summaryrefslogtreecommitdiffstats
path: root/js/src/builtin/TestingFunctions.cpp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 17:32:43 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 17:32:43 +0000
commit6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch)
treea68f146d7fa01f0134297619fbe7e33db084e0aa /js/src/builtin/TestingFunctions.cpp
parentInitial commit. (diff)
downloadthunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.tar.xz
thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.zip
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/builtin/TestingFunctions.cpp')
-rw-r--r--js/src/builtin/TestingFunctions.cpp9817
1 files changed, 9817 insertions, 0 deletions
diff --git a/js/src/builtin/TestingFunctions.cpp b/js/src/builtin/TestingFunctions.cpp
new file mode 100644
index 0000000000..d9034c886d
--- /dev/null
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -0,0 +1,9817 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * vim: set ts=8 sts=2 et sw=2 tw=80:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "builtin/TestingFunctions.h"
+
+#include "mozilla/Atomics.h"
+#include "mozilla/Casting.h"
+#include "mozilla/FloatingPoint.h"
+#ifdef JS_HAS_INTL_API
+# include "mozilla/intl/ICU4CLibrary.h"
+# include "mozilla/intl/Locale.h"
+# include "mozilla/intl/String.h"
+# include "mozilla/intl/TimeZone.h"
+#endif
+#include "mozilla/Maybe.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/Span.h"
+#include "mozilla/Sprintf.h"
+#include "mozilla/TextUtils.h"
+#include "mozilla/ThreadLocal.h"
+
+#include <algorithm>
+#include <cfloat>
+#include <cinttypes>
+#include <cmath>
+#include <cstdlib>
+#include <ctime>
+#include <functional>
+#include <initializer_list>
+#include <iterator>
+#include <utility>
+
+#if defined(XP_UNIX) && !defined(XP_DARWIN)
+# include <time.h>
+#else
+# include <chrono>
+#endif
+
+#include "fdlibm.h"
+#include "jsapi.h"
+#include "jsfriendapi.h"
+
+#ifdef JS_HAS_INTL_API
+# include "builtin/intl/CommonFunctions.h"
+# include "builtin/intl/FormatBuffer.h"
+# include "builtin/intl/SharedIntlData.h"
+#endif
+#include "builtin/BigInt.h"
+#include "builtin/MapObject.h"
+#include "builtin/Promise.h"
+#include "builtin/TestingUtility.h" // js::ParseCompileOptions, js::ParseDebugMetadata
+#include "frontend/BytecodeCompilation.h" // frontend::CompileGlobalScriptToExtensibleStencil, frontend::DelazifyCanonicalScriptedFunction
+#include "frontend/BytecodeCompiler.h" // frontend::ParseModuleToExtensibleStencil
+#include "frontend/CompilationStencil.h" // frontend::CompilationStencil
+#include "frontend/FrontendContext.h" // AutoReportFrontendContext
+#include "gc/Allocator.h"
+#include "gc/GC.h"
+#include "gc/GCLock.h"
+#include "gc/Zone.h"
+#include "jit/BaselineJIT.h"
+#include "jit/Disassemble.h"
+#include "jit/InlinableNatives.h"
+#include "jit/Invalidation.h"
+#include "jit/Ion.h"
+#include "jit/JitOptions.h"
+#include "jit/JitRuntime.h"
+#include "jit/TrialInlining.h"
+#include "js/Array.h" // JS::NewArrayObject
+#include "js/ArrayBuffer.h" // JS::{DetachArrayBuffer,GetArrayBufferLengthAndData,NewArrayBufferWithContents}
+#include "js/CallAndConstruct.h" // JS::Call, JS::IsCallable, JS::IsConstructor, JS_CallFunction
+#include "js/CharacterEncoding.h"
+#include "js/CompilationAndEvaluation.h"
+#include "js/CompileOptions.h"
+#include "js/Date.h"
