/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

/* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */

"use strict";

loadRelativeToScript('utility.js');
loadRelativeToScript('annotations.js');
loadRelativeToScript('callgraph.js');
loadRelativeToScript('dumpCFG.js');

///////////////////////////////////////////////////////////////////////////////
// Annotations
///////////////////////////////////////////////////////////////////////////////

function checkExternalFunction(entry)
{
    var whitelist = [
        "__builtin_clz",
        "__builtin_expect",
        "isprint",
        "ceilf",
        "floorf",
        /^rusturl/,
        "memcmp",
        "strcmp",
        "fmod",
        "floor",
        "ceil",
        "atof",
        /memchr/,
        "strlen",
        /Servo_DeclarationBlock_GetCssText/,
        "Servo_GetArcStringData",
        "Servo_IsWorkerThread",
        /nsIFrame::AppendOwnedAnonBoxes/,
        // Assume that atomic accesses are threadsafe.
        /^__atomic_/,
    ];
    if (entry.matches(whitelist))
        return;

    // memcpy and memset are safe if the target pointer is threadsafe.
    const simpleWrites = [
        "memcpy",
        "memset",
        "memmove",
    ];

    if (entry.isSafeArgument(1) && simpleWrites.includes(entry.name))
        return;

    dumpError(entry, null, "External function");
}

function hasThreadsafeReferenceCounts(entry, regexp)
{
    // regexp should match some nsISupports-operating function and produce the
    // name of the nsISupports class via exec().

    // nsISupports classes which have threadsafe reference counting.
    var whitelist = [
        "nsIRunnable",

        // I don't know if these always have threadsafe refcounts.
        "nsAtom",
        "nsIPermissionManager",
        "nsIURI",
    ];

    var match = regexp.exec(entry.name);
    return match && nameMatchesArray(match[1], whitelist);
}

function checkOverridableVirtualCall(entry, location, callee)
{
    // We get here when a virtual call is made on a structure which might be
    // overridden by script or by a binary extension. This includes almost
    // everything under nsISupports, however, so for the most part we ignore
    // this issue. The exception is for nsISupports AddRef/Release, which are
    // not in general threadsafe and whose overrides will not be generated by
    // the callgraph analysis.
    if (callee != "nsISupports.AddRef" && callee != "nsISupports.Release")
        return;

    if (hasThreadsafeReferenceCounts(entry, /::~?nsCOMPtr\(.*?\[with T = (.*?)\]$/))
        return;
    if (hasThreadsafeReferenceCounts(entry, /RefPtrTraits.*?::Release.*?\[with U = (.*?)\]/))
        return;
    if (hasThreadsafeReferenceCounts(entry, /nsCOMPtr<T>::assign_assuming_AddRef.*?\[with T = (.*?)\]/))
        return;
    if (hasThreadsafeReferenceCounts(entry, /nsCOMPtr<T>::assign_with_AddRef.*?\[with T = (.*?)\]/))
        return;

    // Watch for raw addref/release.
    var whitelist = [
        "Gecko_AddRefAtom",
        "Gecko_ReleaseAtom",
        /nsPrincipal::Get/,
        /CounterStylePtr::Reset/,
    ];
    if (entry.matches(whitelist))
        return;

    dumpError(entry, location, "AddRef/Release on nsISupports");
}

function checkIndirectCall(entry, location, callee)
{
    var name = entry.name;

    // These hash table callbacks should be threadsafe.
    if (/PLDHashTable/.test(name) && (/matchEntry/.test(callee) || /hashKey/.test(callee)))
        return;
    if (/PL_HashTable/.test(name) && /keyCompare/.test(callee))
        return;

    dumpError(entry, location, "Indirect call " + callee);
}

function checkVariableAssignment(entry, location, variable)
{
    var name = entry.name;

    dumpError(entry, location, "Variable assignment " + variable);
}

// Annotations for function parameters, based on function name and parameter
// name + type.
function treatAsSafeArgument(entry, varName, csuName)
{
    var whitelist = [
        // These iterator classes should all be thread local. They are passed
        // in to some Servo bindings and are created on the heap by others, so
        // just ignore writes to them.
        [null, null, /StyleChildrenIterator/],
        [null, null, /ExplicitChildIterator/],

        // The use of BeginReading() to instantiate this class confuses the
        // analysis.
        [null, null, /nsReadingIterator/],

        // These classes are passed to some Servo bindings to fill in.
        [/^Gecko_/, null, "nsStyleImageLayers"],
        [/^Gecko_/, null, /FontFamilyList/],

