1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "vm/PromiseLookup.h"
#include "mozilla/Assertions.h" // MOZ_ASSERT
#include "jspubtd.h" // JSProto_*
#include "builtin/Promise.h" // js::Promise_then, js::Promise_static_resolve, js::Promise_static_species
#include "js/HeapAPI.h" // js::gc::IsInsideNursery
#include "js/Id.h" // SYMBOL_TO_JSID
#include "js/Value.h" // JS::Value, JS::ObjectValue
#include "util/Poison.h" // js::AlwaysPoison, JS_RESET_VALUE_PATTERN, MemCheckKind
#include "vm/GlobalObject.h" // js::GlobalObject
#include "vm/JSContext.h" // JSContext
#include "vm/JSFunction.h" // JSFunction
#include "vm/JSObject.h" // JSObject
#include "vm/NativeObject.h" // js::NativeObject
#include "vm/Runtime.h" // js::WellKnownSymbols
#include "vm/Shape.h" // js::Shape
#include "vm/JSObject-inl.h" // js::IsFunctionObject, js::IsNativeFunction
using JS::ObjectValue;
using JS::Value;
using js::NativeObject;
JSFunction* js::PromiseLookup::getPromiseConstructor(JSContext* cx) {
JSObject* obj = cx->global()->maybeGetConstructor(JSProto_Promise);
return obj ? &obj->as<JSFunction>() : nullptr;
}
NativeObject* js::PromiseLookup::getPromisePrototype(JSContext* cx) {
JSObject* obj = cx->global()->maybeGetPrototype(JSProto_Promise);
return obj ? &obj->as<NativeObject>() : nullptr;
}
bool js::PromiseLookup::isDataPropertyNative(JSContext* cx, NativeObject* obj,
uint32_t slot, JSNative native) {
JSFunction* fun;
if (!IsFunctionObject(obj->getSlot(slot), &fun)) {
return false;
}
return fun->maybeNative() == native && fun->realm() == cx->realm();
}
bool js::PromiseLookup::isAccessorPropertyNative(JSContext* cx,
NativeObject* holder,
uint32_t getterSlot,
JSNative native) {
JSObject* getter = holder->getGetter(getterSlot);
return getter && IsNativeFunction(getter, native) &&
getter->as<JSFunction>().realm() == cx->realm();
}
void js::PromiseLookup::initialize(JSContext* cx) {
MOZ_ASSERT(state_ == State::Uninitialized);
// Get the canonical Promise.prototype.
NativeObject* promiseProto = getPromisePrototype(cx);
// Check condition 1:
// Leave the cache uninitialized if the Promise class itself is not yet
// initialized.
if (!promiseProto) {
return;
}
// Get the canonical Promise constructor.
JSFunction* promiseCtor = getPromiseConstructor(cx);
MOZ_ASSERT(promiseCtor,
"The Promise constructor is initialized iff Promise.prototype is "
"initialized");
// Shortcut returns below means Promise[@@species] will never be
// optimizable, set to disabled now, and clear it later when we succeed.
state_ = State::Disabled;
// Check condition 2:
// Look up Promise.prototype.constructor and ensure it's a data property.
mozilla::Maybe<PropertyInfo> ctorProp =
promiseProto->lookup(cx, cx->names().constructor);
if (ctorProp.isNothing() || !ctorProp->isDataProperty()) {
return;
}
// Get the referred value, and ensure it holds the canonical Promise
// constructor.
JSFunction* ctorFun;
if (!IsFunctionObject(promiseProto->getSlot(ctorProp->slot()), &ctorFun)) {
return;
}
if (ctorFun != promiseCtor) {
return;
}
// Check condition 3:
// Look up Promise.prototype.then and ensure it's a data property.
mozilla::Maybe<PropertyInfo> thenProp =
promiseProto->lookup(cx, cx->names().then);
if (thenProp.isNothing() || !thenProp->isDataProperty()) {
return;
}
// Get the referred value, and ensure it holds the canonical "then"
// function.
if (!isDataPropertyNative(cx, promiseProto, thenProp->slot(), Promise_then)) {
return;
}
// Check condition 4:
// Look up the '@@species' value on Promise.
mozilla::Maybe<PropertyInfo> speciesProp = promiseCtor->lookup(
cx, PropertyKey::Symbol(cx->wellKnownSymbols().species));
if (speciesProp.isNothing() || !promiseCtor->hasGetter(*speciesProp)) {
return;
}
// Get the referred value, ensure it holds the canonical Promise[@@species]
// function.
uint32_t speciesGetterSlot = speciesProp->slot();
if (!isAccessorPropertyNative(cx, promiseCtor, speciesGetterSlot,
Promise_static_species)) {
return;
}
// Check condition 5:
// Look up Promise.resolve and ensure it's a data property.
mozilla::Maybe<PropertyInfo> resolveProp =
promiseCtor->lookup(cx, cx->names().resolve);
if (resolveProp.isNothing() || !resolveProp->isDataProperty()) {
return;
}
// Get the referred value, and ensure it holds the canonical "resolve"
// function.
if (!isDataPropertyNative(cx, promiseCtor, resolveProp->slot(),
Promise_static_resolve)) {
return;
}
// Store raw pointers below. This is okay to do here, because all objects
// are in the tenured heap.
