obj, chromeOnlyProperties->StaticAttributes())) { return false; } if (chromeOnlyProperties->HasConstants() && !DefinePrefable(cx, obj, chromeOnlyProperties->Constants())) { return false; } } return true; } // name must be an atom (or JS::PropertyKey::NonIntAtom will assert). static JSObject* CreateInterfaceObject( JSContext* cx, JS::Handle global, JS::Handle interfaceProto, const DOMInterfaceInfo* interfaceInfo, unsigned ctorNargs, const Span& legacyFactoryFunctions, JS::Handle proto, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties, JS::Handle name, bool isChrome, bool defineOnGlobal, const char* const* legacyWindowAliases) { MOZ_ASSERT(interfaceProto); MOZ_ASSERT(interfaceInfo); JS::Rooted nameId(cx, JS::PropertyKey::NonIntAtom(name)); JS::Rooted constructor(cx); { JSFunction* fun = js::NewFunctionByIdWithReservedAndProto( cx, InterfaceObjectJSNative, interfaceProto, ctorNargs, JSFUN_CONSTRUCTOR, nameId); if (!fun) { return nullptr; } constructor = JS_GetFunctionObject(fun); } js::SetFunctionNativeReserved( constructor, INTERFACE_OBJECT_INFO_RESERVED_SLOT, JS::PrivateValue(const_cast(interfaceInfo))); // Eagerly force creation of the .length and .name properties, because they // need to be defined before the .prototype property (CreateBuiltinFunction // called from the WebIDL spec sets them, and then the .prototype property is // defined in the WebIDL spec itself). bool unused; if (!JS_HasProperty(cx, constructor, "length", &unused) || !JS_HasProperty(cx, constructor, "name", &unused)) { return nullptr; } if (proto && !JS_LinkConstructorAndPrototype(cx, constructor, proto)) { return nullptr; } if (!InitInterfaceOrNamespaceObject(cx, constructor, properties, chromeOnlyProperties, isChrome)) { return nullptr; } if (defineOnGlobal && !DefineConstructor(cx, global, nameId, constructor)) { return nullptr; } if (interfaceInfo->wantsInterfaceIsInstance && isChrome && !JS_DefineFunction(cx, constructor, "isInstance", InterfaceIsInstance, 1, // Don't bother making it enumerable 0)) { return nullptr; } if (legacyWindowAliases && NS_IsMainThread()) { for (; *legacyWindowAliases; ++legacyWindowAliases) { if (!DefineConstructor(cx, global, *legacyWindowAliases, constructor)) { return nullptr; } } } int legacyFactoryFunctionSlot = INTERFACE_OBJECT_FIRST_LEGACY_FACTORY_FUNCTION; for (const LegacyFactoryFunction& lff : legacyFactoryFunctions) { JSString* fname = JS_AtomizeString(cx, lff.mName); if (!fname) { return nullptr; } nameId = JS::PropertyKey::NonIntAtom(fname); JS::Rooted legacyFactoryFunction( cx, CreateLegacyFactoryFunction(cx, nameId, &lff.mHolder, lff.mNargs)); if (!legacyFactoryFunction || !JS_DefineProperty(cx, legacyFactoryFunction, "prototype", proto, JSPROP_PERMANENT | JSPROP_READONLY) || (defineOnGlobal && !DefineConstructor(cx, global, nameId, legacyFactoryFunction))) { return nullptr; } js::SetFunctionNativeReserved(constructor, legacyFactoryFunctionSlot, JS::ObjectValue(*legacyFactoryFunction)); ++legacyFactoryFunctionSlot; } return constructor; } static JSObject* CreateInterfacePrototypeObject( JSContext* cx, JS::Handle global, JS::Handle parentProto, const JSClass* protoClass, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties, const char* const* unscopableNames, JS::Handle name, bool isGlobal) { JS::Rooted ourProto( cx, JS_NewObjectWithGivenProto(cx, protoClass, parentProto)); if (!ourProto || // We don't try to define properties on the global's prototype; those // properties go on the global itself. (!isGlobal && !DefineProperties(cx, ourProto, properties, chromeOnlyProperties))) { return nullptr; } if (unscopableNames) { JS::Rooted unscopableObj( cx, JS_NewObjectWithGivenProto(cx, nullptr, nullptr)); if (!unscopableObj) { return nullptr; } for (; *unscopableNames; ++unscopableNames) { if (!JS_DefineProperty(cx, unscopableObj, *unscopableNames, JS::TrueHandleValue, JSPROP_ENUMERATE)) { return nullptr; } } JS::Rooted unscopableId( cx, JS::GetWellKnownSymbolKey(cx, JS::SymbolCode::unscopables)); // Readonly and non-enumerable to match Array.prototype. if (!JS_DefinePropertyById(cx, ourProto, unscopableId, unscopableObj, JSPROP_READONLY)) { return nullptr; } } if (!DefineToStringTag(cx, ourProto, name)) { return nullptr; } return ourProto; } bool DefineProperties(JSContext* cx, JS::Handle obj, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties) { if (properties) { if (properties->HasMethods() && !DefinePrefable(cx, obj, properties->Methods())) { return false; } if (properties->HasAttributes() && !DefinePrefable(cx, obj, properties->Attributes())) { return false; } if (properties->HasConstants() && !DefinePrefable(cx, obj, properties->Constants())) { return false; } } if (chromeOnlyProperties) { if (chromeOnlyProperties->HasMethods() && !DefinePrefable(cx, obj, chromeOnlyProperties->Methods())) { return false; } if (chromeOnlyProperties->HasAttributes() && !DefinePrefable(cx, obj, chromeOnlyProperties->Attributes())) { return false; } if (chromeOnlyProperties->HasConstants() && !DefinePrefable(cx, obj, chromeOnlyProperties->Constants())) { return false; } } return true; } namespace binding_detail { void CreateInterfaceObjects( JSContext* cx, JS::Handle global, JS::Handle protoProto, const DOMIfaceAndProtoJSClass* protoClass, JS::Heap* protoCache, JS::Handle interfaceProto, const DOMInterfaceInfo* interfaceInfo, unsigned ctorNargs, bool isConstructorChromeOnly, const Span& legacyFactoryFunctions, JS::Heap* constructorCache, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties, const char* name, bool defineOnGlobal, const char* const* unscopableNames, bool isGlobal, const char* const* legacyWindowAliases) { MOZ_ASSERT(protoClass || interfaceInfo, "Need at least a class or info!"); MOZ_ASSERT( !((properties && (properties->HasMethods() || properties->HasAttributes())) || (chromeOnlyProperties && (chromeOnlyProperties->HasMethods() || chromeOnlyProperties->HasAttributes()))) || protoClass, "Methods or properties but no protoClass!"); MOZ_ASSERT(!((properties && (properties->HasStaticMethods() || properties->HasStaticAttributes())) || (chromeOnlyProperties && (chromeOnlyProperties->HasStaticMethods() || chromeOnlyProperties->HasStaticAttributes()))) || interfaceInfo, "Static methods but no info!"); MOZ_ASSERT(!protoClass == !protoCache, "If, and only if, there is an interface prototype object we need " "to cache it"); MOZ_ASSERT(bool(interfaceInfo) == bool(constructorCache), "If, and only if, there is an interface object we need to cache " "it"); MOZ_ASSERT(interfaceProto || !interfaceInfo, "Must have a interface proto if we plan to create an interface " "object"); bool isChrome = nsContentUtils::ThreadsafeIsSystemCaller(cx); JS::Rooted nameStr(cx, JS_AtomizeString(cx, name)); if (!nameStr) { return; } JS::Rooted proto(cx); if (protoClass) { proto = CreateInterfacePrototypeObject( cx, global, protoProto, protoClass->ToJSClass(), properties, isChrome ? chromeOnlyProperties : nullptr, unscopableNames, nameStr, isGlobal); if (!proto) { return; } *protoCache = proto; } else { MOZ_ASSERT(!proto); } JSObject* interface; if (interfaceInfo) { interface = CreateInterfaceObject( cx, global, interfaceProto, interfaceInfo, (isChrome || !isConstructorChromeOnly) ? ctorNargs : 0, legacyFactoryFunctions, proto, properties, chromeOnlyProperties, nameStr, isChrome, defineOnGlobal, legacyWindowAliases); if (!interface) { if (protoCache) { // If we fail we need to make sure to clear the value of protoCache we // set above. *protoCache = nullptr; } return; } *constructorCache = interface; } } } // namespace binding_detail void CreateNamespaceObject(JSContext* cx, JS::Handle global, JS::Handle namespaceProto, const DOMIfaceAndProtoJSClass& namespaceClass, JS::Heap* namespaceCache, const NativeProperties* properties, const NativeProperties* chromeOnlyProperties, const char* name, bool defineOnGlobal) { JS::Rooted nameStr(cx, JS_AtomizeString(cx, name)); if (!nameStr) { return; } JS::Rooted nameId(cx, JS::PropertyKey::NonIntAtom(nameStr)); JS::Rooted namespaceObj( cx, JS_NewObjectWithGivenProto(cx, namespaceClass.ToJSClass(), namespaceProto)); if (!namespaceObj) { return; } if (!InitInterfaceOrNamespaceObject( cx, namespaceObj, properties, chromeOnlyProperties, nsContentUtils::ThreadsafeIsSystemCaller(cx))) { return; } if (defineOnGlobal && !DefineConstructor(cx, global, nameId, namespaceObj)) { return; } if (!DefineToStringTag(cx, namespaceObj, nameStr)) { return; } *namespaceCache = namespaceObj; } // Only set aAllowNativeWrapper to false if you really know you need it; if in // doubt use true. Setting it to false disables security wrappers. static bool NativeInterface2JSObjectAndThrowIfFailed( JSContext* aCx, JS::Handle aScope, JS::MutableHandle aRetval, xpcObjectHelper& aHelper, const nsIID* aIID, bool aAllowNativeWrapper) { js::AssertSameCompartment(aCx, aScope); nsresult rv; // Inline some logic from XPCConvert::NativeInterfaceToJSObject that we need // on all threads. nsWrapperCache* cache = aHelper.GetWrapperCache(); if (cache) { JS::Rooted obj(aCx, cache->GetWrapper()); if (!obj) { obj = cache->WrapObject(aCx, nullptr); if (!obj) { return Throw(aCx, NS_ERROR_UNEXPECTED); } } if (aAllowNativeWrapper && !JS_WrapObject(aCx, &obj)) { return false; } aRetval.setObject(*obj); return true; } MOZ_ASSERT(NS_IsMainThread()); if (!XPCConvert::NativeInterface2JSObject(aCx, aRetval, aHelper, aIID, aAllowNativeWrapper, &rv)) { // I can't tell if NativeInterface2JSObject throws JS exceptions // or not. This is a sloppy stab at the right semantics; the // method really ought to be fixed to behave consistently. if (!JS_IsExceptionPending(aCx)) { Throw(aCx, NS_FAILED(rv) ? rv : NS_ERROR_UNEXPECTED); } return false; } return true; } bool TryPreserveWrapper(JS::Handle obj) { MOZ_ASSERT(IsDOMObject(obj)); // nsISupports objects are special cased because DOM proxies are nsISupports // and have addProperty hooks that do more than wrapper preservation (so we // don't want to call them). if (nsISupports* native = UnwrapDOMObjectToISupports(obj)) { nsWrapperCache* cache = nullptr; CallQueryInterface(native, &cache); if (cache) { cache->PreserveWrapper(native); } return true; } // The addProperty hook for WebIDL classes does wrapper preservation, and // nothing else, so call it, if present. const JSClass* clasp = JS::GetClass(obj); const DOMJSClass* domClass = GetDOMClass(clasp); // We expect all proxies to be nsISupports. MOZ_RELEASE_ASSERT(clasp->isNativeObject(), "Should not call addProperty for proxies."); JSAddPropertyOp addProperty = clasp->getAddProperty(); if (!addProperty) { return true; } // The class should have an addProperty hook iff it is a CC participant. MOZ_RELEASE_ASSERT(domClass->mParticipant); JS::Rooted dummyId(RootingCx()); JS::Rooted dummyValue(RootingCx()); return addProperty(nullptr, obj, dummyId, dummyValue); } bool HasReleasedWrapper(JS::Handle obj) { MOZ_ASSERT(obj); MOZ_ASSERT(IsDOMObject(obj)); nsWrapperCache* cache = nullptr; if (nsISupports* native = UnwrapDOMObjectToISupports(obj)) { CallQueryInterface(native, &cache); } else { const JSClass* clasp = JS::GetClass(obj); const DOMJSClass* domClass = GetDOMClass(clasp); // We expect all proxies to be nsISupports. MOZ_RELEASE_ASSERT(clasp->isNativeObject(), "Should not call getWrapperCache for proxies."); WrapperCacheGetter getter = domClass->mWrapperCacheGetter; if (getter) { // If the class has a wrapper cache getter it must be a CC participant. MOZ_RELEASE_ASSERT(domClass->mParticipant); cache = getter(obj); } } return cache && !cache->PreservingWrapper(); } // Can only be called with a DOM JSClass. bool InstanceClassHasProtoAtDepth(const JSClass* clasp, uint32_t protoID, uint32_t depth) { const DOMJSClass* domClass = DOMJSClass::FromJSClass(clasp); return static_cast(domClass->mInterfaceChain[depth]) == protoID; } // Only set allowNativeWrapper to false if you really know you need it; if in // doubt use true. Setting it to false disables security wrappers. bool XPCOMObjectToJsval(JSContext* cx, JS::Handle scope, xpcObjectHelper& helper, const nsIID* iid, bool allowNativeWrapper, JS::MutableHandle rval) { return NativeInterface2JSObjectAndThrowIfFailed(cx, scope, rval, helper, iid, allowNativeWrapper); } bool