        // Various Servo binding out parameters. This is a mess and there needs
        // to be a way to indicate which params are out parameters, either using
        // an attribute or a naming convention.
        ["Gecko_SetCounterStyleToName", "aPtr", null],
        ["Gecko_SetCounterStyleToSymbols", "aPtr", null],
        ["Gecko_SetCounterStyleToString", "aPtr", null],
        ["Gecko_CopyCounterStyle", "aDst", null],
        ["Gecko_SetMozBinding", "aDisplay", null],
        [/ClassOrClassList/, /aClass/, null],
        ["Gecko_GetAtomAsUTF16", "aLength", null],
        ["Gecko_CopyMozBindingFrom", "aDest", null],
        ["Gecko_SetNullImageValue", "aImage", null],
        ["Gecko_SetGradientImageValue", "aImage", null],
        ["Gecko_SetImageElement", "aImage", null],
        ["Gecko_SetLayerImageImageValue", "aImage", null],
        ["Gecko_CopyImageValueFrom", "aImage", null],
        ["Gecko_SetCursorArrayLength", "aStyleUI", null],
        ["Gecko_CopyCursorArrayFrom", "aDest", null],
        ["Gecko_SetCursorImageValue", "aCursor", null],
        ["Gecko_SetListStyleImageImageValue", "aList", null],
        ["Gecko_SetListStyleImageNone", "aList", null],
        ["Gecko_CopyListStyleImageFrom", "aList", null],
        ["Gecko_ClearStyleContents", "aContent", null],
        ["Gecko_CopyStyleContentsFrom", "aContent", null],
        ["Gecko_CopyStyleGridTemplateValues", "aGridTemplate", null],
        ["Gecko_ResetStyleCoord", null, null],
        ["Gecko_CopyClipPathValueFrom", "aDst", null],
        ["Gecko_DestroyClipPath", "aClip", null],
        ["Gecko_ResetFilters", "effects", null],
        [/Gecko_CSSValue_Set/, "aCSSValue", null],
        ["Gecko_CSSValue_Drop", "aCSSValue", null],
        ["Gecko_CSSFontFaceRule_GetCssText", "aResult", null],
        ["Gecko_EnsureTArrayCapacity", "aArray", null],
        ["Gecko_ClearPODTArray", "aArray", null],
        ["Gecko_SetStyleGridTemplate", "aGridTemplate", null],
        ["Gecko_ResizeTArrayForStrings", "aArray", null],
        ["Gecko_ClearAndResizeStyleContents", "aContent", null],
        [/Gecko_ClearAndResizeCounter/, "aContent", null],
        [/Gecko_CopyCounter.*?From/, "aContent", null],
        [/Gecko_SetContentDataImageValue/, "aList", null],
        [/Gecko_SetContentData/, "aContent", null],
        ["Gecko_SetCounterFunction", "aContent", null],
        [/Gecko_EnsureStyle.*?ArrayLength/, "aArray", null],
        ["Gecko_GetOrCreateKeyframeAtStart", "aKeyframes", null],
        ["Gecko_GetOrCreateInitialKeyframe", "aKeyframes", null],
        ["Gecko_GetOrCreateFinalKeyframe", "aKeyframes", null],
        ["Gecko_AppendPropertyValuePair", "aProperties", null],
        ["Gecko_SetStyleCoordCalcValue", null, null],
        ["Gecko_StyleClipPath_SetURLValue", "aClip", null],
        ["Gecko_nsStyleFilter_SetURLValue", "aEffects", null],
        ["Gecko_nsStyleSVG_SetDashArrayLength", "aSvg", null],
        ["Gecko_nsStyleSVG_CopyDashArray", "aDst", null],
        ["Gecko_nsStyleFont_SetLang", "aFont", null],
        ["Gecko_nsStyleFont_CopyLangFrom", "aFont", null],
        ["Gecko_ClearWillChange", "aDisplay", null],
        ["Gecko_AppendWillChange", "aDisplay", null],
        ["Gecko_CopyWillChangeFrom", "aDest", null],
        ["Gecko_InitializeImageCropRect", "aImage", null],
        ["Gecko_CopyShapeSourceFrom", "aDst", null],
        ["Gecko_DestroyShapeSource", "aShape", null],
        ["Gecko_StyleShapeSource_SetURLValue", "aShape", null],
        ["Gecko_NewBasicShape", "aShape", null],
        ["Gecko_NewShapeImage", "aShape", null],
        ["Gecko_nsFont_InitSystem", "aDest", null],
        ["Gecko_nsFont_SetFontFeatureValuesLookup", "aFont", null],
        ["Gecko_nsFont_ResetFontFeatureValuesLookup", "aFont", null],
        ["Gecko_nsStyleFont_FixupNoneGeneric", "aFont", null],
        ["Gecko_StyleTransition_SetUnsupportedProperty", "aTransition", null],
        ["Gecko_AddPropertyToSet", "aPropertySet", null],
        ["Gecko_CalcStyleDifference", "aAnyStyleChanged", null],
        ["Gecko_CalcStyleDifference", "aOnlyResetStructsChanged", null],
        ["Gecko_nsStyleSVG_CopyContextProperties", "aDst", null],
        ["Gecko_nsStyleFont_PrefillDefaultForGeneric", "aFont", null],
        ["Gecko_nsStyleSVG_SetContextPropertiesLength", "aSvg", null],
        ["Gecko_ClearAlternateValues", "aFont", null],
        ["Gecko_AppendAlternateValues", "aFont", null],
        ["Gecko_CopyAlternateValuesFrom", "aDest", null],
        ["Gecko_CounterStyle_GetName", "aResult", null],
        ["Gecko_CounterStyle_GetSingleString", "aResult", null],
        ["Gecko_nsTArray_FontFamilyName_AppendNamed", "aNames", null],
        ["Gecko_nsTArray_FontFamilyName_AppendGeneric", "aNames", null],
    ];
    for (var [entryMatch, varMatch, csuMatch] of whitelist) {
        assert(entryMatch || varMatch || csuMatch);
        if (entryMatch && !nameMatches(entry.name, entryMatch))
            continue;
        if (varMatch && !nameMatches(varName, varMatch))
            continue;
        if (csuMatch && (!csuName || !nameMatches(csuName, csuMatch)))
            continue;
        return true;
    }
    return false;
}

function isSafeAssignment(entry, edge, variable)
{
    if (edge.Kind != 'Assign')
        return false;

    var [mangled, unmangled] = splitFunction(entry.name);

    // The assignment
    //
    //   nsFont* font = fontTypes[eType];
    //
    // ends up with 'font' pointing to a member of 'this', so it should inherit
    // the safety of 'this'.
    if (unmangled.includes("mozilla::LangGroupFontPrefs::Initialize") &&
        variable == 'font')
    {
        const [lhs, rhs] = edge.Exp;
        const {Kind, Exp: [{Kind: indexKind, Exp: [collection, index]}]} = rhs;
        if (Kind == 'Drf' &&
            indexKind == 'Index' &&
            collection.Kind == 'Var' &&
            collection.Variable.Name[0] == 'fontTypes')
        {
            return entry.isSafeArgument(0); // 'this'
        }
    }

    return false;
}

function checkFieldWrite(entry, location, fields)
{
    var name = entry.name;
    for (var field of fields) {
        // The analysis is having some trouble keeping track of whether
        // already_AddRefed and nsCOMPtr structures are safe to access.
        // Hopefully these will be thread local, but it would be better to
        // improve the analysis to handle these.
        if (/already_AddRefed.*?.mRawPtr/.test(field))
            return;
        if (/nsCOMPtr<.*?>.mRawPtr/.test(field))
            return;

        if (/\bThreadLocal<\b/.test(field))
            return;