+#include "js/experimental/CodeCoverage.h" // js::GetCodeCoverageSummary
+#include "js/experimental/CompileScript.h" // JS::ParseGlobalScript, JS::PrepareForInstantiate
+#include "js/experimental/JSStencil.h" // JS::Stencil
+#include "js/experimental/PCCountProfiling.h" // JS::{Start,Stop}PCCountProfiling, JS::PurgePCCounts, JS::GetPCCountScript{Count,Summary,Contents}
+#include "js/experimental/TypedData.h" // JS_GetObjectAsUint8Array
+#include "js/friend/DumpFunctions.h" // js::Dump{Backtrace,Heap,Object}, JS::FormatStackDump, js::IgnoreNurseryObjects
+#include "js/friend/ErrorMessages.h" // js::GetErrorMessage, JSMSG_*
+#include "js/friend/WindowProxy.h" // js::ToWindowProxyIfWindow
+#include "js/GlobalObject.h"
+#include "js/HashTable.h"
+#include "js/Interrupt.h"
+#include "js/LocaleSensitive.h"
+#include "js/Printf.h"
+#include "js/PropertyAndElement.h" // JS_DefineProperties, JS_DefineProperty, JS_DefinePropertyById, JS_Enumerate, JS_GetProperty, JS_GetPropertyById, JS_HasProperty, JS_SetElement, JS_SetProperty
+#include "js/PropertySpec.h"
+#include "js/SourceText.h"
+#include "js/StableStringChars.h"
+#include "js/Stack.h"
+#include "js/String.h" // JS::GetLinearStringLength, JS::StringToLinearString
+#include "js/StructuredClone.h"
+#include "js/UbiNode.h"
+#include "js/UbiNodeBreadthFirst.h"
+#include "js/UbiNodeShortestPaths.h"
+#include "js/UniquePtr.h"
+#include "js/Vector.h"
+#include "js/Wrapper.h"
+#include "threading/CpuCount.h"
+#include "util/DifferentialTesting.h"
+#include "util/StringBuffer.h"
+#include "util/Text.h"
+#include "vm/BooleanObject.h"
+#include "vm/DateObject.h"
+#include "vm/DateTime.h"
+#include "vm/ErrorObject.h"
+#include "vm/GlobalObject.h"
+#include "vm/HelperThreads.h"
+#include "vm/HelperThreadState.h"
+#include "vm/Interpreter.h"
+#include "vm/JSContext.h"
+#include "vm/JSObject.h"
+#include "vm/NumberObject.h"
+#include "vm/PlainObject.h" // js::PlainObject
+#include "vm/PromiseObject.h" // js::PromiseObject, js::PromiseSlot_*
+#include "vm/ProxyObject.h"
+#include "vm/SavedStacks.h"
+#include "vm/ScopeKind.h"
+#include "vm/Stack.h"
+#include "vm/StencilObject.h" // StencilObject, StencilXDRBufferObject
+#include "vm/StringObject.h"
+#include "vm/StringType.h"
+#include "wasm/AsmJS.h"
+#include "wasm/WasmBaselineCompile.h"
+#include "wasm/WasmInstance.h"
+#include "wasm/WasmIntrinsic.h"
+#include "wasm/WasmIonCompile.h"
+#include "wasm/WasmJS.h"
+#include "wasm/WasmModule.h"
+#include "wasm/WasmValType.h"
+#include "wasm/WasmValue.h"
+
+#include "debugger/DebugAPI-inl.h"
+#include "vm/Compartment-inl.h"
+#include "vm/EnvironmentObject-inl.h"
+#include "vm/JSContext-inl.h"
+#include "vm/JSObject-inl.h"
+#include "vm/NativeObject-inl.h"
+#include "vm/ObjectFlags-inl.h"
+#include "vm/StringType-inl.h"
+#include "wasm/WasmInstance-inl.h"
+
+using namespace js;
+
+using mozilla::AssertedCast;
+using mozilla::AsWritableChars;
+using mozilla::Maybe;
+using mozilla::Span;
+
+using JS::AutoStableStringChars;
+using JS::CompileOptions;
+using JS::SourceOwnership;
+using JS::SourceText;
+
+// If fuzzingSafe is set, remove functionality that could cause problems with
+// fuzzers. Set this via the environment variable MOZ_FUZZING_SAFE.
+mozilla::Atomic<bool> js::fuzzingSafe(false);
+
+// If disableOOMFunctions is set, disable functionality that causes artificial
+// OOM conditions.