VariantToJsval(JSContext* aCx, nsIVariant* aVariant, JS::MutableHandle aRetval) { nsresult rv; if (!XPCVariant::VariantDataToJS(aCx, aVariant, &rv, aRetval)) { // Does it throw? Who knows if (!JS_IsExceptionPending(aCx)) { Throw(aCx, NS_FAILED(rv) ? rv : NS_ERROR_UNEXPECTED); } return false; } return true; } bool WrapObject(JSContext* cx, const WindowProxyHolder& p, JS::MutableHandle rval) { return ToJSValue(cx, p, rval); } // {JSPropertySpec,JSFunctionSpec} use {JSPropertySpec,JSFunctionSpec}::Name // and ConstantSpec uses `const char*` for name field. static inline JSPropertySpec::Name ToPropertySpecName( JSPropertySpec::Name name) { return name; } static inline JSPropertySpec::Name ToPropertySpecName(const char* name) { return JSPropertySpec::Name(name); } template static bool InitPropertyInfos(JSContext* cx, const Prefable* pref, PropertyInfo* infos, PropertyType type) { MOZ_ASSERT(pref); MOZ_ASSERT(pref->specs); // Index of the Prefable that contains the id for the current PropertyInfo. uint32_t prefIndex = 0; do { // We ignore whether the set of ids is enabled and just intern all the IDs, // because this is only done once per application runtime. const SpecT* spec = pref->specs; // Index of the property/function/constant spec for our current PropertyInfo // in the "specs" array of the relevant Prefable. uint32_t specIndex = 0; do { jsid id; if (!JS::PropertySpecNameToPermanentId(cx, ToPropertySpecName(spec->name), &id)) { return false; } infos->SetId(id); infos->type = type; infos->prefIndex = prefIndex; infos->specIndex = specIndex++; ++infos; } while ((++spec)->name); ++prefIndex; } while ((++pref)->specs); return true; } #define INIT_PROPERTY_INFOS_IF_DEFINED(TypeName) \ { \ if (nativeProperties->Has##TypeName##s() && \ !InitPropertyInfos(cx, nativeProperties->TypeName##s(), \ nativeProperties->TypeName##PropertyInfos(), \ e##TypeName)) { \ return false; \ } \ } static bool InitPropertyInfos(JSContext* cx, const NativeProperties* nativeProperties) { INIT_PROPERTY_INFOS_IF_DEFINED(StaticMethod); INIT_PROPERTY_INFOS_IF_DEFINED(StaticAttribute); INIT_PROPERTY_INFOS_IF_DEFINED(Method); INIT_PROPERTY_INFOS_IF_DEFINED(Attribute); INIT_PROPERTY_INFOS_IF_DEFINED(UnforgeableMethod); INIT_PROPERTY_INFOS_IF_DEFINED(UnforgeableAttribute); INIT_PROPERTY_INFOS_IF_DEFINED(Constant); // Initialize and sort the index array. uint16_t* indices = nativeProperties->sortedPropertyIndices; auto count = nativeProperties->propertyInfoCount; for (auto i = 0; i < count; ++i) { indices[i] = i; } std::sort(indices, indices + count, [infos = nativeProperties->PropertyInfos()](const uint16_t left, const uint16_t right) { // std::sort may call us with the same element by design but // PropertyInfo::Compare does not like that. if (left == right) { return false; } return PropertyInfo::Compare(infos[left], infos[right]) < 0; }); return true; } #undef INIT_PROPERTY_INFOS_IF_DEFINED static inline bool InitPropertyInfos( JSContext* aCx, const NativePropertiesHolder& nativeProperties) { MOZ_ASSERT(NS_IsMainThread()); if (!*nativeProperties.inited) { if (nativeProperties.regular && !InitPropertyInfos(aCx, nativeProperties.regular)) { return false; } if (nativeProperties.chromeOnly && !InitPropertyInfos(aCx, nativeProperties.chromeOnly)) { return false; } *nativeProperties.inited = true; } return true; } void GetInterfaceImpl(JSContext* aCx, nsIInterfaceRequestor* aRequestor, nsWrapperCache* aCache, JS::Handle aIID, JS::MutableHandle aRetval, ErrorResult& aError) { Maybe iid = xpc::JSValue2ID(aCx, aIID); if (!iid) { aError.Throw(NS_ERROR_XPC_BAD_CONVERT_JS); return; } RefPtr result; aError = aRequestor->GetInterface(*iid, getter_AddRefs(result)); if (aError.Failed()) { return; } if (!WrapObject(aCx, result, iid.ptr(), aRetval)) { aError.Throw(NS_ERROR_FAILURE); } } bool ThrowingConstructor(JSContext* cx, unsigned argc, JS::Value* vp) { // Cast nullptr to void* to work around // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100666 return ThrowErrorMessage(cx, (void*)nullptr); } bool ThrowConstructorWithoutNew(JSContext* cx, const char* name) { return ThrowErrorMessage(cx, name); } inline const NativePropertyHooks* GetNativePropertyHooksFromJSNative( JS::Handle obj) { return NativeHolderFromObject(obj)->mPropertyHooks; } inline const NativePropertyHooks* GetNativePropertyHooks( JSContext* cx, JS::Handle obj, DOMObjectType& type) { const JSClass* clasp = JS::GetClass(obj); const DOMJSClass* domClass = GetDOMClass(clasp); if (domClass) { bool isGlobal = (clasp->flags & JSCLASS_DOM_GLOBAL) != 0; type = isGlobal ? eGlobalInstance : eInstance; return domClass->mNativeHooks; } if (JS_ObjectIsFunction(obj)) { type = eInterface; return GetNativePropertyHooksFromJSNative(obj); } MOZ_ASSERT(IsDOMIfaceAndProtoClass(JS::GetClass(obj))); const DOMIfaceAndProtoJSClass* ifaceAndProtoJSClass = DOMIfaceAndProtoJSClass::FromJSClass(JS::GetClass(obj)); type = ifaceAndProtoJSClass->mType; return ifaceAndProtoJSClass->mNativeHooks; } static JSObject* XrayCreateFunction(JSContext* cx, JS::Handle wrapper, JSNativeWrapper native, unsigned nargs, JS::Handle id) { JSFunction* fun; if (id.isString()) { fun = js::NewFunctionByIdWithReserved(cx, native.op, nargs, 0, id); } else { // Can't pass this id (probably a symbol) to NewFunctionByIdWithReserved; // just use an empty name for lack of anything better. fun = js::NewFunctionWithReserved(cx, native.op, nargs, 0, nullptr); } if (!fun) { return nullptr; } SET_JITINFO(fun, native.info); JSObject* obj = JS_GetFunctionObject(fun); js::SetFunctionNativeReserved(obj, XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT, JS::ObjectValue(*wrapper)); #ifdef DEBUG js::SetFunctionNativeReserved(obj, XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF, JS::ObjectValue(*obj)); #endif return obj; } struct IdToIndexComparator { // The id we're searching for. const jsid& mId; // Whether we're searching for static operations. const bool mStatic; // The list of ids we're searching in. const PropertyInfo* mInfos; IdToIndexComparator(const jsid& aId, DOMObjectType aType, const PropertyInfo* aInfos) : mId(aId), mStatic(aType == eInterface || aType == eNamespace), mInfos(aInfos) {} int operator()(const uint16_t aIndex) const { const PropertyInfo& info = mInfos[aIndex]; if (mId.asRawBits() == info.Id().asRawBits()) { if (info.type != eMethod && info.type != eStaticMethod) { return 0; } if (mStatic == info.IsStaticMethod()) { // We're looking for static properties and we've found a static one for // the right name. return 0; } // Static operations are sorted before others by PropertyInfo::Compare. return mStatic ? -1 : 1; } return mId.asRawBits() < info.Id().asRawBits() ? -1 : 1; } }; static const PropertyInfo* XrayFindOwnPropertyInfo( JSContext* cx, DOMObjectType type, JS::Handle id, const NativeProperties* nativeProperties) { if ((type == eInterfacePrototype || type == eGlobalInstance) && MOZ_UNLIKELY(nativeProperties->iteratorAliasMethodIndex >= 0) && id.isWellKnownSymbol(JS::SymbolCode::iterator)) { return nativeProperties->MethodPropertyInfos() + nativeProperties->iteratorAliasMethodIndex; } size_t idx; const uint16_t* sortedPropertyIndices = nativeProperties->sortedPropertyIndices; const PropertyInfo* propertyInfos = nativeProperties->PropertyInfos(); if (BinarySearchIf(sortedPropertyIndices, 0, nativeProperties->propertyInfoCount, IdToIndexComparator(id, type, propertyInfos), &idx)) { return propertyInfos + sortedPropertyIndices[idx]; } return nullptr; } static bool XrayResolveAttribute( JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, const Prefable& pref, const JSPropertySpec& attrSpec, JS::MutableHandle> desc, bool& cacheOnHolder) { if (!pref.isEnabled(cx, obj)) { return true; } MOZ_ASSERT(attrSpec.isAccessor()); MOZ_ASSERT( !attrSpec.isSelfHosted(), "Bad JSPropertySpec declaration: unsupported self-hosted accessor"); cacheOnHolder = true; JS::Rooted getterId(cx); if (!JS::ToGetterId(cx, id, &getterId)) { return false; } // Because of centralization, we need to make sure we fault in the JitInfos as // well. At present, until the JSAPI changes, the easiest way to do this is // wrap them up as functions ourselves. // They all have getters, so we can just make it. JS::Rooted getter( cx, XrayCreateFunction(cx, wrapper, attrSpec.u.accessors.getter.native, 0, getterId)); if (!getter) { return false; } JS::Rooted setter(cx); if (attrSpec.u.accessors.setter.native.op) { JS::Rooted setterId(cx); if (!JS::ToSetterId(cx, id, &setterId)) { return false; } // We have a setter! Make it. setter = XrayCreateFunction(cx, wrapper, attrSpec.u.accessors.setter.native, 1, setterId); if (!setter) { return false; } } desc.set(Some( JS::PropertyDescriptor::Accessor(getter, setter, attrSpec.attributes()))); return true; } static bool XrayResolveMethod( JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, const Prefable& pref, const JSFunctionSpec& methodSpec, JS::MutableHandle> desc, bool& cacheOnHolder) { if (!pref.isEnabled(cx, obj)) { return true; } cacheOnHolder = true; JSObject* funobj; if (methodSpec.selfHostedName) { JSFunction* fun = JS::GetSelfHostedFunction(cx, methodSpec.selfHostedName, id, methodSpec.nargs); if (!fun) { return false; } MOZ_ASSERT(!methodSpec.call.op, "Bad FunctionSpec declaration: non-null native"); MOZ_ASSERT(!methodSpec.call.info, "Bad FunctionSpec declaration: non-null jitinfo"); funobj = JS_GetFunctionObject(fun); } else { funobj = XrayCreateFunction(cx, wrapper, methodSpec.call, methodSpec.nargs, id); if (!funobj) { return false; } } desc.set(Some(JS::PropertyDescriptor::Data(JS::ObjectValue(*funobj), methodSpec.flags))); return true; } static bool XrayResolveConstant( JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle, const Prefable& pref, const ConstantSpec& constantSpec, JS::MutableHandle> desc, bool& cacheOnHolder) { if (!pref.isEnabled(cx, obj)) { return true; } cacheOnHolder = true; desc.set(Some(JS::PropertyDescriptor::Data( constantSpec.value, {JS::PropertyAttribute::Enumerable}))); return true; } #define RESOLVE_CASE(PropType, SpecType, Resolver) \ case e##PropType: { \ MOZ_ASSERT(nativeProperties->Has##PropType##s()); \ const Prefable& pref = \ nativeProperties->PropType##s()[propertyInfo.prefIndex]; \ return Resolver(cx, wrapper, obj, id, pref, \ pref.specs[propertyInfo.specIndex], desc, cacheOnHolder); \ } static bool XrayResolveProperty( JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, JS::MutableHandle> desc, bool& cacheOnHolder, DOMObjectType type, const NativeProperties* nativeProperties, const PropertyInfo& propertyInfo) { MOZ_ASSERT(type != eGlobalInterfacePrototype); // Make sure we resolve for matched object type. switch (propertyInfo.type) { case eStaticMethod: case eStaticAttribute: if (type != eInterface && type != eNamespace) { return true; } break; case eMethod: case eAttribute: if (type != eGlobalInstance && type != eInterfacePrototype) { return true; } break; case eUnforgeableMethod: case eUnforgeableAttribute: if (!IsInstance(type)) { return true; } break; case eConstant: if (IsInstance(type)) { return true; } break; } switch (propertyInfo.type) { RESOLVE_CASE(StaticMethod, JSFunctionSpec, XrayResolveMethod) RESOLVE_CASE(StaticAttribute, JSPropertySpec, XrayResolveAttribute) RESOLVE_CASE(Method, JSFunctionSpec, XrayResolveMethod) RESOLVE_CASE(Attribute, JSPropertySpec, XrayResolveAttribute) RESOLVE_CASE(UnforgeableMethod, JSFunctionSpec, XrayResolveMethod) RESOLVE_CASE(UnforgeableAttribute, JSPropertySpec, XrayResolveAttribute) RESOLVE_CASE(Constant, ConstantSpec, XrayResolveConstant) } return true; } #undef RESOLVE_CASE static bool ResolvePrototypeOrConstructor( JSContext* cx, JS::Handle wrapper, JS::Handle obj, size_t protoAndIfaceCacheIndex, unsigned attrs, JS::MutableHandle> desc, bool& cacheOnHolder) { JS::Rooted global(cx, JS::GetNonCCWObjectGlobal(obj)); { JSAutoRealm ar(cx, global); ProtoAndIfaceCache& protoAndIfaceCache = *GetProtoAndIfaceCache(global); // This function is called when resolving the "constructor" and "prototype" // properties of Xrays for DOM prototypes and constructors respectively. // This means the relevant Xray exists, which means its _target_ exists. // And that means we managed to successfullly create the prototype or // constructor, respectively, and hence must have managed to create the // thing it's pointing to as well. So our entry slot must exist. JSObject* protoOrIface = protoAndIfaceCache.EntrySlotMustExist(protoAndIfaceCacheIndex); MOZ_RELEASE_ASSERT(protoOrIface, "How can this object not exist?"); cacheOnHolder = true; desc.set(Some( JS::PropertyDescriptor::Data(JS::ObjectValue(*protoOrIface), attrs))); } return JS_WrapPropertyDescriptor(cx, desc); } /* static */ bool XrayResolveOwnProperty( JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, JS::MutableHandle> desc, bool& cacheOnHolder) { MOZ_ASSERT(desc.isNothing()); cacheOnHolder = false; DOMObjectType type; const NativePropertyHooks* nativePropertyHooks = GetNativePropertyHooks(cx, obj, type); ResolveOwnProperty resolveOwnProperty = nativePropertyHooks->mIndexedOrNamedNativeProperties ? nativePropertyHooks->mIndexedOrNamedNativeProperties ->mResolveOwnProperty : nullptr; if (type == eNamedPropertiesObject) { MOZ_ASSERT(!resolveOwnProperty, "Shouldn't have any Xray-visible properties"); return true; } const NativePropertiesHolder& nativePropertiesHolder = nativePropertyHooks->mNativeProperties; if (!InitPropertyInfos(cx, nativePropertiesHolder)) { return false; } const NativeProperties* nativeProperties = nullptr; const PropertyInfo* found = nullptr; if ((nativeProperties = nativePropertiesHolder.regular)) { found = XrayFindOwnPropertyInfo(cx, type, id, nativeProperties); } if (!found && (nativeProperties = nativePropertiesHolder.chromeOnly) && xpc::AccessCheck::isChrome(JS::GetCompartment(wrapper))) { found = XrayFindOwnPropertyInfo(cx, type, id, nativeProperties); } if (IsInstance(type)) { // Check for unforgeable properties first to prevent names provided by // resolveOwnProperty callback from shadowing them. if (found && (found->type == eUnforgeableMethod || found->type == eUnforgeableAttribute)) { if (!XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type, nativeProperties, *found)) { return false; } if (desc.isSome()) { return true; } } if (resolveOwnProperty) { if (!resolveOwnProperty(cx, wrapper, obj, id, desc)) { return false; } if (desc.isSome()) { // None of these should be cached on the holder, since they're dynamic. return true; } } // For non-global instance Xrays there are no other properties, so return // here for them. if (type != eGlobalInstance) { return true; } } else if (type == eInterface) { if (id.get() == GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE)) { return nativePropertyHooks->mPrototypeID == prototypes::id::_ID_Count || ResolvePrototypeOrConstructor( cx, wrapper, obj, nativePropertyHooks->mPrototypeID, JSPROP_PERMANENT | JSPROP_READONLY, desc, cacheOnHolder); } if (id.get() == GetJSIDByIndex(cx, XPCJSContext::IDX_ISINSTANCE)) { if (IsInterfaceObject(obj) && InterfaceInfoFromObject(obj)->wantsInterfaceIsInstance) { cacheOnHolder = true; JSObject* funObj = XrayCreateFunction( cx, wrapper, {InterfaceIsInstance, nullptr}, 1, id); if (!funObj) { return false; } desc.set(Some(JS::PropertyDescriptor::Data( JS::ObjectValue(*funObj), {JS::PropertyAttribute::Configurable, JS::PropertyAttribute::Writable}))); return true; } } } else if (type == eNamespace) { if (id.isWellKnownSymbol(JS::SymbolCode::toStringTag)) { JS::Rooted nameStr( cx, JS_AtomizeString(cx, JS::GetClass(obj)->name)); if (!nameStr) { return false; } desc.set(Some(JS::PropertyDescriptor::Data( JS::StringValue(nameStr), {JS::PropertyAttribute::Configurable}))); return true; } } else { MOZ_ASSERT(IsInterfacePrototype(type)); if (id.get() == GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR)) { return nativePropertyHooks->mConstructorID == constructors::id::_ID_Count || ResolvePrototypeOrConstructor(cx, wrapper, obj, nativePropertyHooks->mConstructorID, 0, desc, cacheOnHolder); } if (id.isWellKnownSymbol(JS::SymbolCode::toStringTag)) { const JSClass* objClass = JS::GetClass(obj); prototypes::ID prototypeID = DOMIfaceAndProtoJSClass::FromJSClass(objClass)->mPrototypeID; JS::Rooted nameStr( cx, JS_AtomizeString(cx, NamesOfInterfacesWithProtos(prototypeID))); if (!nameStr) { return false; } desc.set(Some(JS::PropertyDescriptor::Data( JS::StringValue(nameStr), {JS::PropertyAttribute::Configurable}))); return true; } // The properties for globals live on the instance, so return here as there // are no properties on their interface prototype object. if (type == eGlobalInterfacePrototype) { return true; } } if (found && !XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type, nativeProperties, *found)) { return false; } return true; } bool XrayDefineProperty(JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, JS::Handle desc, JS::ObjectOpResult& result, bool* done) { if (!js::IsProxy(obj)) return true; const DOMProxyHandler* handler = GetDOMProxyHandler(obj); return handler->defineProperty(cx, wrapper, id, desc, result, done); } template bool XrayAppendPropertyKeys(JSContext* cx, JS::Handle obj, const Prefable* pref, const PropertyInfo* infos, unsigned flags, JS::MutableHandleVector props) { do { bool prefIsEnabled = pref->isEnabled(cx, obj); if (prefIsEnabled) { const SpecType* spec = pref->specs; do { const jsid id = infos++->Id(); if (((flags & JSITER_HIDDEN) || (spec->attributes() & JSPROP_ENUMERATE)) && ((flags & JSITER_SYMBOLS) || !id.isSymbol()) && !props.append(id)) { return false; } } while ((++spec)->name); } // Break if we have reached the end of pref. if (!(++pref)->specs) { break; } // Advance infos if the previous pref is disabled. The -1 is required // because there is an end-of-list terminator between pref->specs and // (pref - 1)->specs. if (!prefIsEnabled) { infos += pref->specs - (pref - 1)->specs - 1; } } while (1); return true; } template <> bool XrayAppendPropertyKeys( JSContext* cx, JS::Handle obj, const Prefable* pref, const PropertyInfo* infos, unsigned flags, JS::MutableHandleVector props) { do { bool prefIsEnabled = pref->isEnabled(cx, obj); if (prefIsEnabled) { const ConstantSpec* spec = pref->specs; do { if (!props.append(infos++->Id())) { return false; } } while ((++spec)->name); } // Break if we have reached the end of pref. if (!(++pref)->specs) { break; } // Advance infos if the previous pref is disabled. The -1 is required // because there is an end-of-list terminator between pref->specs and // (pref - 1)->specs. if (!prefIsEnabled) { infos += pref->specs - (pref - 1)->specs - 1; } } while (1); return true; } #define ADD_KEYS_IF_DEFINED(FieldName) \ { \ if (nativeProperties->Has##FieldName##s() && \ !XrayAppendPropertyKeys(cx, obj, nativeProperties->FieldName##s(), \ nativeProperties->FieldName##PropertyInfos(), \ flags, props)) { \ return false; \ } \ } bool XrayOwnPropertyKeys(JSContext* cx, JS::Handle wrapper, JS::Handle obj, unsigned flags, JS::MutableHandleVector props, DOMObjectType type, const NativeProperties* nativeProperties) { MOZ_ASSERT(type != eNamedPropertiesObject); if (IsInstance(type)) { ADD_KEYS_IF_DEFINED(UnforgeableMethod); ADD_KEYS_IF_DEFINED(UnforgeableAttribute); if (type == eGlobalInstance) { ADD_KEYS_IF_DEFINED(Method); ADD_KEYS_IF_DEFINED(Attribute); } } else { MOZ_ASSERT(type != eGlobalInterfacePrototype); if (type == eInterface || type == eNamespace) { ADD_KEYS_IF_DEFINED(StaticMethod); ADD_KEYS_IF_DEFINED(StaticAttribute); } else { MOZ_ASSERT(type == eInterfacePrototype); ADD_KEYS_IF_DEFINED(Method); ADD_KEYS_IF_DEFINED(Attribute); } ADD_KEYS_IF_DEFINED(Constant); } return true; } #undef ADD_KEYS_IF_DEFINED bool XrayOwnNativePropertyKeys(JSContext* cx, JS::Handle wrapper, const NativePropertyHooks* nativePropertyHooks, DOMObjectType type, JS::Handle obj, unsigned flags, JS::MutableHandleVector props) { MOZ_ASSERT(type != eNamedPropertiesObject); if (type == eInterface && nativePropertyHooks->mPrototypeID != prototypes::id::_ID_Count && !AddStringToIDVector(cx, props, "prototype")) { return false; } if (IsInterfacePrototype(type) && nativePropertyHooks->mConstructorID != constructors::id::_ID_Count && (flags & JSITER_HIDDEN) && !AddStringToIDVector(cx, props, "constructor")) { return false; } const NativePropertiesHolder& nativeProperties = nativePropertyHooks->mNativeProperties; if (!InitPropertyInfos(cx, nativeProperties)) { return false; } if (nativeProperties.regular && !XrayOwnPropertyKeys(cx, wrapper, obj, flags, props, type, nativeProperties.regular)) { return false; } if (nativeProperties.chromeOnly && xpc::AccessCheck::isChrome(JS::GetCompartment(wrapper)) && !XrayOwnPropertyKeys(cx, wrapper, obj, flags, props, type, nativeProperties.chromeOnly)) { return false; } return true; } bool XrayOwnPropertyKeys(JSContext* cx, JS::Handle wrapper, JS::Handle obj, unsigned flags, JS::MutableHandleVector props) { DOMObjectType type; const NativePropertyHooks* nativePropertyHooks = GetNativePropertyHooks(cx, obj, type); EnumerateOwnProperties enumerateOwnProperties = nativePropertyHooks->mIndexedOrNamedNativeProperties ? nativePropertyHooks->mIndexedOrNamedNativeProperties ->mEnumerateOwnProperties : nullptr; if (type == eNamedPropertiesObject) { MOZ_ASSERT(!enumerateOwnProperties, "Shouldn't have any Xray-visible properties"); return true; } if (IsInstance(type)) { // FIXME https://bugzilla.mozilla.org/show_bug.cgi?id=1071189 // Should do something about XBL properties too. if (enumerateOwnProperties && !enumerateOwnProperties(cx, wrapper, obj, props)) { return false; } } return type == eGlobalInterfacePrototype || XrayOwnNativePropertyKeys(cx, wrapper, nativePropertyHooks, type, obj, flags, props); } const JSClass* XrayGetExpandoClass(JSContext* cx, JS::Handle obj) { DOMObjectType type; const NativePropertyHooks* nativePropertyHooks = GetNativePropertyHooks(cx, obj, type); if (!IsInstance(type)) { // Non-instances don't need any special expando classes. return &DefaultXrayExpandoObjectClass; } return nativePropertyHooks->mXrayExpandoClass; } bool XrayDeleteNamedProperty(JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, JS::ObjectOpResult& opresult) { DOMObjectType type; const NativePropertyHooks* nativePropertyHooks = GetNativePropertyHooks(cx, obj, type); if (!IsInstance(type) || !nativePropertyHooks->mIndexedOrNamedNativeProperties || !nativePropertyHooks->mIndexedOrNamedNativeProperties ->mDeleteNamedProperty) { return opresult.succeed(); } return nativePropertyHooks->mIndexedOrNamedNativeProperties ->mDeleteNamedProperty(cx, wrapper, obj, id, opresult); } namespace binding_detail { bool ResolveOwnProperty(JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::Handle id, JS::MutableHandle> desc) { return js::GetProxyHandler(obj)->getOwnPropertyDescriptor(cx, wrapper, id, desc); } bool EnumerateOwnProperties(JSContext* cx, JS::Handle wrapper, JS::Handle obj, JS::MutableHandleVector props) { return js::GetProxyHandler(obj)->ownPropertyKeys(cx, wrapper, props); } } // namespace binding_detail JSObject* GetCachedSlotStorageObjectSlow(JSContext* cx, JS::Handle obj, bool* isXray) { if (!xpc::WrapperFactory::IsXrayWrapper(obj)) { JSObject* retval = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false); MOZ_ASSERT(IsDOMObject(retval)); *isXray = false; return retval; } *isXray = true; return xpc::EnsureXrayExpandoObject(cx, obj); } DEFINE_XRAY_EXPANDO_CLASS(, DefaultXrayExpandoObjectClass, 0); bool sEmptyNativePropertiesInited = true; NativePropertyHooks sEmptyNativePropertyHooks = { nullptr, {nullptr, nullptr, &sEmptyNativePropertiesInited}, prototypes::id::_ID_Count, constructors::id::_ID_Count, nullptr}; bool GetPropertyOnPrototype(JSContext* cx, JS::Handle proxy, JS::Handle receiver, JS::Handle id, bool* found, JS::MutableHandle vp) { JS::Rooted proto(cx); if (!js::GetObjectProto(cx, proxy, &proto)) { return false; } if (!proto) { *found = false; return true; } if (!JS_HasPropertyById(cx, proto, id, found)) { return false; } if (!