        // Debugging check for string corruption.
        if (field == "nsStringBuffer.mCanary")
            return;
    }

    var str = "";
    for (var field of fields)
        str += " " + field;

    dumpError(entry, location, "Field write" + str);
}

function checkDereferenceWrite(entry, location, variable)
{
    var name = entry.name;

    // Maybe<T> uses placement new on local storage in a way we don't understand.
    // Allow this if the Maybe<> value itself is threadsafe.
    if (/Maybe.*?::emplace/.test(name) && entry.isSafeArgument(0))
        return;

    // UniquePtr writes through temporaries referring to its internal storage.
    // Allow this if the UniquePtr<> is threadsafe.
    if (/UniquePtr.*?::reset/.test(name) && entry.isSafeArgument(0))
        return;

    // Operations on nsISupports reference counts.
    if (hasThreadsafeReferenceCounts(entry, /nsCOMPtr<T>::swap\(.*?\[with T = (.*?)\]/))
        return;

    // ConvertToLowerCase::write writes through a local pointer into the first
    // argument.
    if (/ConvertToLowerCase::write/.test(name) && entry.isSafeArgument(0))
        return;

    dumpError(entry, location, "Dereference write " + (variable ? variable : "<unknown>"));
}

function ignoreCallEdge(entry, callee)
{
    var name = entry.name;

    // nsPropertyTable::GetPropertyInternal has the option of removing data
    // from the table, but when it is called by nsPropertyTable::GetProperty
    // this will not occur.
    if (/nsPropertyTable::GetPropertyInternal/.test(callee) &&
        /nsPropertyTable::GetProperty/.test(name))
    {
        return true;
    }

    // Document::PropertyTable calls GetExtraPropertyTable (which has side
    // effects) if the input category is non-zero. If a literal zero was passed
    // in for the category then we treat it as a safe argument, per
    // isEdgeSafeArgument, so just watch for that.
    if (/Document::GetExtraPropertyTable/.test(callee) &&
        /Document::PropertyTable/.test(name) &&
        entry.isSafeArgument(1))
    {
        return true;
    }

    // This function has an explicit test for being on the main thread if the
    // style has non-threadsafe refcounts, but the analysis isn't smart enough
    // to understand what the actual styles that can be involved are.
    if (/nsStyleList::SetCounterStyle/.test(callee))
        return true;

    // CachedBorderImageData is exclusively owned by nsStyleImage, but the
    // analysis is not smart enough to know this.
    if (/CachedBorderImageData::PurgeCachedImages/.test(callee) &&
        /nsStyleImage::/.test(name) &&
        entry.isSafeArgument(0))
    {
        return true;
    }

    // StyleShapeSource exclusively owns its UniquePtr<nsStyleImage>.
    if (/nsStyleImage::SetURLValue/.test(callee) &&
        /StyleShapeSource::SetURL/.test(name) &&
        entry.isSafeArgument(0))
    {
        return true;
    }

    // The AddRef through a just-assigned heap pointer here is not handled by
    // the analysis.
    if (/nsCSSValue::Array::AddRef/.test(callee) &&
        /nsStyleContentData::SetCounters/.test(name) &&
        entry.isSafeArgument(2))
    {
        return true;
    }

    // AllChildrenIterator asks AppendOwnedAnonBoxes to append into an nsTArray
    // local variable.
    if (/nsIFrame::AppendOwnedAnonBoxes/.test(callee) &&
        /AllChildrenIterator::AppendNativeAnonymousChildren/.test(name))
    {
        return true;
    }

    // Runnables are created and named on one thread, then dispatched
    // (possibly to another). Writes on the origin thread are ok.
    if (/::SetName/.test(callee) &&
        /::UnlabeledDispatch/.test(name))
    {
        return true;
    }

    // We manually lock here
    if (name == "Gecko_nsFont_InitSystem" ||
        name == "Gecko_GetFontMetrics" ||
        name == "Gecko_nsStyleFont_FixupMinFontSize" ||
        /ThreadSafeGetDefaultFontHelper/.test(name))
    {
        return true;
    }

    return false;
}

function ignoreContents(entry)
{
    var whitelist = [
        // We don't care what happens when we're about to crash.
        "abort",
        /MOZ_ReportAssertionFailure/,
        /MOZ_ReportCrash/,
        /MOZ_Crash/,
        /MOZ_CrashPrintf/,
        /AnnotateMozCrashReason/,
        /InvalidArrayIndex_CRASH/,
        /NS_ABORT_OOM/,

        // These ought to be threadsafe.
        "NS_DebugBreak",
        /mozalloc_handle_oom/,
        /^NS_Log/, /log_print/, /LazyLogModule::operator/,
        /SprintfLiteral/, "PR_smprintf", "PR_smprintf_free",
        /NS_DispatchToMainThread/, /NS_ReleaseOnMainThread/,
        /NS_NewRunnableFunction/, /NS_Atomize/,
        /nsCSSValue::BufferFromString/,
        /NS_xstrdup/,
        /Assert_NoQueryNeeded/,
        /AssertCurrentThreadOwnsMe/,
        /PlatformThread::CurrentId/,
        /imgRequestProxy::GetProgressTracker/, // Uses an AutoLock
        /Smprintf/,
        "malloc",
        "calloc",
        "free",
        "realloc",
        "memalign",
        "strdup",
        "strndup",
        "moz_xmalloc",
        "moz_xcalloc",
        "moz_xrealloc",
        "moz_xmemalign",
        "moz_xstrdup",
        "moz_xstrndup",
        "jemalloc_thread_local_arena",