+static mozilla::Atomic<bool> disableOOMFunctions(false);
+
+static bool EnvVarIsDefined(const char* name) {
+ const char* value = getenv(name);
+ return value && *value;
+}
+
+#if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
+static bool EnvVarAsInt(const char* name, int* valueOut) {
+ if (!EnvVarIsDefined(name)) {
+ return false;
+ }
+
+ *valueOut = atoi(getenv(name));
+ return true;
+}
+#endif
+
+static bool GetRealmConfiguration(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject info(cx, JS_NewPlainObject(cx));
+ if (!info) {
+ return false;
+ }
+
+ bool importAssertions = cx->options().importAssertions();
+ if (!JS_SetProperty(cx, info, "importAssertions",
+ importAssertions ? TrueHandleValue : FalseHandleValue)) {
+ return false;
+ }
+
+#ifdef NIGHTLY_BUILD
+ bool arrayGrouping = cx->realm()->creationOptions().getArrayGroupingEnabled();
+ if (!JS_SetProperty(cx, info, "enableArrayGrouping",
+ arrayGrouping ? TrueHandleValue : FalseHandleValue)) {
+ return false;
+ }
+#endif
+
+ bool changeArrayByCopy =
+ cx->realm()->creationOptions().getChangeArrayByCopyEnabled();
+ if (!JS_SetProperty(cx, info, "enableChangeArrayByCopy",
+ changeArrayByCopy ? TrueHandleValue : FalseHandleValue)) {
+ return false;
+ }
+
+#ifdef ENABLE_NEW_SET_METHODS
+ bool newSetMethods = cx->realm()->creationOptions().getNewSetMethodsEnabled();
+ if (!JS_SetProperty(cx, info, "enableNewSetMethods",
+ newSetMethods ? TrueHandleValue : FalseHandleValue)) {
+ return false;
+ }
+#endif
+
+ args.rval().setObject(*info);
+ return true;
+}
+
+static bool GetBuildConfiguration(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject info(cx, JS_NewPlainObject(cx));
+ if (!info) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "rooting-analysis", FalseHandleValue)) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "exact-rooting", TrueHandleValue)) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "trace-jscalls-api", FalseHandleValue)) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "incremental-gc", TrueHandleValue)) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "generational-gc", TrueHandleValue)) {
+ return false;
+ }
+
+ if (!JS_SetProperty(cx, info, "oom-backtraces", FalseHandleValue)) {
+ return false;
+ }
+
+ RootedValue value(cx);
+#ifdef DEBUG
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "debug", value)) {
+ return false;
+ }
+
+#ifdef RELEASE_OR_BETA
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "release_or_beta", value)) {
+ return false;
+ }
+
+#ifdef EARLY_BETA_OR_EARLIER
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "early_beta_or_earlier", value)) {
+ return false;
+ }
+
+#ifdef MOZ_CODE_COVERAGE
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "coverage", value)) {
+ return false;
+ }
+
+#ifdef JS_HAS_CTYPES
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "has-ctypes", value)) {
+ return false;
+ }
+
+#if defined(_M_IX86) || defined(__i386__)
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "x86", value)) {
+ return false;
+ }
+
+#if defined(_M_X64) || defined(__x86_64__)
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "x64", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_ARM
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "arm", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_ARM
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "arm-simulator", value)) {
+ return false;
+ }
+
+#ifdef ANDROID
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "android", value)) {
+ return false;
+ }
+
+#ifdef XP_WIN
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "windows", value)) {
+ return false;
+ }
+
+#ifdef XP_MACOSX
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "osx", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_ARM64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "arm64", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_ARM64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "arm64-simulator", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_MIPS32
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "mips32", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_MIPS64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "mips64", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_MIPS32
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "mips32-simulator", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_MIPS64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "mips64-simulator", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "simulator", value)) {
+ return false;
+ }
+
+#ifdef __wasi__
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "wasi", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_LOONG64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "loong64", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_LOONG64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "loong64-simulator", value)) {
+ return false;
+ }
+
+#ifdef JS_CODEGEN_RISCV64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "riscv64", value)) {
+ return false;
+ }
+
+#ifdef JS_SIMULATOR_RISCV64
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "riscv64-simulator", value)) {
+ return false;