*found) { return true; } return JS_ForwardGetPropertyTo(cx, proto, id, receiver, vp); } bool HasPropertyOnPrototype(JSContext* cx, JS::Handle proxy, JS::Handle id, bool* has) { JS::Rooted proto(cx); if (!js::GetObjectProto(cx, proxy, &proto)) { return false; } if (!proto) { *has = false; return true; } return JS_HasPropertyById(cx, proto, id, has); } bool AppendNamedPropertyIds(JSContext* cx, JS::Handle proxy, nsTArray& names, bool shadowPrototypeProperties, JS::MutableHandleVector props) { for (uint32_t i = 0; i < names.Length(); ++i) { JS::Rooted v(cx); if (!xpc::NonVoidStringToJsval(cx, names[i], &v)) { return false; } JS::Rooted id(cx); if (!JS_ValueToId(cx, v, &id)) { return false; } bool shouldAppend = shadowPrototypeProperties; if (!shouldAppend) { bool has; if (!HasPropertyOnPrototype(cx, proxy, id, &has)) { return false; } shouldAppend = !has; } if (shouldAppend) { if (!props.append(id)) { return false; } } } return true; } bool DictionaryBase::ParseJSON(JSContext* aCx, const nsAString& aJSON, JS::MutableHandle aVal) { if (aJSON.IsEmpty()) { return true; } return JS_ParseJSON(aCx, aJSON.BeginReading(), aJSON.Length(), aVal); } bool DictionaryBase::StringifyToJSON(JSContext* aCx, JS::Handle aObj, nsAString& aJSON) const { return JS::ToJSONMaybeSafely(aCx, aObj, AppendJSONToString, &aJSON); } /* static */ bool DictionaryBase::AppendJSONToString(const char16_t* aJSONData, uint32_t aDataLength, void* aString) { nsAString* string = static_cast(aString); string->Append(aJSONData, aDataLength); return true; } void UpdateReflectorGlobal(JSContext* aCx, JS::Handle aObjArg, ErrorResult& aError) { js::AssertSameCompartment(aCx, aObjArg); aError.MightThrowJSException(); // Check if we're anywhere near the stack limit before we reach the // transplanting code, since it has no good way to handle errors. This uses // the untrusted script limit, which is not strictly necessary since no // actual script should run. js::AutoCheckRecursionLimit recursion(aCx); if (!recursion.checkConservative(aCx)) { aError.StealExceptionFromJSContext(aCx); return; } JS::Rooted aObj(aCx, aObjArg); MOZ_ASSERT(IsDOMObject(aObj)); const DOMJSClass* domClass = GetDOMClass(aObj); JS::Rooted oldGlobal(aCx, JS::GetNonCCWObjectGlobal(aObj)); MOZ_ASSERT(JS_IsGlobalObject(oldGlobal)); JS::Rooted newGlobal(aCx, domClass->mGetAssociatedGlobal(aCx, aObj)); MOZ_ASSERT(JS_IsGlobalObject(newGlobal)); JSAutoRealm oldAr(aCx, oldGlobal); if (oldGlobal == newGlobal) { return; } nsISupports* native = UnwrapDOMObjectToISupports(aObj); if (!native) { return; } bool isProxy = js::IsProxy(aObj); JS::Rooted expandoObject(aCx); if (isProxy) { expandoObject = DOMProxyHandler::GetAndClearExpandoObject(aObj); } JSAutoRealm newAr(aCx, newGlobal); // First we clone the reflector. We get a copy of its properties and clone its // expando chain. JS::Handle proto = (domClass->mGetProto)(aCx); if (!proto) { aError.StealExceptionFromJSContext(aCx); return; } JS::Rooted newobj(aCx, JS_CloneObject(aCx, aObj, proto)); if (!newobj) { aError.StealExceptionFromJSContext(aCx); return; } // Assert it's possible to create wrappers when |aObj| and |newobj| are in // different compartments. MOZ_ASSERT_IF(JS::GetCompartment(aObj) != JS::GetCompartment(newobj), js::AllowNewWrapper(JS::GetCompartment(aObj), newobj)); JS::Rooted propertyHolder(aCx); JS::Rooted copyFrom(aCx, isProxy ? expandoObject : aObj); if (copyFrom) { propertyHolder = JS_NewObjectWithGivenProto(aCx, nullptr, nullptr); if (!propertyHolder) { aError.StealExceptionFromJSContext(aCx); return; } if (!JS_CopyOwnPropertiesAndPrivateFields(aCx, propertyHolder, copyFrom)) { aError.StealExceptionFromJSContext(aCx); return; } } else { propertyHolder = nullptr; } // We've set up |newobj|, so we make it own the native by setting its reserved // slot and nulling out the reserved slot of |obj|. Update the wrapper cache // to keep everything consistent in case GC moves newobj. // // NB: It's important to do this _after_ copying the properties to // propertyHolder. Otherwise, an object with |foo.x === foo| will // crash when JS_CopyOwnPropertiesAndPrivateFields tries to call wrap() on // foo.x. JS::SetReservedSlot(newobj, DOM_OBJECT_SLOT, JS::GetReservedSlot(aObj, DOM_OBJECT_SLOT)); JS::SetReservedSlot(aObj, DOM_OBJECT_SLOT, JS::PrivateValue(nullptr)); nsWrapperCache* cache = nullptr; CallQueryInterface(native, &cache); cache->UpdateWrapperForNewGlobal(native, newobj); aObj = xpc::TransplantObjectRetainingXrayExpandos(aCx, aObj, newobj); if (!aObj) { MOZ_CRASH(); } // Update the wrapper cache again if transplanting didn't use newobj but // returned some other object. if (aObj != newobj) { MOZ_ASSERT(UnwrapDOMObjectToISupports(aObj) == native); cache->UpdateWrapperForNewGlobal(native, aObj); } if (propertyHolder) { JS::Rooted copyTo(aCx); if (isProxy) { copyTo = DOMProxyHandler::EnsureExpandoObject(aCx, aObj); } else { copyTo = aObj; } if (!copyTo || !JS_CopyOwnPropertiesAndPrivateFields(aCx, copyTo, propertyHolder)) { MOZ_CRASH(); } } } GlobalObject::GlobalObject(JSContext* aCx, JSObject* aObject) : mGlobalJSObject(aCx), mCx(aCx), mGlobalObject(nullptr) { MOZ_ASSERT(mCx); JS::Rooted obj(aCx, aObject); if (js::IsWrapper(obj)) { // aCx correctly represents the current global here. obj = js::CheckedUnwrapDynamic(obj, aCx, /* stopAtWindowProxy = */ false); if (!obj) { // We should never end up here on a worker thread, since there shouldn't // be any security wrappers to worry about. if (!MOZ_LIKELY(NS_IsMainThread())) { MOZ_CRASH(); } Throw(aCx, NS_ERROR_XPC_SECURITY_MANAGER_VETO); return; } } mGlobalJSObject = JS::GetNonCCWObjectGlobal(obj); } nsISupports* GlobalObject::GetAsSupports() const { if (mGlobalObject) { return mGlobalObject; } MOZ_ASSERT(!js::IsWrapper(mGlobalJSObject)); // Most of our globals are DOM objects. Try that first. Note that this // assumes that either the first nsISupports in the object is the canonical // one or that we don't care about the canonical nsISupports here. mGlobalObject = UnwrapDOMObjectToISupports(mGlobalJSObject); if (mGlobalObject) { return mGlobalObject; } MOZ_ASSERT(NS_IsMainThread(), "All our worker globals are DOM objects"); // Remove everything below here once all our global objects are using new // bindings. If that ever happens; it would need to include Sandbox and // BackstagePass. // See whether mGlobalJSObject is an XPCWrappedNative. This will redo the // IsWrapper bit above and the UnwrapDOMObjectToISupports in the case when // we're not actually an XPCWrappedNative, but this should be a rare-ish case // anyway. // // It's OK to use ReflectorToISupportsStatic, because we know we don't have a // cross-compartment wrapper. nsCOMPtr supp = xpc::ReflectorToISupportsStatic(mGlobalJSObject); if (supp) { // See documentation for mGlobalJSObject for why this assignment is OK. mGlobalObject = supp; return mGlobalObject; } // And now a final hack. Sandbox is not a reflector, but it does have an // nsIGlobalObject hanging out in its private slot. Handle that case here, // (though again, this will do the useless UnwrapDOMObjectToISupports if we // got here for something that is somehow not a DOM object, not an // XPCWrappedNative _and_ not a Sandbox). if (XPCConvert::GetISupportsFromJSObject(mGlobalJSObject, &mGlobalObject)) { return mGlobalObject; } MOZ_ASSERT(!mGlobalObject); Throw(mCx, NS_ERROR_XPC_BAD_CONVERT_JS); return nullptr; } nsIPrincipal* GlobalObject::GetSubjectPrincipal() const { if (!NS_IsMainThread()) { return nullptr; } JS::Realm* realm = js::GetContextRealm(mCx); MOZ_ASSERT(realm); JSPrincipals* principals = JS::GetRealmPrincipals(realm); return nsJSPrincipals::get(principals); } CallerType GlobalObject::CallerType() const { return nsContentUtils::ThreadsafeIsSystemCaller(mCx) ? dom::CallerType::System : dom::CallerType::NonSystem; } bool ReportLenientThisUnwrappingFailure(JSContext* cx, JSObject* obj) { JS::Rooted rootedObj(cx, obj); GlobalObject global(cx, rootedObj); if (global.Failed()) { return false; } nsCOMPtr window = do_QueryInterface(global.GetAsSupports()); if (window && window->GetDoc()) { window->GetDoc()->WarnOnceAbout(DeprecatedOperations::eLenientThis); } return true; } bool GetContentGlobalForJSImplementedObject(BindingCallContext& cx, JS::Handle obj, nsIGlobalObject** globalObj) { // Be very careful to not get tricked here. MOZ_ASSERT(NS_IsMainThread()); if (!xpc::AccessCheck::isChrome(JS::GetCompartment(obj))) { MOZ_CRASH("Should have a chrome object here"); } // Look up the content-side object. JS::Rooted domImplVal(cx); if (!JS_GetProperty(cx, obj, "__DOM_IMPL__", &domImplVal)) { return false; } if (!domImplVal.isObject()) { cx.ThrowErrorMessage("Value"); return false; } // Go ahead and get the global from it. GlobalObject will handle // doing unwrapping as needed. GlobalObject global(cx, &domImplVal.toObject()); if (global.Failed()) { return false; } DebugOnly rv = CallQueryInterface(global.GetAsSupports(), globalObj); MOZ_ASSERT(NS_SUCCEEDED(rv)); MOZ_ASSERT(*globalObj); return true; } void ConstructJSImplementation(const char* aContractId, nsIGlobalObject* aGlobal, JS::MutableHandle aObject, ErrorResult& aRv) { MOZ_ASSERT(NS_IsMainThread()); // Make sure to divorce ourselves from the calling JS while creating and // initializing the object, so exceptions from that will get reported // properly, since those are never exceptions that a spec wants to be thrown. { AutoNoJSAPI nojsapi; nsCOMPtr window = do_QueryInterface(aGlobal); if (!window) { aRv.ThrowInvalidStateError("Global is not a Window"); return; } if (!window->IsCurrentInnerWindow()) { aRv.ThrowInvalidStateError("Window no longer active"); return; } // Get the XPCOM component containing the JS implementation. nsresult rv; nsCOMPtr implISupports = do_CreateInstance(aContractId, &rv); if (!implISupports) { nsPrintfCString msg("Failed to get JS implementation for contract \"%s\"", aContractId); NS_WARNING(msg.get()); aRv.Throw(rv); return; } // Initialize the object, if it implements nsIDOMGlobalPropertyInitializer // and our global is a window. nsCOMPtr gpi = do_QueryInterface(implISupports); if (gpi) { JS::Rooted initReturn(RootingCx()); rv = gpi->Init(window, &initReturn); if (NS_FAILED(rv)) { aRv.Throw(rv); return; } // With JS-implemented WebIDL, the return value of init() is not used to // determine if init() failed, so init() should only return undefined. Any // kind of permission or pref checking must happen by adding an attribute // to the WebIDL interface. if (!initReturn.isUndefined()) { MOZ_ASSERT(false, "The init() method for JS-implemented WebIDL should not " "return anything"); MOZ_CRASH(); } } // Extract the JS implementation from the XPCOM object. nsCOMPtr implWrapped = do_QueryInterface(implISupports, &rv); MOZ_ASSERT(implWrapped, "Failed to get wrapped JS from XPCOM component."); if (!implWrapped) { aRv.Throw(rv); return; } aObject.set(implWrapped->GetJSObject()); if (!aObject) { aRv.Throw(NS_ERROR_FAILURE); } } } bool NormalizeUSVString(nsAString& aString) { return EnsureUTF16Validity(aString); } bool NormalizeUSVString(binding_detail::FakeString& aString) { uint32_t upTo = Utf16ValidUpTo(aString); uint32_t len = aString.Length(); if (upTo == len) { return true; } // This is the part that's different from EnsureUTF16Validity with an // nsAString& argument, because we don't want to ensure mutability in our // BeginWriting() in the common case and nsAString's EnsureMutable is not // public. This is a little annoying; I wish we could just share the more or // less identical code! if (!aString.EnsureMutable()) { return false; } char16_t* ptr = aString.BeginWriting(); auto span = Span(ptr, len); span[upTo] = 0xFFFD; EnsureUtf16ValiditySpan(span.From(upTo + 1)); return true; } bool ConvertJSValueToByteString(BindingCallContext& cx, JS::Handle v, bool nullable, const char* sourceDescription, nsACString& result) { JS::Rooted s(cx); if (v.isString()) { s = v.toString(); size_t length = JS::GetStringLength(s); if (XPCStringConvert::MaybeAssignLatin1StringChars(s, length, result)) { return true; } } else { if (nullable && v.isNullOrUndefined()) { result.SetIsVoid(true); return true; } s = JS::ToString(cx, v); if (!s) { return false; } } // Conversion from Javascript string to ByteString is only valid if all // characters < 256. This is always the case for Latin1 strings. size_t length; if (!JS::StringHasLatin1Chars(s)) { // ThrowErrorMessage can GC, so we first scan the string for bad chars // and report the error outside the AutoCheckCannotGC scope. bool foundBadChar = false; size_t badCharIndex; char16_t badChar; { JS::AutoCheckCannotGC nogc; const char16_t* chars = JS_GetTwoByteStringCharsAndLength(cx, nogc, s, &length); if (!chars) { return false; } for (size_t i = 0; i < length; i++) { if (chars[i] > 255) { badCharIndex = i; badChar = chars[i]; foundBadChar = true; break; } } } if (foundBadChar) { MOZ_ASSERT(badCharIndex < length); MOZ_ASSERT(badChar > 255); // The largest unsigned 64 bit number (18,446,744,073,709,551,615) has // 20 digits, plus one more for the null terminator. char index[21]; static_assert(sizeof(size_t) <= 8, "index array too small"); SprintfLiteral(index, "%zu", badCharIndex); // A char16_t is 16 bits long. The biggest unsigned 16 bit // number (65,535) has 5 digits, plus one more for the null // terminator. char badCharArray[6]; static_assert(sizeof(char16_t) <= 2, "badCharArray too small"); SprintfLiteral(badCharArray, "%d", badChar); cx.ThrowErrorMessage(sourceDescription, index, badCharArray); return false; } } else { length = JS::GetStringLength(s); } static_assert(JS::MaxStringLength < UINT32_MAX, "length+1 shouldn't overflow"); if (!result.SetLength(length, fallible)) { return false; } if (!JS_EncodeStringToBuffer(cx, s, result.BeginWriting(), length)) { return false; } return true; } void FinalizeGlobal(JS::GCContext* aGcx, JSObject* aObj) { MOZ_ASSERT(JS::GetClass(aObj)->flags & JSCLASS_DOM_GLOBAL); mozilla::dom::DestroyProtoAndIfaceCache(aObj); } bool ResolveGlobal(JSContext* aCx, JS::Handle aObj, JS::Handle aId, bool* aResolvedp) { MOZ_ASSERT(JS_IsGlobalObject(aObj), "Should have a global here, since we plan to resolve standard " "classes!"); return JS_ResolveStandardClass(aCx, aObj, aId, aResolvedp); } bool MayResolveGlobal(const JSAtomState& aNames, jsid aId, JSObject* aMaybeObj) { return JS_MayResolveStandardClass(aNames, aId, aMaybeObj); } bool EnumerateGlobal(JSContext* aCx, JS::Handle aObj, JS::MutableHandleVector aProperties, bool aEnumerableOnly) { MOZ_ASSERT(JS_IsGlobalObject(aObj), "Should have a global here, since we plan to enumerate standard " "classes!"); return JS_NewEnumerateStandardClasses(aCx, aObj, aProperties, aEnumerableOnly); } bool IsGlobalInExposureSet(JSContext* aCx, JSObject* aGlobal, uint32_t aGlobalSet) { MOZ_ASSERT(aGlobalSet, "Why did we get called?"); MOZ_ASSERT((aGlobalSet & ~(GlobalNames::Window | GlobalNames::DedicatedWorkerGlobalScope | GlobalNames::SharedWorkerGlobalScope | GlobalNames::ServiceWorkerGlobalScope | GlobalNames::WorkerDebuggerGlobalScope | GlobalNames::AudioWorkletGlobalScope | GlobalNames::PaintWorkletGlobalScope | GlobalNames::ShadowRealmGlobalScope)) == 0, "Unknown global type"); const char* name = JS::GetClass(aGlobal)->name; if ((aGlobalSet & GlobalNames::Window) && (!strcmp(name, "Window") || !strcmp(name, "BackstagePass"))) { return true; } if ((aGlobalSet & GlobalNames::DedicatedWorkerGlobalScope) && !strcmp(name, "DedicatedWorkerGlobalScope")) { return true; } if ((aGlobalSet & GlobalNames::SharedWorkerGlobalScope) && !strcmp(name, "SharedWorkerGlobalScope")) { return true; } if ((aGlobalSet & GlobalNames::ServiceWorkerGlobalScope) && !strcmp(name, "ServiceWorkerGlobalScope")) { return true; } if ((aGlobalSet & GlobalNames::WorkerDebuggerGlobalScope) && !strcmp(name, "WorkerDebuggerGlobalScopex")) { return true; } if ((aGlobalSet & GlobalNames::AudioWorkletGlobalScope) && !strcmp(name, "AudioWorkletGlobalScope")) { return true; } if ((aGlobalSet & GlobalNames::PaintWorkletGlobalScope) && !strcmp(name, "PaintWorkletGlobalScope")) { return true; } if ((aGlobalSet & GlobalNames::ShadowRealmGlobalScope) && !strcmp(name, "ShadowRealmGlobalScope")) { return true; } return false; } namespace binding_detail { /** * A ThisPolicy struct needs to provide the following methods: * * HasValidThisValue: Takes a CallArgs and returns a boolean indicating whether * the thisv() is valid in the sense of being the right type * of Value. It does not check whether it's the right sort * of object if the Value is a JSObject*. * * ExtractThisObject: Takes a CallArgs for which HasValidThisValue was true and * returns the JSObject* to use for getting |this|. * * MaybeUnwrapThisObject: If our |this| is a JSObject* that this policy wants to * allow unchecked access to for this * getter/setter/method, unwrap it. Otherwise just * return the given object. * * UnwrapThisObject: Takes a MutableHandle for a JSObject which contains the * this object (which the caller probably got from * MaybeUnwrapThisObject). It will try to get the right native * out of aObj. In some cases there are 2 possible types for * the native (which is why aSelf is a reference to a void*). * The ThisPolicy user should use the this JSObject* to * determine what C++ class aSelf contains. aObj is used to * keep the reflector object alive while self is being used, * so its value before and after the UnwrapThisObject call * could be different (if aObj was wrapped). The return value * is an nsresult, which will signal if an error occurred. * * This is passed a JSContext for dynamic unwrapping purposes, * but should not throw exceptions on that JSContext. * * HandleInvalidThis: If the |this| is not valid (wrong type of value, wrong * object, etc), decide what to do about it. Returns a * boolean to return from the JSNative (false for failure, * true for succcess). */ struct NormalThisPolicy { // This needs to be inlined because it's called on no-exceptions fast-paths. static MOZ_ALWAYS_INLINE bool HasValidThisValue(const JS::CallArgs& aArgs) { // Per WebIDL spec, all getters/setters/methods allow null/undefined "this" // and coerce it to the global. Then the "is this the right interface?" // check fails if the interface involved is not one that the global // implements. // // As an optimization, we skip doing the null/undefined stuff if we know our // interface is not implemented by the global. return aArgs.thisv().isObject(); } static MOZ_ALWAYS_INLINE JSObject* ExtractThisObject( const JS::CallArgs& aArgs) { return &aArgs.thisv().toObject(); } static MOZ_ALWAYS_INLINE JSObject* MaybeUnwrapThisObject(JSObject* aObj) { return aObj; } static MOZ_ALWAYS_INLINE nsresult UnwrapThisObject( JS::MutableHandle aObj, JSContext* aCx, void*& aSelf, prototypes::ID aProtoID, uint32_t aProtoDepth) { binding_detail::MutableObjectHandleWrapper wrapper(aObj); return binding_detail::UnwrapObjectInternal( wrapper, aSelf, aProtoID, aProtoDepth, aCx); } static bool HandleInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs, bool aSecurityError, prototypes::ID aProtoId) { return ThrowInvalidThis(aCx, aArgs, aSecurityError, aProtoId); } }; struct MaybeGlobalThisPolicy : public NormalThisPolicy { static MOZ_ALWAYS_INLINE bool HasValidThisValue(const JS::CallArgs& aArgs) { // Here we have to allow null/undefined. return aArgs.thisv().isObject() || aArgs.thisv().isNullOrUndefined(); } static MOZ_ALWAYS_INLINE JSObject* ExtractThisObject( const JS::CallArgs& aArgs) { return aArgs.thisv().isObject() ? &aArgs.thisv().toObject() : JS::GetNonCCWObjectGlobal(&aArgs.callee()); } // We want the MaybeUnwrapThisObject of NormalThisPolicy. // We want the HandleInvalidThis of NormalThisPolicy. }; // Shared LenientThis behavior for our two different LenientThis policies. struct LenientThisPolicyMixin { static bool HandleInvalidThis(JSContext* aCx, const JS::CallArgs& aArgs, bool aSecurityError, prototypes::ID aProtoId) { if (aSecurityError) { return NormalThisPolicy::HandleInvalidThis(aCx, aArgs, aSecurityError, aProtoId); } MOZ_ASSERT(!JS_IsExceptionPending(aCx)); if (!ReportLenientThisUnwrappingFailure(aCx, &aArgs.callee())) { return false; } aArgs.rval().set(JS::UndefinedValue()); return true; } }; // There are some LenientThis things on globals, so we inherit from // MaybeGlobalThisPolicy. struct LenientThisPolicy : public MaybeGlobalThisPolicy, public LenientThisPolicyMixin { // We want the HasValidThisValue of MaybeGlobalThisPolicy. // We want the ExtractThisObject of MaybeGlobalThisPolicy. // We want the MaybeUnwrapThisObject of MaybeGlobalThisPolicy. // We want HandleInvalidThis from LenientThisPolicyMixin using LenientThisPolicyMixin::HandleInvalidThis; }; // There are some cross-origin things on globals, so we inherit from // MaybeGlobalThisPolicy. struct CrossOriginThisPolicy : public MaybeGlobalThisPolicy { // We want the HasValidThisValue of MaybeGlobalThisPolicy. // We want the ExtractThisObject of MaybeGlobalThisPolicy. static MOZ_ALWAYS_INLINE JSObject* MaybeUnwrapThisObject(JSObject* aObj) { if (xpc::WrapperFactory::IsCrossOriginWrapper(aObj)) { return js::UncheckedUnwrap(aObj); } // Else just return aObj; our UnwrapThisObject call will try to // CheckedUnwrap it, and either succeed or get a security error as needed. return aObj; } // After calling UnwrapThisObject aSelf can contain one of 2 types, depending // on whether aObj is a proxy with a RemoteObjectProxy handler or a (maybe // wrapped) normal WebIDL reflector. The generated binding code relies on this // and uses IsRemoteObjectProxy to determine what type aSelf points to. static MOZ_ALWAYS_INLINE nsresult UnwrapThisObject( JS::MutableHandle aObj, JSContext* aCx, void*& aSelf, prototypes::ID aProtoID, uint32_t aProtoDepth) { binding_detail::MutableObjectHandleWrapper wrapper(aObj); // We need to pass false here, because if aObj doesn't have a DOMJSClass // it might be a remote proxy object, and we don't want to throw in that // case (even though unwrapping would fail). nsresult rv = binding_detail::UnwrapObjectInternal( wrapper, aSelf, aProtoID, aProtoDepth, nullptr); if (NS_SUCCEEDED(rv)) { return rv; } if (js::IsWrapper(wrapper)) { // We want CheckedUnwrapDynamic here: aCx represents the Realm we are in // right now, so we want to check whether that Realm should be able to // access the object. And this object can definitely be a WindowProxy, so // we need he dynamic check. JSObject* unwrappedObj = js::CheckedUnwrapDynamic( wrapper, aCx, /* stopAtWindowProxy = */ false); if (!unwrappedObj) { return NS_ERROR_XPC_SECURITY_MANAGER_VETO; } // At this point we want to keep "unwrappedObj" alive, because we don't // hold a strong reference in "aSelf". wrapper = unwrappedObj; return binding_detail::UnwrapObjectInternal( wrapper, aSelf, aProtoID, aProtoDepth, nullptr); } if (!IsRemoteObjectProxy(wrapper, aProtoID)) { return NS_ERROR_XPC_BAD_CONVERT_JS; } aSelf = RemoteObjectProxyBase::GetNative(wrapper); return NS_OK; } // We want the HandleInvalidThis of MaybeGlobalThisPolicy. }; // Some objects that can be cross-origin objects are globals, so we inherit // from MaybeGlobalThisPolicy. struct MaybeCrossOriginObjectThisPolicy : public MaybeGlobalThisPolicy { // We want the HasValidThisValue of MaybeGlobalThisPolicy. // We want the ExtractThisObject of MaybeGlobalThisPolicy. // We want the MaybeUnwrapThisObject of MaybeGlobalThisPolicy static MOZ_ALWAYS_INLINE nsresult UnwrapThisObject( JS::MutableHandle aObj, JSContext* aCx, void*& aSelf, prototypes::ID aProtoID, uint32_t aProtoDepth) { // There are two cases at this point: either aObj is a cross-compartment // wrapper (CCW) or it's not. If it is, we don't need to do anything // special compared to MaybeGlobalThisPolicy: the CCW will do the relevant // security checks. Which is good, because if we tried to do the // cross-origin object check _before_ unwrapping it would always come back // as "same-origin" and if we tried to do it after unwrapping it would be // completely wrong: the checks rely on the two sides of the comparison // being symmetric (can access each other or cannot access each other), but // if we have a CCW we could have an Xray, which is asymmetric. And then // we'd think we should deny access, whereas we should actually allow // access. // // If we do _not_ have a CCW here, then we need to check whether it's a // cross-origin-accessible object, and if it is check whether it's // same-origin-domain with our current callee. if (!js::IsCrossCompartmentWrapper(aObj) && xpc::IsCrossOriginAccessibleObject(aObj) && !MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(aCx, aObj)) { return NS_ERROR_XPC_SECURITY_MANAGER_VETO; } return MaybeGlobalThisPolicy::UnwrapThisObject(aObj, aCx, aSelf, aProtoID, aProtoDepth); } // We want the HandleInvalidThis of MaybeGlobalThisPolicy. }; // And in some cases we are dealing with a maybe-cross-origin object _and_ need // [LenientThis] behavior. struct