        // These all create static strings in local storage, which is threadsafe
        // to do but not understood by the analysis yet.
        / EmptyString\(\)/,

        // These could probably be handled by treating the scope of PSAutoLock
        // aka BaseAutoLock<PSMutex> as threadsafe.
        /profiler_register_thread/,
        /profiler_unregister_thread/,

        // The analysis thinks we'll write to mBits in the DoGetStyleFoo<false>
        // call.  Maybe the template parameter confuses it?
        /ComputedStyle::PeekStyle/,

        // The analysis can't cope with the indirection used for the objects
        // being initialized here, from nsCSSValue::Array::Create to the return
        // value of the Item(i) getter.
        /nsCSSValue::SetCalcValue/,

        // Unable to analyze safety of linked list initialization.
        "Gecko_NewCSSValueSharedList",
        "Gecko_CSSValue_InitSharedList",

        // Unable to trace through dataflow, but straightforward if inspected.
        "Gecko_NewNoneTransform",

        // Need main thread assertions or other fixes.
        /EffectCompositor::GetServoAnimationRule/,
    ];
    if (entry.matches(whitelist))
        return true;

    if (entry.isSafeArgument(0)) {
        var heapWhitelist = [
            // Operations on heap structures pointed to by arrays and strings are
            // threadsafe as long as the array/string itself is threadsafe.
            /nsTArray_Impl.*?::AppendElement/,
            /nsTArray_Impl.*?::RemoveElementsAt/,
            /nsTArray_Impl.*?::ReplaceElementsAt/,
            /nsTArray_Impl.*?::InsertElementAt/,
            /nsTArray_Impl.*?::SetCapacity/,
            /nsTArray_Impl.*?::SetLength/,
            /nsTArray_base.*?::EnsureCapacity/,
            /nsTArray_base.*?::ShiftData/,
            /AutoTArray.*?::Init/,
            /(nsTSubstring<T>|nsAC?String)::SetCapacity/,
            /(nsTSubstring<T>|nsAC?String)::SetLength/,
            /(nsTSubstring<T>|nsAC?String)::Assign/,
            /(nsTSubstring<T>|nsAC?String)::Append/,
            /(nsTSubstring<T>|nsAC?String)::Replace/,
            /(nsTSubstring<T>|nsAC?String)::Trim/,
            /(nsTSubstring<T>|nsAC?String)::Truncate/,
            /(nsTSubstring<T>|nsAC?String)::StripTaggedASCII/,
            /(nsTSubstring<T>|nsAC?String)::operator=/,
            /nsTAutoStringN<T, N>::nsTAutoStringN/,

            // Similar for some other data structures
            /nsCOMArray_base::SetCapacity/,
            /nsCOMArray_base::Clear/,
            /nsCOMArray_base::AppendElement/,

            // UniquePtr is similar.
            /mozilla::UniquePtr/,

            // The use of unique pointers when copying mCropRect here confuses
            // the analysis.
            /nsStyleImage::DoCopy/,
        ];
        if (entry.matches(heapWhitelist))
            return true;
    }

    if (entry.isSafeArgument(1)) {
        var firstArgWhitelist = [
            /nsTextFormatter::snprintf/,
            /nsTextFormatter::ssprintf/,
            /_ASCIIToUpperInSitu/,

            // Handle some writes into an array whose safety we don't have a good way
            // of tracking currently.
            /FillImageLayerList/,
            /FillImageLayerPositionCoordList/,
        ];
        if (entry.matches(firstArgWhitelist))
            return true;
    }

    if (entry.isSafeArgument(2)) {
        var secondArgWhitelist = [
            /nsStringBuffer::ToString/,
            /AppendUTF\d+toUTF\d+/,
            /AppendASCIItoUTF\d+/,
        ];
        if (entry.matches(secondArgWhitelist))
            return true;
    }

    return false;
}

///////////////////////////////////////////////////////////////////////////////
// Sixgill Utilities
///////////////////////////////////////////////////////////////////////////////

function variableName(variable)
{
    return (variable && variable.Name) ? variable.Name[0] : null;
}

function stripFields(exp)
{
    // Fields and index operations do not involve any dereferences. Remove them
    // from the expression but remember any encountered fields for use by
    // annotations later on.
    var fields = [];
    while (true) {
        if (exp.Kind == "Index") {
            exp = exp.Exp[0];
            continue;
        }
        if (exp.Kind == "Fld") {
            var csuName = exp.Field.FieldCSU.Type.Name;
            var fieldName = exp.Field.Name[0];
            assert(csuName && fieldName);
            fields.push(csuName + "." + fieldName);
            exp = exp.Exp[0];
            continue;
        }
        break;
    }
    return [exp, fields];
}

function isLocalVariable(variable)
{
    switch (variable.Kind) {
      case "Return":
      case "Temp":
      case "Local":
      case "Arg":
        return true;
    }
    return false;
}

function isDirectCall(edge, regexp)
{
    return edge.Kind == "Call"
        && edge.Exp[0].Kind == "Var"
        && regexp.test(variableName(edge.Exp[0].Variable));
}

function isZero(exp)
{
    return exp.Kind == "Int" && exp.String == "0";
}

///////////////////////////////////////////////////////////////////////////////
// Analysis Structures
///////////////////////////////////////////////////////////////////////////////

// Safe arguments are those which may be written through (directly, not through
// pointer fields etc.) without concerns about thread safety. This includes
// pointers to stack data, null pointers, and other data we know is thread
// local, such as certain arguments to the root functions.
//
// Entries in the worklist keep track of the pointer arguments to the function
// which are safe using a sorted array, so that this can be propagated down the
// stack. Zero is |this|, and arguments are indexed starting at one.