+ }
+
+#ifdef MOZ_ASAN
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "asan", value)) {
+ return false;
+ }
+
+#ifdef MOZ_TSAN
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "tsan", value)) {
+ return false;
+ }
+
+#ifdef MOZ_UBSAN
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "ubsan", value)) {
+ return false;
+ }
+
+#ifdef JS_GC_ZEAL
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "has-gczeal", value)) {
+ return false;
+ }
+
+#ifdef MOZ_PROFILING
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "profiling", value)) {
+ return false;
+ }
+
+#ifdef INCLUDE_MOZILLA_DTRACE
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "dtrace", value)) {
+ return false;
+ }
+
+#ifdef MOZ_VALGRIND
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "valgrind", value)) {
+ return false;
+ }
+
+#ifdef JS_HAS_INTL_API
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "intl-api", value)) {
+ return false;
+ }
+
+#if defined(SOLARIS)
+ value = BooleanValue(false);
+#else
+ value = BooleanValue(true);
+#endif
+ if (!JS_SetProperty(cx, info, "mapped-array-buffer", value)) {
+ return false;
+ }
+
+#ifdef MOZ_MEMORY
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "moz-memory", value)) {
+ return false;
+ }
+
+ value.setInt32(sizeof(void*));
+ if (!JS_SetProperty(cx, info, "pointer-byte-size", value)) {
+ return false;
+ }
+
+#ifdef ENABLE_NEW_SET_METHODS
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "new-set-methods", value)) {
+ return false;
+ }
+
+#ifdef ENABLE_DECORATORS
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "decorators", value)) {
+ return false;
+ }
+
+#ifdef FUZZING
+ value = BooleanValue(true);
+#else
+ value = BooleanValue(false);
+#endif
+ if (!JS_SetProperty(cx, info, "fuzzing-defined", value)) {
+ return false;
+ }
+
+ args.rval().setObject(*info);
+ return true;
+}
+
+static bool IsLCovEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(coverage::IsLCovEnabled());
+ return true;
+}
+
+static bool TrialInline(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setUndefined();
+
+ FrameIter iter(cx);
+ if (iter.done() || !iter.isBaseline() || iter.realm() != cx->realm()) {
+ return true;
+ }
+
+ jit::BaselineFrame* frame = iter.abstractFramePtr().asBaselineFrame();
+ if (!jit::CanIonCompileScript(cx, frame->script())) {
+ return true;
+ }
+
+ return jit::DoTrialInlining(cx, frame);
+}
+
+static bool ReturnStringCopy(JSContext* cx, CallArgs& args,
+ const char* message) {
+ JSString* str = JS_NewStringCopyZ(cx, message);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+static bool MaybeGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ JS_MaybeGC(cx);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ /*
+ * If the first argument is 'zone', we collect any zones previously
+ * scheduled for GC via schedulegc. If the first argument is an object, we
+ * collect the object's zone (and any other zones scheduled for
+ * GC). Otherwise, we collect all zones.
+ */
+ bool zone = false;
+ if (args.length() >= 1) {
+ Value arg = args[0];
+ if (arg.isString()) {
+ if (!JS_StringEqualsLiteral(cx, arg.toString(), "zone", &zone)) {
+ return false;
+ }
+ } else if (arg.isObject()) {
+ PrepareZoneForGC(cx, UncheckedUnwrap(&arg.toObject())->zone());
+ zone = true;
+ }
+ }
+
+ JS::GCOptions options = JS::GCOptions::Normal;
+ JS::GCReason reason = JS::GCReason::API;
+ if (args.length() >= 2) {
+ Value arg = args[1];
+ if (arg.isString()) {
+ bool shrinking = false;
+ bool last_ditch = false;
+ if (!JS_StringEqualsLiteral(cx, arg.toString(), "shrinking",
+ &shrinking)) {
+ return false;
+ }
+ if (!JS_StringEqualsLiteral(cx, arg.toString(), "last-ditch",
+ &last_ditch)) {
+ return false;
+ }
+ if (shrinking) {
+ options = JS::GCOptions::Shrink;
+ } else if (last_ditch) {
+ options = JS::GCOptions::Shrink;
+ reason = JS::GCReason::LAST_DITCH;
+ }
+ }
+ }
+
+ size_t preBytes = cx->runtime()->gc.heapSize.bytes();
+
+ if (zone) {
+ PrepareForDebugGC(cx->runtime());
+ } else {
+ JS::PrepareForFullGC(cx);
+ }
+
+ JS::NonIncrementalGC(cx, options, reason);
+
+ char buf[256] = {'\0'};
+ if (!js::SupportDifferentialTesting()) {
+ SprintfLiteral(buf, "before %zu, after %zu\n", preBytes,
+ cx->runtime()->gc.heapSize.bytes());
+ }
+ return ReturnStringCopy(cx, args, buf);
+}
+
+static bool MinorGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.get(0) == BooleanValue(true)) {
+ cx->runtime()->gc.storeBuffer().setAboutToOverflow(
+ JS::GCReason::FULL_GENERIC_BUFFER);
+ }
+
+ cx->minorGC(JS::GCReason::API);
+ args.rval().setUndefined();
+ return true;
+}
+
+#define PARAM_NAME_LIST_ENTRY(name, key, writable) " " name
+#define GC_PARAMETER_ARGS_LIST FOR_EACH_GC_PARAM(PARAM_NAME_LIST_ENTRY)
+
+static bool GCParameter(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JSString* str = ToString(cx, args.get(0));
+ if (!str) {
+ return false;
+ }
+
+ UniqueChars name = EncodeLatin1(cx, str);
+ if (!name) {
+ return false;
+ }
+
+ JSGCParamKey param;
+ bool writable;
+ if (!GetGCParameterInfo(name.get(), &param, &writable)) {
+ JS_ReportErrorASCII(
+ cx, "the first argument must be one of:" GC_PARAMETER_ARGS_LIST);
+ return false;
+ }
+
+ // Request mode.