MOZ_ASSERT(!gc::IsInsideNursery(promiseCtor->shape()));
MOZ_ASSERT(!gc::IsInsideNursery(promiseProto->shape()));
state_ = State::Initialized;
promiseConstructorShape_ = promiseCtor->shape();
promiseProtoShape_ = promiseProto->shape();
promiseSpeciesGetterSlot_ = speciesGetterSlot;
promiseResolveSlot_ = resolveProp->slot();
promiseProtoConstructorSlot_ = ctorProp->slot();
promiseProtoThenSlot_ = thenProp->slot();
}
void js::PromiseLookup::reset() {
AlwaysPoison(this, JS_RESET_VALUE_PATTERN, sizeof(*this),
MemCheckKind::MakeUndefined);
state_ = State::Uninitialized;
}
bool js::PromiseLookup::isPromiseStateStillSane(JSContext* cx) {
MOZ_ASSERT(state_ == State::Initialized);
NativeObject* promiseProto = getPromisePrototype(cx);
MOZ_ASSERT(promiseProto);
NativeObject* promiseCtor = getPromiseConstructor(cx);
MOZ_ASSERT(promiseCtor);
// Ensure that Promise.prototype still has the expected shape.
if (promiseProto->shape() != promiseProtoShape_) {
return false;
}
// Ensure that Promise still has the expected shape.
if (promiseCtor->shape() != promiseConstructorShape_) {
return false;
}
// Ensure that Promise.prototype.constructor is the canonical constructor.
if (promiseProto->getSlot(promiseProtoConstructorSlot_) !=
ObjectValue(*promiseCtor)) {
return false;
}
// Ensure that Promise.prototype.then is the canonical "then" function.
if (!isDataPropertyNative(cx, promiseProto, promiseProtoThenSlot_,
Promise_then)) {
return false;
}
// Ensure the species getter contains the canonical @@species function.
if (!isAccessorPropertyNative(cx, promiseCtor, promiseSpeciesGetterSlot_,
Promise_static_species)) {
return false;
}
// Ensure that Promise.resolve is the canonical "resolve" function.
if (!isDataPropertyNative(cx, promiseCtor, promiseResolveSlot_,
Promise_static_resolve)) {
return false;
}
return true;
}
bool js::PromiseLookup::ensureInitialized(JSContext* cx,
Reinitialize reinitialize) {
if (state_ == State::Uninitialized) {
// If the cache is not initialized, initialize it.
initialize(cx);
} else if (state_ == State::Initialized) {
if (reinitialize == Reinitialize::Allowed) {
if (!isPromiseStateStillSane(cx)) {
// If the promise state is no longer sane, reinitialize.
reset();
initialize(cx);
}
} else {
// When we're not allowed to reinitialize, the promise state must
// still be sane if the cache is already initialized.
MOZ_ASSERT(isPromiseStateStillSane(cx));
}
}
// If the cache is disabled or still uninitialized, don't bother trying to
// optimize.
if (state_ != State::Initialized) {
return false;
}
// By the time we get here, we should have a sane promise state.
MOZ_ASSERT(isPromiseStateStillSane(cx));
return true;
}
bool js::PromiseLookup::isDefaultPromiseState(JSContext* cx) {
// Promise and Promise.prototype are in their default states iff the
// lookup cache was successfully initialized.
return ensureInitialized(cx, Reinitialize::Allowed);
}
bool js::PromiseLookup::hasDefaultProtoAndNoShadowedProperties(
JSContext* cx, PromiseObject* promise) {
// Ensure |promise|'s prototype is the actual Promise.prototype.
if (promise->staticPrototype() != getPromisePrototype(cx)) {
return false;
}
// Ensure |promise| doesn't define any own properties. This serves as a
// quick check to make sure |promise| doesn't define an own "constructor"
// or "then" property which may shadow Promise.prototype.constructor or
// Promise.prototype.then.
return promise->empty();
}
bool js::PromiseLookup::isDefaultInstance(JSContext* cx, PromiseObject* promise,
Reinitialize reinitialize) {
// Promise and Promise.prototype must be in their default states.
if (!ensureInitialized(cx, reinitialize)) {
return false;
}
// The object uses the default properties from Promise.prototype.
return hasDefaultProtoAndNoShadowedProperties(cx, promise);
}
|