function WorklistEntry(name, safeArguments, stack, parameterNames)
{
    this.name = name;
    this.safeArguments = safeArguments;
    this.stack = stack;
    this.parameterNames = parameterNames;
}

WorklistEntry.prototype.readable = function()
{
    const [ mangled, readable ] = splitFunction(this.name);
    return readable;
}

WorklistEntry.prototype.mangledName = function()
{
    var str = this.name;
    for (var safe of this.safeArguments)
        str += " SAFE " + safe;
    return str;
}

WorklistEntry.prototype.isSafeArgument = function(index)
{
    for (var safe of this.safeArguments) {
        if (index == safe)
            return true;
    }
    return false;
}

WorklistEntry.prototype.setParameterName = function(index, name)
{
    this.parameterNames[index] = name;
}

WorklistEntry.prototype.addSafeArgument = function(index)
{
    if (this.isSafeArgument(index))
        return;
    this.safeArguments.push(index);

    // Sorting isn't necessary for correctness but makes printed stack info tidier.
    this.safeArguments.sort();
}

function safeArgumentIndex(variable)
{
    if (variable.Kind == "This")
        return 0;
    if (variable.Kind == "Arg")
        return variable.Index + 1;
    return -1;
}

function nameMatches(name, match)
{
    if (typeof match == "string") {
        if (name == match)
            return true;
    } else {
        assert(match instanceof RegExp);
        if (match.test(name))
            return true;
    }
    return false;
}

function nameMatchesArray(name, matchArray)
{
    for (var match of matchArray) {
        if (nameMatches(name, match))
            return true;
    }
    return false;
}

WorklistEntry.prototype.matches = function(matchArray)
{
    return nameMatchesArray(this.name, matchArray);
}

function CallSite(callee, safeArguments, location, parameterNames)
{
    this.callee = callee;
    this.safeArguments = safeArguments;
    this.location = location;
    this.parameterNames = parameterNames;
}

CallSite.prototype.safeString = function()
{
    if (this.safeArguments.length) {
        var str = "";
        for (var i = 0; i < this.safeArguments.length; i++) {
            var arg = this.safeArguments[i];
            if (arg in this.parameterNames)
                str += " " + this.parameterNames[arg];
            else
                str += " <" + ((arg == 0) ? "this" : "arg" + (arg - 1)) + ">";
        }
        return " ### SafeArguments:" + str;
    }
    return "";
}

///////////////////////////////////////////////////////////////////////////////
// Analysis Core
///////////////////////////////////////////////////////////////////////////////

var errorCount = 0;
var errorLimit = 100;

// We want to suppress output for functions that ended up not having any
// hazards, for brevity of the final output. So each new toplevel function will
// initialize this to a string, which should be printed only if an error is
// seen.
var errorHeader;

var startTime = new Date;
function elapsedTime()
{
    var seconds = (new Date - startTime) / 1000;
    return "[" + seconds.toFixed(2) + "s] ";
}

var options = parse_options([
    {
        name: '--strip-prefix',
        default: os.getenv('SOURCE') || '',
        type: 'string'
    },
    {
        name: '--add-prefix',
        default: os.getenv('URLPREFIX') || '',
        type: 'string'
    },
    {
        name: '--verbose',
        type: 'bool'
    },
]);

function add_trailing_slash(str) {
    if (str == '')
        return str;
    return str.endsWith("/") ? str : str + "/";
}

var removePrefix = add_trailing_slash(options.strip_prefix);
var addPrefix = add_trailing_slash(options.add_prefix);

if (options.verbose) {
    printErr(`Removing prefix ${removePrefix} from paths`);
    printErr(`Prepending ${addPrefix} to paths`);
}

print(elapsedTime() + "Loading types...");
if (os.getenv("TYPECACHE"))
    loadTypesWithCache('src_comp.xdb', os.getenv("TYPECACHE"));
else
    loadTypes('src_comp.xdb');
print(elapsedTime() + "Starting analysis...");

var xdb = xdbLibrary();
xdb.open("src_body.xdb");

var minStream = xdb.min_data_stream();
var maxStream = xdb.max_data_stream();
var roots = [];

var [flag, arg] = scriptArgs;
if (flag && (flag == '-f' || flag == '--function')) {
    roots = [arg];
} else {
    for (var bodyIndex = minStream; bodyIndex <= maxStream; bodyIndex++) {
        var key = xdb.read_key(bodyIndex);
        var name = key.readString();
        if (/^Gecko_/.test(name)) {
            var data = xdb.read_entry(key);
            if (/ServoBindings.cpp/.test(data.readString()))
                roots.push(name);
            xdb.free_string(data);
        }
        xdb.free_string(key);
    }
}

print(elapsedTime() + "Found " + roots.length + " roots.");
for (var i = 0; i < roots.length; i++) {
    var root = roots[i];
    errorHeader = elapsedTime() + "#" + (i + 1) + " Analyzing " + root + " ...";
    try {
        processRoot(root);
    } catch (e) {
        if (e != "Error!")
            throw e;
    }
}

print(`${elapsedTime()}Completed analysis, found ${errorCount}/${errorLimit} allowed errors`);

var currentBody;

// All local variable assignments we have seen in either the outer or inner
// function. This crosses loop boundaries, and currently has an unsoundness
// where later assignments in a loop are not taken into account.
var assignments;

// All loops in the current function which are reachable off main thread.
var reachableLoops;