+ if (args.length() == 1) {
+ uint32_t value = JS_GetGCParameter(cx, param);
+ args.rval().setNumber(value);
+ return true;
+ }
+
+ if (!writable) {
+ JS_ReportErrorASCII(cx, "Attempt to change read-only parameter %s",
+ name.get());
+ return false;
+ }
+
+ if (disableOOMFunctions) {
+ switch (param) {
+ case JSGC_MAX_BYTES:
+ case JSGC_MAX_NURSERY_BYTES:
+ args.rval().setUndefined();
+ return true;
+ default:
+ break;
+ }
+ }
+
+ double d;
+ if (!ToNumber(cx, args[1], &d)) {
+ return false;
+ }
+
+ if (d < 0 || d > UINT32_MAX) {
+ JS_ReportErrorASCII(cx, "Parameter value out of range");
+ return false;
+ }
+
+ uint32_t value = floor(d);
+ bool ok = cx->runtime()->gc.setParameter(cx, param, value);
+ if (!ok) {
+ JS_ReportErrorASCII(cx, "Parameter value out of range");
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool RelazifyFunctions(JSContext* cx, unsigned argc, Value* vp) {
+ // Relazifying functions on GC is usually only done for compartments that are
+ // not active. To aid fuzzing, this testing function allows us to relazify
+ // even if the compartment is active.
+
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ // Disable relazification of all scripts on stack. It is a pervasive
+ // assumption in the engine that running scripts still have bytecode.
+ for (AllScriptFramesIter i(cx); !i.done(); ++i) {
+ i.script()->clearAllowRelazify();
+ }
+
+ cx->runtime()->allowRelazificationForTesting = true;
+
+ JS::PrepareForFullGC(cx);
+ JS::NonIncrementalGC(cx, JS::GCOptions::Shrink, JS::GCReason::API);
+
+ cx->runtime()->allowRelazificationForTesting = false;
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool IsProxy(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "the function takes exactly one argument");
+ return false;
+ }
+ if (!args[0].isObject()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+ args.rval().setBoolean(args[0].toObject().is<ProxyObject>());
+ return true;
+}
+
+static bool WasmIsSupported(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::HasSupport(cx) &&
+ wasm::AnyCompilerAvailable(cx));
+ return true;
+}
+
+static bool WasmIsSupportedByHardware(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::HasPlatformSupport(cx));
+ return true;
+}
+
+static bool WasmDebuggingEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::HasSupport(cx) && wasm::BaselineAvailable(cx));
+ return true;
+}
+
+static bool WasmStreamingEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::StreamingCompilationAvailable(cx));
+ return true;
+}
+
+static bool WasmCachingEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::CodeCachingAvailable(cx));
+ return true;
+}
+
+static bool WasmHugeMemorySupported(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+#ifdef WASM_SUPPORTS_HUGE_MEMORY
+ args.rval().setBoolean(true);
+#else
+ args.rval().setBoolean(false);
+#endif
+ return true;
+}
+
+static bool WasmMaxMemoryPages(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() < 1) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+ if (!args.get(0).isString()) {
+ JS_ReportErrorASCII(cx, "index type must be a string");
+ return false;
+ }
+ RootedString s(cx, args.get(0).toString());
+ Rooted<JSLinearString*> ls(cx, s->ensureLinear(cx));
+ if (!ls) {
+ return false;
+ }
+ if (StringEqualsLiteral(ls, "i32")) {
+ args.rval().setInt32(
+ int32_t(wasm::MaxMemoryPages(wasm::IndexType::I32).value()));
+ return true;
+ }
+ if (StringEqualsLiteral(ls, "i64")) {
+#ifdef ENABLE_WASM_MEMORY64
+ if (wasm::Memory64Available(cx)) {
+ args.rval().setInt32(
+ int32_t(wasm::MaxMemoryPages(wasm::IndexType::I64).value()));
+ return true;
+ }
+#endif
+ JS_ReportErrorASCII(cx, "memory64 not enabled");
+ return false;
+ }