MaybeCrossOriginObjectLenientThisPolicy : public MaybeCrossOriginObjectThisPolicy, public LenientThisPolicyMixin { // We want to get all of our behavior from // MaybeCrossOriginObjectLenientThisPolicy, except for HandleInvalidThis, // which should come from LenientThisPolicyMixin. using LenientThisPolicyMixin::HandleInvalidThis; }; /** * An ExceptionPolicy struct provides a single HandleException method which is * used to handle an exception, if any. The method is given the current * success/failure boolean so it can decide whether there is in fact an * exception involved. */ struct ThrowExceptions { // This needs to be inlined because it's called even on no-exceptions // fast-paths. static MOZ_ALWAYS_INLINE bool HandleException(JSContext* aCx, JS::CallArgs& aArgs, const JSJitInfo* aInfo, bool aOK) { return aOK; } }; struct ConvertExceptionsToPromises { // This needs to be inlined because it's called even on no-exceptions // fast-paths. static MOZ_ALWAYS_INLINE bool HandleException(JSContext* aCx, JS::CallArgs& aArgs, const JSJitInfo* aInfo, bool aOK) { // Promise-returning getters/methods always return objects. MOZ_ASSERT(aInfo->returnType() == JSVAL_TYPE_OBJECT); if (aOK) { return true; } return ConvertExceptionToPromise(aCx, aArgs.rval()); } }; template bool GenericGetter(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); const JSJitInfo* info = FUNCTION_VALUE_TO_JITINFO(args.calleev()); prototypes::ID protoID = static_cast(info->protoID); if (!ThisPolicy::HasValidThisValue(args)) { bool ok = ThisPolicy::HandleInvalidThis(cx, args, false, protoID); return ExceptionPolicy::HandleException(cx, args, info, ok); } JS::Rooted obj(cx, ThisPolicy::ExtractThisObject(args)); // NOTE: we want to leave obj in its initial compartment, so don't want to // pass it to UnwrapObjectInternal. Also, the thing we pass to // UnwrapObjectInternal may be affected by our ThisPolicy. JS::Rooted rootSelf(cx, ThisPolicy::MaybeUnwrapThisObject(obj)); void* self; { nsresult rv = ThisPolicy::UnwrapThisObject(&rootSelf, cx, self, protoID, info->depth); if (NS_FAILED(rv)) { bool ok = ThisPolicy::HandleInvalidThis( cx, args, rv == NS_ERROR_XPC_SECURITY_MANAGER_VETO, protoID); return ExceptionPolicy::HandleException(cx, args, info, ok); } } MOZ_ASSERT(info->type() == JSJitInfo::Getter); JSJitGetterOp getter = info->getter; bool ok = getter(cx, obj, self, JSJitGetterCallArgs(args)); #ifdef DEBUG if (ok) { AssertReturnTypeMatchesJitinfo(info, args.rval()); } #endif return ExceptionPolicy::HandleException(cx, args, info, ok); } // Force instantiation of the specializations of GenericGetter we need here. template bool GenericGetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericGetter( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericGetter( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericGetter( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericGetter(JSContext* cx, unsigned argc, JS::Value* vp); // There aren't any [LenientThis] Promise-returning getters, so don't // bother instantiating that specialization. template bool GenericGetter( JSContext* cx, unsigned argc, JS::Value* vp); // There aren't any cross-origin Promise-returning getters, so don't // bother instantiating that specialization. template bool GenericGetter( JSContext* cx, unsigned argc, JS::Value* vp); // There aren't any maybe-cross-origin-object Promise-returning getters, so // don't bother instantiating that specialization. template bool GenericGetter(JSContext* cx, unsigned argc, JS::Value* vp); // There aren't any maybe-cross-origin-object Promise-returning lenient-this // getters, so don't bother instantiating that specialization. template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); const JSJitInfo* info = FUNCTION_VALUE_TO_JITINFO(args.calleev()); prototypes::ID protoID = static_cast(info->protoID); if (!ThisPolicy::HasValidThisValue(args)) { return ThisPolicy::HandleInvalidThis(cx, args, false, protoID); } JS::Rooted obj(cx, ThisPolicy::ExtractThisObject(args)); // NOTE: we want to leave obj in its initial compartment, so don't want to // pass it to UnwrapObject. Also the thing we pass to UnwrapObjectInternal // may be affected by our ThisPolicy. JS::Rooted rootSelf(cx, ThisPolicy::MaybeUnwrapThisObject(obj)); void* self; { nsresult rv = ThisPolicy::UnwrapThisObject(&rootSelf, cx, self, protoID, info->depth); if (NS_FAILED(rv)) { return ThisPolicy::HandleInvalidThis( cx, args, rv == NS_ERROR_XPC_SECURITY_MANAGER_VETO, protoID); } } if (args.length() == 0) { return ThrowNoSetterArg(cx, args, protoID); } MOZ_ASSERT(info->type() == JSJitInfo::Setter); JSJitSetterOp setter = info->setter; if (!setter(cx, obj, self, JSJitSetterCallArgs(args))) { return false; } args.rval().setUndefined(); #ifdef DEBUG AssertReturnTypeMatchesJitinfo(info, args.rval()); #endif return true; } // Force instantiation of the specializations of GenericSetter we need here. template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericSetter(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericSetter( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); const JSJitInfo* info = FUNCTION_VALUE_TO_JITINFO(args.calleev()); prototypes::ID protoID = static_cast(info->protoID); if (!ThisPolicy::HasValidThisValue(args)) { bool ok = ThisPolicy::HandleInvalidThis(cx, args, false, protoID); return ExceptionPolicy::HandleException(cx, args, info, ok); } JS::Rooted obj(cx, ThisPolicy::ExtractThisObject(args)); // NOTE: we want to leave obj in its initial compartment, so don't want to // pass it to UnwrapObjectInternal. Also, the thing we pass to // UnwrapObjectInternal may be affected by our ThisPolicy. JS::Rooted rootSelf(cx, ThisPolicy::MaybeUnwrapThisObject(obj)); void* self; { nsresult rv = ThisPolicy::UnwrapThisObject(&rootSelf, cx, self, protoID, info->depth); if (NS_FAILED(rv)) { bool ok = ThisPolicy::HandleInvalidThis( cx, args, rv == NS_ERROR_XPC_SECURITY_MANAGER_VETO, protoID); return ExceptionPolicy::HandleException(cx, args, info, ok); } } MOZ_ASSERT(info->type() == JSJitInfo::Method); JSJitMethodOp method = info->method; bool ok = method(cx, obj, self, JSJitMethodCallArgs(args)); #ifdef DEBUG if (ok) { AssertReturnTypeMatchesJitinfo(info, args.rval()); } #endif return ExceptionPolicy::HandleException(cx, args, info, ok); } // Force instantiation of the specializations of GenericMethod we need here. template bool GenericMethod(JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod( JSContext* cx, unsigned argc, JS::Value* vp); // There aren't any cross-origin Promise-returning methods, so don't // bother instantiating that specialization. template bool GenericMethod( JSContext* cx, unsigned argc, JS::Value* vp); template bool GenericMethod(JSContext* cx, unsigned argc, JS::Value* vp); } // namespace binding_detail bool StaticMethodPromiseWrapper(JSContext* cx, unsigned argc, JS::Value* vp) { JS::CallArgs args = JS::CallArgsFromVp(argc, vp); const JSJitInfo* info = FUNCTION_VALUE_TO_JITINFO(args.calleev()); MOZ_ASSERT(info); MOZ_ASSERT(info->type() == JSJitInfo::StaticMethod); bool ok = info->staticMethod(cx, argc, vp); if (ok) { return true; } return ConvertExceptionToPromise(cx, args.rval()); } bool ConvertExceptionToPromise(JSContext* cx, JS::MutableHandle rval) { JS::Rooted exn(cx); if (!JS_GetPendingException(cx, &exn)) { // This is very important: if there is no pending exception here but we're // ending up in this code, that means the callee threw an uncatchable // exception. Just propagate that out as-is. return false; } JS_ClearPendingException(cx); JSObject* promise = JS::CallOriginalPromiseReject(cx, exn); if (!promise) { // We just give up. Put the exception back. JS_SetPendingException(cx, exn); return false; } rval.setObject(*promise); return true; } /* static */ void CreateGlobalOptionsWithXPConnect::TraceGlobal(JSTracer* aTrc, JSObject* aObj) { xpc::TraceXPCGlobal(aTrc, aObj); } /* static */ bool CreateGlobalOptionsWithXPConnect::PostCreateGlobal( JSContext* aCx, JS::Handle aGlobal) { JSPrincipals* principals = JS::GetRealmPrincipals(js::GetNonCCWObjectRealm(aGlobal)); nsIPrincipal* principal = nsJSPrincipals::get(principals); SiteIdentifier site; nsresult rv = BasePrincipal::Cast(principal)->GetSiteIdentifier(site); NS_ENSURE_SUCCESS(rv, false); xpc::RealmPrivate::Init(aGlobal, site); return true; } uint64_t GetWindowID(void* aGlobal) { return 0; } uint64_t GetWindowID(nsGlobalWindowInner* aGlobal) { return aGlobal->WindowID(); } uint64_t GetWindowID(DedicatedWorkerGlobalScope* aGlobal) { return aGlobal->WindowID(); } #ifdef DEBUG void AssertReturnTypeMatchesJitinfo(const JSJitInfo* aJitInfo, JS::Handle aValue) { switch (aJitInfo->returnType()) { case JSVAL_TYPE_UNKNOWN: // Any value is good. break; case JSVAL_TYPE_DOUBLE: // The value could actually be an int32 value as well. MOZ_ASSERT(aValue.isNumber()); break; case JSVAL_TYPE_INT32: MOZ_ASSERT(aValue.isInt32()); break; case JSVAL_TYPE_UNDEFINED: MOZ_ASSERT(aValue.isUndefined()); break; case JSVAL_TYPE_BOOLEAN: MOZ_ASSERT(aValue.isBoolean()); break; case JSVAL_TYPE_STRING: MOZ_ASSERT(aValue.isString()); break; case JSVAL_TYPE_NULL: MOZ_ASSERT(aValue.isNull()); break; case JSVAL_TYPE_OBJECT: MOZ_ASSERT(aValue.isObject()); break; default: // Someone messed up their jitinfo type. MOZ_ASSERT(false, "Unexpected JSValueType stored in jitinfo"); break; } } #endif bool CallerSubsumes(JSObject* aObject) { // Remote object proxies are not CCWs, so unwrapping them does not get you // their "real" principal, but we want to treat them like cross-origin objects // when considering them as WebIDL arguments, for consistency. if (IsRemoteObjectProxy(aObject)) { return false; } nsIPrincipal* objPrin = nsContentUtils::ObjectPrincipal(js::UncheckedUnwrap(aObject)); return nsContentUtils::SubjectPrincipal()->Subsumes(objPrin); } nsresult UnwrapArgImpl(JSContext* cx, JS::Handle src, const nsIID& iid, void** ppArg) { if (!NS_IsMainThread()) { return NS_ERROR_NOT_AVAILABLE; } // The JSContext represents the "who is unwrapping" realm, so we want to use // it for ReflectorToISupportsDynamic here. nsCOMPtr iface = xpc::ReflectorToISupportsDynamic(src, cx); if (iface) { if (NS_FAILED(iface->QueryInterface(iid, ppArg))) { return NS_ERROR_XPC_BAD_CONVERT_JS; } return NS_OK; } // Only allow XPCWrappedJS stuff in system code. Ideally we would remove this // even there, but that involves converting some things to WebIDL callback // interfaces and making some other things builtinclass... if (!nsContentUtils::IsSystemCaller(cx)) { return NS_ERROR_XPC_BAD_CONVERT_JS; } RefPtr wrappedJS; nsresult rv = nsXPCWrappedJS::GetNewOrUsed(cx, src, iid, getter_AddRefs(wrappedJS)); if (NS_FAILED(rv) || !wrappedJS) { return rv; } // We need to go through the QueryInterface logic to make this return // the right thing for the various 'special' interfaces; e.g. // nsIPropertyBag. We must use AggregatedQueryInterface in cases where // there is an outer to avoid nasty recursion. return wrappedJS->QueryInterface(iid, ppArg); } nsresult UnwrapWindowProxyArg(JSContext* cx, JS::Handle src, WindowProxyHolder& ppArg) { if (IsRemoteObjectProxy(src, prototypes::id::Window)) { ppArg = static_cast(RemoteObjectProxyBase::GetNative(src)); return NS_OK; } nsCOMPtr inner; nsresult rv = UnwrapArg(cx, src, getter_AddRefs(inner)); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr outer = inner->GetOuterWindow(); RefPtr bc = outer ? outer->GetBrowsingContext() : nullptr; ppArg = std::move(bc); return NS_OK; } template static bool GetBackingObject(JSContext* aCx, JS::Handle aObj, size_t aSlotIndex, JS::MutableHandle aBackingObj, bool* aBackingObjCreated, Args... aArgs) { JS::Rooted reflector(aCx); reflector = IsDOMObject(aObj) ? aObj : js::UncheckedUnwrap(aObj, /* stopAtWindowProxy = */ false); // Retrieve the backing object from the reserved slot on the maplike/setlike // object. If it doesn't exist yet, create it. JS::Rooted slotValue(aCx); slotValue = JS::GetReservedSlot(reflector, aSlotIndex); if (slotValue.isUndefined()) { // Since backing object access can happen in non-originating realms, // make sure to create the backing object in reflector realm. { JSAutoRealm ar(aCx, reflector); JS::Rooted newBackingObj(aCx); newBackingObj.set(Method(aCx, aArgs...)); if (NS_WARN_IF(!newBackingObj)) { return false; } JS::SetReservedSlot(reflector, aSlotIndex, JS::ObjectValue(*newBackingObj)); } slotValue = JS::GetReservedSlot(reflector, aSlotIndex); *aBackingObjCreated = true; } else { *aBackingObjCreated = false; } if (!MaybeWrapNonDOMObjectValue(aCx, &slotValue)) { return false; } aBackingObj.set(&slotValue.toObject()); return true; } bool GetMaplikeBackingObject(JSContext* aCx, JS::Handle aObj, size_t aSlotIndex, JS::MutableHandle aBackingObj, bool* aBackingObjCreated) { return GetBackingObject(aCx, aObj, aSlotIndex, aBackingObj, aBackingObjCreated); } bool GetSetlikeBackingObject(JSContext* aCx, JS::Handle aObj, size_t aSlotIndex, JS::MutableHandle aBackingObj, bool* aBackingObjCreated) { return GetBackingObject(aCx, aObj, aSlotIndex, aBackingObj, aBackingObjCreated); } static inline JSObject* NewObservableArrayProxyObject( JSContext* aCx, const ObservableArrayProxyHandler* aHandler, void* aOwner) { JS::Rooted target(aCx, JS::NewArrayObject(aCx, 0)); if (NS_WARN_IF(!target)) { return nullptr; } JS::Rooted targetValue(aCx, JS::ObjectValue(*target)); JS::Rooted proxy( aCx, js::NewProxyObject(aCx, aHandler, targetValue, nullptr)); if (!proxy) { return nullptr; } js::SetProxyReservedSlot(proxy, OBSERVABLE_ARRAY_DOM_INTERFACE_SLOT, JS::PrivateValue(aOwner)); return proxy; } bool GetObservableArrayBackingObject( JSContext* aCx, JS::Handle aObj, size_t aSlotIndex, JS::MutableHandle aBackingObj, bool* aBackingObjCreated, const ObservableArrayProxyHandler* aHandler, void* aOwner) { return GetBackingObject( aCx, aObj, aSlotIndex, aBackingObj, aBackingObjCreated, aHandler, aOwner); } bool ForEachHandler(JSContext* aCx, unsigned aArgc, JS::Value* aVp) { JS::CallArgs args = CallArgsFromVp(aArgc, aVp); // Unpack callback and object from slots JS::Rooted callbackFn( aCx, js::GetFunctionNativeReserved(&args.callee(), FOREACH_CALLBACK_SLOT)); JS::Rooted maplikeOrSetlikeObj( aCx, js::GetFunctionNativeReserved(&args.callee(), FOREACH_MAPLIKEORSETLIKEOBJ_SLOT)); MOZ_ASSERT(aArgc == 3); JS::RootedVector newArgs(aCx); // Arguments are passed in as value, key, object. Keep value and key, replace // object with the maplike/setlike object. if (!newArgs.append(args.get(0))) { return false; } if (!newArgs.append(args.get(1))) { return false; } if (!newArgs.append(maplikeOrSetlikeObj)) { return false; } JS::Rooted rval(aCx, JS::UndefinedValue()); // Now actually call the user specified callback return JS::Call(aCx, args.thisv(), callbackFn, newArgs, &rval); } static inline prototypes::ID GetProtoIdForNewtarget( JS::Handle aNewTarget) { if (IsDOMConstructor(aNewTarget)) { return GetNativePropertyHooksFromJSNative(aNewTarget)->mPrototypeID; } return prototypes::id::_ID_Count; } bool GetDesiredProto(JSContext* aCx, const JS::CallArgs& aCallArgs, prototypes::id::ID aProtoId, CreateInterfaceObjectsMethod aCreator, JS::MutableHandle aDesiredProto) { // This basically implements // https://heycam.github.io/webidl/#internally-create-a-new-object-implementing-the-interface // step 3. MOZ_ASSERT(aCallArgs.isConstructing(), "How did we end up here?"); // The desired prototype depends on the actual constructor that was invoked, // which is passed to us as the newTarget in the callargs. We want to do // something akin to the ES6 specification's GetProtototypeFromConstructor (so // get .prototype on the newTarget, with a fallback to some sort of default). // First, a fast path for the case when the the constructor is in fact one of // our DOM constructors. This is safe because on those the "constructor" // property is non-configurable and non-writable, so we don't have to do the // slow JS_GetProperty call. JS::Rooted newTarget(aCx, &aCallArgs.newTarget().toObject()); MOZ_ASSERT(JS::IsCallable(newTarget)); JS::Rooted originalNewTarget(aCx, newTarget); // See whether we have a known DOM constructor here, such that we can take a // fast path. prototypes::ID protoID = GetProtoIdForNewtarget(newTarget); if (protoID == prototypes::id::_ID_Count) { // We might still have a cross-compartment wrapper for a known DOM // constructor. CheckedUnwrapStatic is fine here, because we're looking for // DOM constructors and those can't be cross-origin objects. newTarget = js::CheckedUnwrapStatic(newTarget); if (newTarget && newTarget != originalNewTarget) { protoID = GetProtoIdForNewtarget(newTarget); } } if (protoID != prototypes::id::_ID_Count) { ProtoAndIfaceCache& protoAndIfaceCache = *GetProtoAndIfaceCache(JS::GetNonCCWObjectGlobal(newTarget)); aDesiredProto.set(protoAndIfaceCache.EntrySlotMustExist(protoID)); if (newTarget != originalNewTarget) { return JS_WrapObject(aCx, aDesiredProto); } return true; } // Slow path. This basically duplicates the ES6 spec's // GetPrototypeFromConstructor except that instead of taking a string naming // the fallback prototype we determine the fallback based on the proto id we // were handed. // // Note that it's very important to do this property get on originalNewTarget, // not our unwrapped newTarget, since we want to get Xray behavior here as // needed. // XXXbz for speed purposes, using a preinterned id here sure would be nice. // We can't use GetJSIDByIndex, because that only works on the main thread, // not workers. JS::Rooted protoVal(aCx); if (!JS_GetProperty(aCx, originalNewTarget, "prototype", &protoVal)) { return false; } if (protoVal.isObject()) { aDesiredProto.set(&protoVal.toObject()); return true; } // Fall back to getting the proto for our given proto id in the realm that // GetFunctionRealm(newTarget) returns. JS::Rooted realm(aCx, JS::GetFunctionRealm(aCx, newTarget)); if (!realm) { return false; } { // JS::GetRealmGlobalOrNull should not be returning null here, because we // have live objects in the Realm. JSAutoRealm ar(aCx, JS::GetRealmGlobalOrNull(realm)); aDesiredProto.set( GetPerInterfaceObjectHandle(aCx, aProtoId, aCreator, true)); if (!aDesiredProto) { return false; } } return MaybeWrapObject(aCx, aDesiredProto); } namespace { class MOZ_RAII AutoConstructionDepth final { public: MOZ_IMPLICIT AutoConstructionDepth(CustomElementDefinition* aDefinition) : mDefinition(aDefinition) { MOZ_ASSERT(mDefinition->mConstructionStack.IsEmpty()); mDefinition->mConstructionDepth++; // If the mConstructionDepth isn't matched with the length of mPrefixStack, // this means the constructor is called directly from JS, i.e. // 'new CustomElementConstructor()', we have to push a dummy prefix into // stack. if (mDefinition->mConstructionDepth > mDefinition->mPrefixStack.Length()) { mDidPush = true; mDefinition->mPrefixStack.AppendElement(nullptr); } MOZ_ASSERT(mDefinition->mConstructionDepth == mDefinition->mPrefixStack.Length()); } ~AutoConstructionDepth() { MOZ_ASSERT(mDefinition->mConstructionDepth > 0); MOZ_ASSERT(mDefinition->mConstructionDepth == mDefinition->mPrefixStack.Length()); if (mDidPush) { MOZ_ASSERT(mDefinition->mPrefixStack.LastElement() == nullptr); mDefinition->mPrefixStack.RemoveLastElement(); } mDefinition->mConstructionDepth--; } private: CustomElementDefinition* mDefinition; bool mDidPush = false; }; } // anonymous namespace // https://html.spec.whatwg.org/multipage/dom.html#htmlconstructor namespace binding_detail { bool HTMLConstructor(JSContext* aCx, unsigned aArgc, JS::Value* aVp, constructors::id::ID aConstructorId, prototypes::id::ID aProtoId, CreateInterfaceObjectsMethod aCreator) { JS::CallArgs args = JS::CallArgsFromVp(aArgc, aVp); // Per spec, this is technically part of step 3, but doing the check // directly lets us provide a better error message. And then in // step 2 we can work with newTarget in a simpler way because we // know it's an object. if (!args.isConstructing()) { return ThrowConstructorWithoutNew(aCx, NamesOfInterfacesWithProtos(aProtoId)); } JS::Rooted callee(aCx, &args.callee()); // 'callee' is not a function here; it's either an Xray for our interface // object or the interface object itself. So caling XrayAwareCalleeGlobal on // it is not safe. But since in the Xray case it's a wrapper for our // interface object, we can just construct our GlobalObject from it and end // up with the right thing. GlobalObject global(aCx, callee); if (global.Failed()) { return false; } // Now we start the [HTMLConstructor] algorithm steps from // https://html.spec.whatwg.org/multipage/dom.html#htmlconstructor ErrorResult rv; auto scopeExit = MakeScopeExit([&]() { Unused << rv.MaybeSetPendingException(aCx); }); // Step 1. nsCOMPtr window = do_QueryInterface(global.GetAsSupports()); if (!window) { // This means we ended up with an HTML Element interface object defined in // a non-Window scope. That's ... pretty unexpected. rv.Throw(NS_ERROR_UNEXPECTED); return false; } RefPtr registry( window->CustomElements()); // Technically, per spec, a window always has a document. In Gecko, a // sufficiently torn-down window might not, so check for that case. We're // going to need a document to create an element. Document* doc = window->GetExtantDoc(); if (!doc) { rv.Throw(NS_ERROR_UNEXPECTED); return false; } // Step 2. // The newTarget might be a cross-compartment wrapper. Get the underlying // object so we can do the spec's object-identity checks. If we ever stop // unwrapping here, carefully audit uses of newTarget below! // // Note that the ES spec enforces that newTarget is always a constructor (in // the sense of having a [[Construct]]), so it's not a cross-origin object and // we can use CheckedUnwrapStatic. JS::Rooted newTarget( aCx, js::CheckedUnwrapStatic(&args.newTarget().toObject())); if (!newTarget) { rv.ThrowTypeError(); return false; } // Enter the compartment of our underlying newTarget object, so we end // up comparing to the constructor object for our interface from that global. // XXXbz This is not what the spec says to do, and it's not super-clear to me // at this point why we're doing it. Why not just compare |newTarget| and // |callee| if the intent is just to prevent registration of HTML interface // objects as constructors? Of course it's not clear that the spec check // makes sense to start with: https://github.com/whatwg/html/issues/3575 { JSAutoRealm ar(aCx, newTarget); JS::Handle constructor = GetPerInterfaceObjectHandle(aCx, aConstructorId, aCreator, true); if (!constructor) { return false; } if (newTarget == constructor) { rv.ThrowTypeError(); return false; } } // Step 3. CustomElementDefinition* definition = registry->LookupCustomElementDefinition(aCx, newTarget); if (!definition) { rv.ThrowTypeError(); return false; } // Steps 4, 5, 6 do some sanity checks on our callee. We add to those a // determination of what sort of element we're planning to construct. // Technically, this should happen (implicitly) in step 8, but this // determination is side-effect-free, so it's OK. int32_t ns = definition->mNamespaceID; constructorGetterCallback cb = nullptr; if (ns == kNameSpaceID_XUL) { if (definition->mLocalName == nsGkAtoms::description || definition->mLocalName == nsGkAtoms::label) { cb = XULTextElement_Binding::GetConstructorObject; } else if (definition->mLocalName == nsGkAtoms::resizer) { cb = XULResizerElement_Binding::GetConstructorObject; } else if (definition->mLocalName == nsGkAtoms::menupopup || definition->mLocalName == nsGkAtoms::panel || definition->mLocalName == nsGkAtoms::tooltip) { cb = XULPopupElement_Binding::GetConstructorObject; } else if (definition->mLocalName == nsGkAtoms::iframe || definition->mLocalName == nsGkAtoms::browser || definition->mLocalName == nsGkAtoms::editor) { cb = XULFrameElement_Binding::GetConstructorObject; } else if (definition->mLocalName == nsGkAtoms::menu || definition->mLocalName == nsGkAtoms::menulist) { cb = XULMenuElement_Binding::GetConstructorObject; } else if (definition->mLocalName == nsGkAtoms::tree) { cb = XULTreeElement_Binding::GetConstructorObject; } else { cb = XULElement_Binding::GetConstructorObject; } } int32_t tag = eHTMLTag_userdefined; if (!definition->IsCustomBuiltIn()) { // Step 4. // If the definition is for an autonomous custom element, the active // function should be HTMLElement or extend from XULElement. if (!cb) { cb = HTMLElement_Binding::GetConstructorObject; } // We want to get the constructor from our global's realm, not the // caller realm. JSAutoRealm ar(aCx, global.Get()); JS::Rooted constructor(aCx, cb(aCx)); // CheckedUnwrapStatic is OK here, since our callee is callable, hence not a // cross-origin object. if (constructor != js::CheckedUnwrapStatic(callee)) { rv.ThrowTypeError(); return false; } } else { if (ns == kNameSpaceID_XHTML) { // Step 5. // If the definition is for a customized built-in element, the localName // should be one of the ones defined in the specification for this // interface. tag = nsHTMLTags::CaseSensitiveAtomTagToId(definition->mLocalName); if (tag == eHTMLTag_userdefined) { rv.ThrowTypeError(); return false; } MOZ_ASSERT(tag <= NS_HTML_TAG_MAX, "tag is out of bounds"); // If the definition is for a customized built-in element, the active // function should be the localname's element interface. cb = sConstructorGetterCallback[tag]; } if (!cb) { rv.ThrowTypeError(); return false; } // We want to get the constructor from our global's realm, not the // caller realm. JSAutoRealm ar(aCx, global.Get()); JS::Rooted constructor(aCx, cb(aCx)); if (!constructor) { return false; } // CheckedUnwrapStatic is OK here, since our callee is callable, hence not a // cross-origin object. if (constructor != js::CheckedUnwrapStatic(callee)) { rv.ThrowTypeError(); return false; } } // Steps 7 and 8. JS::Rooted desiredProto(aCx); if (!GetDesiredProto(aCx, args, aProtoId, aCreator, &desiredProto)) { return false; } MOZ_ASSERT(desiredProto, "How could we not have a prototype by now?"); // We need to do some work to actually return an Element, so we do step 8 on // one branch and steps 9-12 on another branch, then common up the "return // element" work. RefPtr element; nsTArray>& constructionStack = definition->mConstructionStack; if (constructionStack.IsEmpty()) { // Step 8. // Now we go to construct an element. We want to do this in global's // realm, not caller realm (the normal constructor behavior), // just in case those elements create JS things. JSAutoRealm ar(aCx, global.Get()); AutoConstructionDepth acd(definition); RefPtr nodeInfo = doc->NodeInfoManager()->GetNodeInfo( definition->mLocalName, definition->mPrefixStack.LastElement(), ns, nsINode::ELEMENT_NODE); MOZ_ASSERT(nodeInfo); if (ns == kNameSpaceID_XUL) { element = nsXULElement::Construct(nodeInfo.forget()); } else { if (tag == eHTMLTag_userdefined) { // Autonomous custom element. element = NS_NewHTMLElement(nodeInfo.forget()); } else { // Customized built-in element. element = CreateHTMLElement(tag, nodeInfo.forget(), NOT_FROM_PARSER); } } element->SetCustomElementData(MakeUnique( definition->mType, CustomElementData::State::eCustom)); element->SetCustomElementDefinition(definition); } else { // Step 9. element = constructionStack.LastElement(); // Step 10. if (element == ALREADY_CONSTRUCTED_MARKER) { rv.ThrowTypeError( "Cannot instantiate a custom element inside its own constructor " "during upgrades"); return false; } // Step 11. // Do prototype swizzling for upgrading a custom element here, for cases // when we have a reflector already. If we don't have one yet, we will // create it with the right proto (by calling GetOrCreateDOMReflector with // that proto), and will preserve it by means of the proto != canonicalProto // check). JS::Rooted reflector(aCx, element->GetWrapper()); if (reflector) { // reflector might be in different realm. JSAutoRealm ar(aCx, reflector); JS::Rooted givenProto(aCx, desiredProto); if (!JS_WrapObject(aCx, &givenProto) || !JS_SetPrototype(aCx, reflector, givenProto)) { return false; } PreserveWrapper(element.get()); } // Step 12. constructionStack.LastElement() = ALREADY_CONSTRUCTED_MARKER; } // Tail end of step 8 and step 13: returning the element. We want to do this // part in the global's realm, though in practice it won't matter much // because Element always knows which realm it should be created in. JSAutoRealm ar(aCx, global.Get()); if (!js::IsObjectInContextCompartment(desiredProto, aCx) && !JS_WrapObject(aCx, &desiredProto)) { return false; } return GetOrCreateDOMReflector(aCx, element, args.rval(), desiredProto); } } // namespace binding_detail #ifdef DEBUG namespace binding_detail { void AssertReflectorHasGivenProto(JSContext* aCx, JSObject* aReflector, JS::Handle aGivenProto) { if (!aGivenProto) { // Nothing to assert here return; } JS::Rooted reflector(aCx, aReflector); JSAutoRealm ar(aCx, reflector); JS::Rooted reflectorProto(aCx); bool ok = JS_GetPrototype(aCx, reflector, &reflectorProto); MOZ_ASSERT(ok); // aGivenProto may not be in the right realm here, so we // have to wrap it to compare. JS::Rooted givenProto(aCx, aGivenProto); ok = JS_WrapObject(aCx, &givenProto); MOZ_ASSERT(ok); MOZ_ASSERT(givenProto == reflectorProto, "How are we supposed to change the proto now?"); } } // namespace binding_detail #endif // DEBUG void SetUseCounter(JSObject* aObject, UseCounter aUseCounter) { nsGlobalWindowInner* win = xpc::WindowGlobalOrNull(js::UncheckedUnwrap(aObject)); if (win && win->GetDocument()) { win->GetDocument()->SetUseCounter(aUseCounter); } } void SetUseCounter(UseCounterWorker aUseCounter) { // If this is called from Worklet thread, workerPrivate will be null. WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate(); if (workerPrivate) { workerPrivate->SetUseCounter(aUseCounter); } } namespace { #define DEPRECATED_OPERATION(_op) #_op, static const char* kDeprecatedOperations[] = { #include "nsDeprecatedOperationList.h" nullptr}; #undef DEPRECATED_OPERATION void ReportDeprecation(nsIGlobalObject* aGlobal, nsIURI* aURI, DeprecatedOperations aOperation, const nsAString& aFileName, const Nullable& aLineNumber, const Nullable& aColumnNumber) { MOZ_ASSERT(aURI); // If the URI has the data scheme, report that instead of the spec, // as the spec may be arbitrarily long and we would like to avoid // copying it. nsAutoCString specOrScheme; nsresult rv = nsContentUtils::AnonymizeURI(aURI, specOrScheme); if (NS_WARN_IF(NS_FAILED(rv))) { return; } nsAutoString type; type.AssignASCII(kDeprecatedOperations[static_cast(aOperation)]); nsAutoCString key; key.AssignASCII(kDeprecatedOperations[static_cast(aOperation)]); key.AppendASCII("Warning"); nsAutoString msg; rv = nsContentUtils::GetLocalizedString(nsContentUtils::eDOM_PROPERTIES, key.get(), msg); if (NS_WARN_IF(NS_FAILED(rv))) { return; } RefPtr body = new DeprecationReportBody(aGlobal, type, nullptr /* date */, msg, aFileName, aLineNumber, aColumnNumber); ReportingUtils::Report(aGlobal, nsGkAtoms::deprecation, u"default"_ns, NS_ConvertUTF8toUTF16(specOrScheme), body); } // This runnable is used to write a deprecation message from a worker to the // console running on the main-thread. class DeprecationWarningRunnable final : public WorkerProxyToMainThreadRunnable { const DeprecatedOperations mOperation; public: explicit DeprecationWarningRunnable(DeprecatedOperations aOperation) : mOperation(aOperation) {} private: void RunOnMainThread(WorkerPrivate* aWorkerPrivate) override { MOZ_ASSERT(NS_IsMainThread()); MOZ_ASSERT(aWorkerPrivate); // Walk up to our containing page WorkerPrivate* wp = aWorkerPrivate; while (wp->GetParent()) { wp = wp->GetParent(); } nsPIDOMWindowInner* window = wp->GetWindow(); if (window && window->GetExtantDoc()) { window->GetExtantDoc()->WarnOnceAbout(mOperation); } } void RunBackOnWorkerThreadForCleanup(WorkerPrivate* aWorkerPrivate) override { } }; void MaybeShowDeprecationWarning(const GlobalObject& aGlobal, DeprecatedOperations aOperation) { if (NS_IsMainThread()) { nsCOMPtr window = do_QueryInterface(aGlobal.GetAsSupports()); if (window && window->GetExtantDoc()) { window->GetExtantDoc()->WarnOnceAbout(aOperation); } return; } WorkerPrivate* workerPrivate = GetWorkerPrivateFromContext(aGlobal.Context()); if (!workerPrivate) { return; } RefPtr runnable = new DeprecationWarningRunnable(aOperation); runnable->Dispatch(workerPrivate); } void MaybeReportDeprecation(const GlobalObject& aGlobal, DeprecatedOperations aOperation) { nsCOMPtr uri; if (NS_IsMainThread()) { nsCOMPtr window = do_QueryInterface(aGlobal.GetAsSupports()); if (!window || !window->GetExtantDoc()) { return; } uri = window->GetExtantDoc()->GetDocumentURI(); } else { WorkerPrivate* workerPrivate = GetWorkerPrivateFromContext(aGlobal.Context()); if (!workerPrivate) { return; } uri = workerPrivate->GetResolvedScriptURI(); } if (NS_WARN_IF(!uri)) { return; } nsAutoString fileName; Nullable lineNumber; Nullable columnNumber; uint32_t line = 0; uint32_t column = 1; if (nsJSUtils::GetCallingLocation(aGlobal.Context(), fileName, &line, &column)) { lineNumber.SetValue(line); columnNumber.SetValue(column); } nsCOMPtr global = do_QueryInterface(aGlobal.GetAsSupports()); MOZ_ASSERT(global); ReportDeprecation(global, uri, aOperation, fileName, lineNumber, columnNumber); } } // anonymous namespace void DeprecationWarning(JSContext* aCx, JSObject* aObject, DeprecatedOperations aOperation) { GlobalObject global(aCx, aObject); if (global.Failed()) { NS_ERROR("Could not create global for DeprecationWarning"); return; } DeprecationWarning(global, aOperation); } void DeprecationWarning(const GlobalObject& aGlobal, DeprecatedOperations aOperation) { MaybeShowDeprecationWarning(aGlobal, aOperation); MaybeReportDeprecation(aGlobal, aOperation); } namespace binding_detail { JSObject* UnprivilegedJunkScopeOrWorkerGlobal(const fallible_t&) { if (NS_IsMainThread()) { return xpc::UnprivilegedJunkScope(fallible); } return GetCurrentThreadWorkerGlobal(); } } // namespace binding_detail JS::Handle GetPerInterfaceObjectHandle( JSContext* aCx, size_t aSlotId, CreateInterfaceObjectsMethod aCreator, bool aDefineOnGlobal) { /* Make sure our global is sane. Hopefully we can remove this sometime */ JSObject* global = JS::CurrentGlobalOrNull(aCx); if (!(JS::GetClass(global)->flags & JSCLASS_DOM_GLOBAL)) { return nullptr; } /* Check to see whether the interface objects are already installed */ ProtoAndIfaceCache& protoAndIfaceCache = *GetProtoAndIfaceCache(global); if (!protoAndIfaceCache.HasEntryInSlot(aSlotId)) { JS::Rooted rootedGlobal(aCx, global); aCreator(aCx, rootedGlobal, protoAndIfaceCache, aDefineOnGlobal); } /* * The object might _still_ be null, but that's OK. * * Calling fromMarkedLocation() is safe because protoAndIfaceCache is * traced by TraceProtoAndIfaceCache() and its contents are never * changed after they have been set. * * Calling address() avoids the read barrier that does gray unmarking, but * it's not possible for the object to be gray here. */ const JS::Heap& entrySlot = protoAndIfaceCache.EntrySlotMustExist(aSlotId); JS::AssertObjectIsNotGray(entrySlot); return JS::Handle::fromMarkedLocation(entrySlot.address()); } namespace binding_detail { bool IsGetterEnabled(JSContext* aCx, JS::Handle aObj, JSJitGetterOp aGetter, const Prefable* aAttributes) { MOZ_ASSERT(aAttributes); MOZ_ASSERT(aAttributes->specs); do { if (aAttributes->isEnabled(aCx, aObj)) { const JSPropertySpec* specs = aAttributes->specs; do { if (!specs->isAccessor() || specs->isSelfHosted()) { // It won't have a JSJitGetterOp. continue; } const JSJitInfo* info = specs->u.accessors.getter.native.info; if (!info) { continue; } MOZ_ASSERT(info->type() == JSJitInfo::OpType::Getter); if (info->getter == aGetter) { return true; } } while ((++specs)->name); } } while ((++aAttributes)->specs); // Didn't find it. return false; } already_AddRefed CreateRejectedPromiseFromThrownException( JSContext* aCx, ErrorResult& aError) { if (!JS_IsExceptionPending(aCx)) { // If there is no pending exception here but we're ending up in this code, // that means the callee threw an uncatchable exception. Just propagate that // out as-is. Promise::RejectWithExceptionFromContext also checks this, but // we want to bail out here before trying to get the globals. aError.ThrowUncatchableException(); return nullptr; } GlobalObject promiseGlobal(aCx, GetEntryGlobal()->GetGlobalJSObject()); if (promiseGlobal.Failed()) { aError.StealExceptionFromJSContext(aCx); return nullptr; } nsCOMPtr global = do_QueryInterface(promiseGlobal.GetAsSupports()); if (!global) { aError.Throw(NS_ERROR_UNEXPECTED); return nullptr; } return Promise::RejectWithExceptionFromContext(global, aCx, aError); } } // namespace binding_detail } // namespace dom } // namespace mozilla