// Functions that are reachable from the current root.
var reachable = {};

function dumpError(entry, location, text)
{
    if (errorHeader) {
        print(errorHeader);
        errorHeader = undefined;
    }

    var stack = entry.stack;
    print("Error: " + text);
    print("Location: " + entry.name + (location ? " @ " + location : "") + stack[0].safeString());
    print("Stack Trace:");
    // Include the callers in the stack trace instead of the callees. Make sure
    // the dummy stack entry we added for the original roots is in place.
    assert(stack[stack.length - 1].location == null);
    for (var i = 0; i < stack.length - 1; i++)
        print(stack[i + 1].callee + " @ " + stack[i].location + stack[i + 1].safeString());
    print("\n");

    if (++errorCount == errorLimit) {
        print("Maximum number of errors encountered, exiting...");
        quit();
    }

    throw "Error!";
}

// If edge is an assignment from a local variable, return the rhs variable.
function variableAssignRhs(edge)
{
    if (edge.Kind == "Assign" && edge.Exp[1].Kind == "Drf" && edge.Exp[1].Exp[0].Kind == "Var") {
        var variable = edge.Exp[1].Exp[0].Variable;
        if (isLocalVariable(variable))
            return variable;
    }
    return null;
}

function processAssign(body, entry, location, lhs, edge)
{
    var fields;
    [lhs, fields] = stripFields(lhs);

    switch (lhs.Kind) {
      case "Var":
        var name = variableName(lhs.Variable);
        if (isLocalVariable(lhs.Variable)) {
            // Remember any assignments to local variables in this function.
            // Note that we ignore any points where the variable's address is
            // taken and indirect assignments might occur. This is an
            // unsoundness in the analysis.

            let assign = [body, edge];

            // Chain assignments if the RHS has only been assigned once.
            var rhsVariable = variableAssignRhs(edge);
            if (rhsVariable) {
                var rhsAssign = singleAssignment(variableName(rhsVariable));
                if (rhsAssign)
                    assign = rhsAssign;
            }

            if (!(name in assignments))
                assignments[name] = [];
            assignments[name].push(assign);
        } else {
            checkVariableAssignment(entry, location, name);
        }
        return;
      case "Drf":
        var variable = null;
        if (lhs.Exp[0].Kind == "Var") {
            variable = lhs.Exp[0].Variable;
            if (isSafeVariable(entry, variable))
                return;
        } else if (lhs.Exp[0].Kind == "Fld") {
            const {
                Name: [ fieldName ],
                Type: {Kind, Type: fieldType},
                FieldCSU: {Type: {Kind: containerTypeKind,
                                  Name: containerTypeName}}
            } = lhs.Exp[0].Field;
            const [containerExpr] = lhs.Exp[0].Exp;

            if (containerTypeKind == 'CSU' &&
                Kind == 'Pointer' &&
                isEdgeSafeArgument(entry, containerExpr) &&
                isSafeMemberPointer(containerTypeName, fieldName, fieldType))
            {
                return;
            }
        }
        if (fields.length)
            checkFieldWrite(entry, location, fields);
        else
            checkDereferenceWrite(entry, location, variableName(variable));
        return;
      case "Int":
        if (isZero(lhs)) {
            // This shows up under MOZ_ASSERT, to crash the process.
            return;
        }
    }
    dumpError(entry, location, "Unknown assignment " + JSON.stringify(lhs));
}

function get_location(rawLocation) {
    const filename = rawLocation.CacheString.replace(removePrefix, '');
    return addPrefix + filename + "#" + rawLocation.Line;
}

function process(entry, body, addCallee)
{
    if (!("PEdge" in body))
        return;

    // Add any arguments which are safe due to annotations.
    if ("DefineVariable" in body) {
        for (var defvar of body.DefineVariable) {
            var index = safeArgumentIndex(defvar.Variable);
            if (index >= 0) {
                var varName = index ? variableName(defvar.Variable) : "this";
                assert(varName);
                entry.setParameterName(index, varName);
                var csuName = null;
                var type = defvar.Type;
                if (type.Kind == "Pointer" && type.Type.Kind == "CSU")
                    csuName = type.Type.Name;
                if (treatAsSafeArgument(entry, varName, csuName))
                    entry.addSafeArgument(index);
            }
        }
    }

    // Points in the body which are reachable if we are not on the main thread.
    var nonMainThreadPoints = [];
    nonMainThreadPoints[body.Index[0]] = true;

    for (var edge of body.PEdge) {
        // Ignore code that only executes on the main thread.
        if (!(edge.Index[0] in nonMainThreadPoints))
            continue;

        var location = get_location(body.PPoint[edge.Index[0] - 1].Location);

        var callees = getCallees(edge);
        for (var callee of callees) {
            switch (callee.kind) {
            case "direct":
                var safeArguments = getEdgeSafeArguments(entry, edge, callee.name);
                addCallee(new CallSite(callee.name, safeArguments, location, {}));
                break;
              case "resolved-field":
                break;
              case "field":
                var field = callee.csu + "." + callee.field;
                if (callee.isVirtual)
                    checkOverridableVirtualCall(entry, location, field);
                else
                    checkIndirectCall(entry, location, field);
                break;
              case "indirect":
                checkIndirectCall(entry, location, callee.variable);
                break;
              default:
                dumpError(entry, location, "Unknown call " + callee.kind);
                break;
            }
        }

        var fallthrough = true;

        if (edge.Kind == "Assign") {
            assert(edge.Exp.length == 2);
            processAssign(body, entry, location, edge.Exp[0], edge);
        } else if (edge.Kind == "Call") {
            assert(edge.Exp.length <= 2);
            if (edge.Exp.length == 2)
                processAssign(body, entry, location, edge.Exp[1], edge);

            // Treat assertion failures as if they don't return, so that
            // asserting NS_IsMainThread() is sufficient to prevent the
            // analysis from considering a block of code.
            if (isDirectCall(edge, /MOZ_ReportAssertionFailure/))
                fallthrough = false;
        } else if (edge.Kind == "Loop") {
            reachableLoops[edge.BlockId.Loop] = true;
        } else if (edge.Kind == "Assume") {
            if (testFailsOffMainThread(edge.Exp[0], edge.PEdgeAssumeNonZero))
                fallthrough = false;
        }

        if (fallthrough)
            nonMainThreadPoints[edge.Index[1]] = true;
    }
}

function maybeProcessMissingFunction(entry, addCallee)
{
    // If a function is missing it might be because a destructor Foo::~Foo() is
    // being called but GCC only gave us an implementation for
    // Foo::~Foo(int32). See computeCallgraph.js for a little more info.
    var name = entry.name;
    if (name.indexOf("::~") > 0 && name.indexOf("()") > 0) {
        var callee = name.replace("()", "(int32)");
        addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.parameterNames));
        return true;
    }

    // Similarly, a call to a C1 constructor might invoke the C4 constructor. A
    // mangled constructor will be something like _ZN<length><name>C1E... or in
    // the case of a templatized constructor, _ZN<length><name>C1I...EE... so
    // we hack it and look for "C1E" or "C1I" and replace them with their C4
    // variants. This will have rare false matches, but so far we haven't hit
    // any external function calls of that sort.
    if (entry.mangledName().includes("C1E") || entry.mangledName().includes("C1I")) {
        var callee = name.replace("C1E", "C4E").replace("C1I", "C4I");
        addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.parameterNames));
        return true;
    }

    // Hack to manually follow some typedefs that show up on some functions.
    // This is a bug in the sixgill GCC plugin I think, since sixgill is
    // supposed to follow any typedefs itself.
    if (/mozilla::dom::Element/.test(name)) {
        var callee = name.replace("mozilla::dom::Element", "Document::Element");
        addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.parameterNames));
        return true;
    }

    // Hack for contravariant return types. When overriding a virtual method
    // with a method that returns a different return type (a subtype of the
    // original return type), we are getting the right mangled name but the
    // wrong return type in the unmangled name.
    if (/\$nsTextFrame*/.test(name)) {
        var callee = name.replace("nsTextFrame", "nsIFrame");
        addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.parameterNames));
        return true;
    }

    return false;
}

function processRoot(name)
{
    var safeArguments = [];
    var parameterNames = {};
    var worklist = [new WorklistEntry(name, safeArguments, [new CallSite(name, safeArguments, null, parameterNames)], parameterNames)];

    reachable = {};

    while (worklist.length > 0) {
        var entry = worklist.pop();

        // In principle we would be better off doing a meet-over-paths here to get
        // the common subset of arguments which are safe to write through. However,
        // analyzing functions separately for each subset if simpler, ensures that
        // the stack traces we produce accurately characterize the stack arguments,
        // and should be fast enough for now.

        if (entry.mangledName() in reachable)
            continue;
        reachable[entry.mangledName()] = true;

        if (ignoreContents(entry))
            continue;

        var data = xdb.read_entry(entry.name);
        var dataString = data.readString();
        var callees = [];
        if (dataString.length) {
            // Reverse the order of the bodies we process so that we visit the
            // outer function and see its assignments before the inner loops.
            assignments = {};
            reachableLoops = {};
            var bodies = JSON.parse(dataString).reverse();
            for (var body of bodies) {
                if (!body.BlockId.Loop || body.BlockId.Loop in reachableLoops) {
                    currentBody = body;
                    process(entry, body, Array.prototype.push.bind(callees));
                }
            }
        } else {
            if (!maybeProcessMissingFunction(entry, Array.prototype.push.bind(callees)))
                checkExternalFunction(entry);
        }
        xdb.free_string(data);

        for (var callee of callees) {
            if (!ignoreCallEdge(entry, callee.callee)) {
                var nstack = [callee, ...entry.stack];
                worklist.push(new WorklistEntry(callee.callee, callee.safeArguments, nstack, callee.parameterNames));
            }
        }
    }
}

function isEdgeSafeArgument(entry, exp)
{
    var fields;
    [exp, fields] = stripFields(exp);

    if (exp.Kind == "Var" && isLocalVariable(exp.Variable))
        return true;
    if (exp.Kind == "Drf" && exp.Exp[0].Kind == "Var") {
        var variable = exp.Exp[0].Variable;
        return isSafeVariable(entry, variable);
    }
    if (isZero(exp))
        return true;
    return false;
}

function getEdgeSafeArguments(entry, edge, callee)
{
    assert(edge.Kind == "Call");
    var res = [];
    if ("PEdgeCallInstance" in edge) {
        if (isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp))
            res.push(0);
    }
    if ("PEdgeCallArguments" in edge) {
        var args = edge.PEdgeCallArguments.Exp;
        for (var i = 0; i < args.length; i++) {
            if (isEdgeSafeArgument(entry, args[i]))
                res.push(i + 1);
        }
    }
    return res;
}

function singleAssignment(name)
{
    if (name in assignments) {
        var edges = assignments[name];
        if (edges.length == 1)
            return edges[0];
    }
    return null;
}

function expressionValueEdge(exp) {
    if (!(exp.Kind == "Var" && exp.Variable.Kind == "Temp"))
        return null;
    const assign = singleAssignment(variableName(exp.Variable));
    if (!assign)
        return null;
    const [body, edge] = assign;
    return edge;
}

// Examples:
//
//   void foo(type* aSafe) {
//     type* safeBecauseNew = new type(...);
//     type* unsafeBecauseMultipleAssignments = new type(...);
//     if (rand())
//       unsafeBecauseMultipleAssignments = bar();
//     type* safeBecauseSingleAssignmentOfSafe = aSafe;
//   }
//
function isSafeVariable(entry, variable)
{
    var index = safeArgumentIndex(variable);
    if (index >= 0)
        return entry.isSafeArgument(index);

    if (variable.Kind != "Temp" && variable.Kind != "Local")
        return false;
    var name = variableName(variable);

    if (!entry.safeLocals)
        entry.safeLocals = new Map;
    if (entry.safeLocals.has(name))
        return entry.safeLocals.get(name);

    const safe = isSafeLocalVariable(entry, name);
    entry.safeLocals.set(name, safe);
    return safe;
}

function isSafeLocalVariable(entry, name)
{
    // If there is a single place where this variable has been assigned on
    // edges we are considering, look at that edge.
    var assign = singleAssignment(name);
    if (assign) {
        const [body, edge] = assign;

        // Treat temporary pointers to DebugOnly contents as thread local.
        if (isDirectCall(edge, /DebugOnly.*?::operator/))
            return true;

        // Treat heap allocated pointers as thread local during construction.
        // Hopefully the construction code doesn't leak pointers to the object
        // to places where other threads might access it.
        if (isDirectCall(edge, /operator new/) ||
            isDirectCall(edge, /nsCSSValue::Array::Create/))
        {
            return true;
        }

        if ("PEdgeCallInstance" in edge) {
            // References to the contents of an array are threadsafe if the array
            // itself is threadsafe.
            if ((isDirectCall(edge, /operator\[\]/) ||
                 isDirectCall(edge, /nsTArray.*?::InsertElementAt\b/) ||
                 isDirectCall(edge, /nsStyleContent::ContentAt/) ||
                 isDirectCall(edge, /nsTArray_base.*?::GetAutoArrayBuffer\b/)) &&
                isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp))
            {
                return true;
            }

            // Watch for the coerced result of a getter_AddRefs or getter_Copies call.
            if (isDirectCall(edge, /operator /)) {
                var otherEdge = expressionValueEdge(edge.PEdgeCallInstance.Exp);
                if (otherEdge &&
                    isDirectCall(otherEdge, /getter_(?:AddRefs|Copies)/) &&
                    isEdgeSafeArgument(entry, otherEdge.PEdgeCallArguments.Exp[0]))
                {
                    return true;
                }
            }

            // RefPtr::operator->() and operator* transmit the safety of the
            // RefPtr to the return value.
            if (isDirectCall(edge, /RefPtr<.*?>::operator(->|\*)\(\)/) &&
                isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp))
            {
                return true;
            }

            // Placement-new returns a pointer that is as safe as the pointer
            // passed to it. Exp[0] is the size, Exp[1] is the pointer/address.
            // Note that the invocation of the constructor is a separate call,
            // and so need not be considered here.
            if (isDirectCall(edge, /operator new/) &&
                edge.PEdgeCallInstance.Exp.length == 2 &&
                isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp[1]))
            {
                return true;
            }

            // Coercion via AsAString preserves safety.
            if (isDirectCall(edge, /AsAString/) &&
                isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp))
            {
                return true;
            }

            // Special case:
            //
            //   keyframe->mTimingFunction.emplace()
            //   keyframe->mTimingFunction->Init()
            //
            // The object calling Init should be considered safe here because
            // we just emplaced it, though in general keyframe::operator->
            // could do something crazy.
            if (isDirectCall(edge, /operator->/)) do {
                const predges = getPredecessors(body)[edge.Index[0]];
                if (!predges || predges.length != 1)
                    break;
                const predge = predges[0];
                if (!isDirectCall(predge, /\bemplace\b/))
                    break;
                const instance = predge.PEdgeCallInstance;
                if (JSON.stringify(instance) == JSON.stringify(edge.PEdgeCallInstance))
                    return true;
            } while (false);
        }

        if (isSafeAssignment(entry, edge, name))
            return true;

        // Watch out for variables which were assigned arguments.
        var rhsVariable = variableAssignRhs(edge);
        if (rhsVariable)
            return isSafeVariable(entry, rhsVariable);
    }

    // When temporary stack structures are created (either to return or to call
    // methods on without assigning them a name), the generated sixgill JSON is
    // rather strange. The temporary has structure type and is never assigned
    // to, but is dereferenced. GCC is probably not showing us everything it is
    // doing to compile this code. Pattern match for this case here.

    // The variable should have structure type.
    var type = null;
    for (var defvar of currentBody.DefineVariable) {
        if (variableName(defvar.Variable) == name) {
            type = defvar.Type;
            break;
        }
    }
    if (!type || type.Kind != "CSU")
        return false;

    // The variable should not have been written to anywhere up to this point.
    // If it is initialized at this point we should have seen *some* write
    // already, since the CFG edges are visited in reverse post order.
    if (name in assignments)
        return false;

    return true;
}

function isSafeMemberPointer(containerType, memberName, memberType)
{
    // nsTArray owns its header.
    if (containerType.includes("nsTArray_base") && memberName == "mHdr")
        return true;

    if (memberType.Kind != 'Pointer')
        return false;

    // Special-cases go here :)
    return false;
}

// Return whether 'exp == value' holds only when execution is on the main thread.
function testFailsOffMainThread(exp, value) {
    switch (exp.Kind) {
      case "Drf":
        var edge = expressionValueEdge(exp.Exp[0]);
        if (edge) {
            if (isDirectCall(edge, /NS_IsMainThread/) && value)
                return true;
            if (isDirectCall(edge, /IsInServoTraversal/) && !value)
                return true;
            if (isDirectCall(edge, /IsCurrentThreadInServoTraversal/) && !value)
                return true;
            if (isDirectCall(edge, /__builtin_expect/))
                return testFailsOffMainThread(edge.PEdgeCallArguments.Exp[0], value);
            if (edge.Kind == "Assign")
                return testFailsOffMainThread(edge.Exp[1], value);
        }
        break;
      case "Unop":
        if (exp.OpCode == "LogicalNot")
            return testFailsOffMainThread(exp.Exp[0], !value);
        break;
      case "Binop":
        if (exp.OpCode == "NotEqual" || exp.OpCode == "Equal") {
            var cmpExp = isZero(exp.Exp[0])
                ? exp.Exp[1]
                : (isZero(exp.Exp[1]) ? exp.Exp[0] : null);
            if (cmpExp)
                return testFailsOffMainThread(cmpExp, exp.OpCode == "NotEqual" ? value : !value);
        }
        break;
      case "Int":
        if (exp.String == "0" && value)
            return true;
        if (exp.String == "1" && !value)
            return true;
        break;
    }
    return false;
}