+ JS_ReportErrorASCII(cx, "bad index type");
+ return false;
+}
+
+static bool WasmThreadsEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::ThreadsAvailable(cx));
+ return true;
+}
+
+#define WASM_FEATURE(NAME, ...) \
+ static bool Wasm##NAME##Enabled(JSContext* cx, unsigned argc, Value* vp) { \
+ CallArgs args = CallArgsFromVp(argc, vp); \
+ args.rval().setBoolean(wasm::NAME##Available(cx)); \
+ return true; \
+ }
+JS_FOR_WASM_FEATURES(WASM_FEATURE, WASM_FEATURE, WASM_FEATURE);
+#undef WASM_FEATURE
+
+static bool WasmSimdEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(wasm::SimdAvailable(cx));
+ return true;
+}
+
+static bool WasmCompilersPresent(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ char buf[256];
+ *buf = 0;
+ if (wasm::BaselinePlatformSupport()) {
+ strcat(buf, "baseline");
+ }
+ if (wasm::IonPlatformSupport()) {
+ if (*buf) {
+ strcat(buf, ",");
+ }
+ strcat(buf, "ion");
+ }
+
+ JSString* result = JS_NewStringCopyZ(cx, buf);
+ if (!result) {
+ return false;
+ }
+
+ args.rval().setString(result);
+ return true;
+}
+
+static bool WasmCompileMode(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ // This triplet of predicates will select zero or one baseline compiler and
+ // zero or one optimizing compiler.
+ bool baseline = wasm::BaselineAvailable(cx);
+ bool ion = wasm::IonAvailable(cx);
+ bool none = !baseline && !ion;
+ bool tiered = baseline && ion;
+
+ JSStringBuilder result(cx);
+ if (none && !result.append("none")) {
+ return false;
+ }
+ if (baseline && !result.append("baseline")) {
+ return false;
+ }
+ if (tiered && !result.append("+")) {
+ return false;
+ }
+ if (ion && !result.append("ion")) {
+ return false;
+ }
+ if (JSString* str = result.finishString()) {
+ args.rval().setString(str);
+ return true;
+ }
+ return false;
+}
+
+static bool WasmBaselineDisabledByFeatures(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ bool isDisabled = false;
+ JSStringBuilder reason(cx);
+ if (!wasm::BaselineDisabledByFeatures(cx, &isDisabled, &reason)) {
+ return false;
+ }
+ if (isDisabled) {
+ JSString* result = reason.finishString();
+ if (!result) {
+ return false;
+ }
+ args.rval().setString(result);
+ } else {
+ args.rval().setBoolean(false);
+ }
+ return true;
+}
+
+static bool WasmIonDisabledByFeatures(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ bool isDisabled = false;
+ JSStringBuilder reason(cx);
+ if (!wasm::IonDisabledByFeatures(cx, &isDisabled, &reason)) {
+ return false;
+ }
+ if (isDisabled) {
+ JSString* result = reason.finishString();
+ if (!result) {
+ return false;
+ }
+ args.rval().setString(result);
+ } else {
+ args.rval().setBoolean(false);
+ }
+ return true;
+}
+
+#ifdef ENABLE_WASM_SIMD
+# ifdef DEBUG
+static char lastAnalysisResult[1024];
+
+namespace js {
+namespace wasm {
+void ReportSimdAnalysis(const char* data) {
+ strncpy(lastAnalysisResult, data, sizeof(lastAnalysisResult));
+ lastAnalysisResult[sizeof(lastAnalysisResult) - 1] = 0;
+}
+} // namespace wasm
+} // namespace js
+
+// Unstable API for white-box testing of SIMD optimizations.
+//
+// Current API: takes no arguments, returns a string describing the last Simd
+// simplification applied.
+
+static bool WasmSimdAnalysis(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ JSString* result =
+ JS_NewStringCopyZ(cx, *lastAnalysisResult ? lastAnalysisResult : "none");
+ if (!result) {
+ return false;
+ }
+ args.rval().setString(result);
+ *lastAnalysisResult = (char)0;
+ return true;
+}
+# endif
+#endif
+
+static bool WasmGlobalFromArrayBuffer(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 2) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+
+ // Get the type of the value
+ wasm::ValType valType;
+ if (!wasm::ToValType(cx, args.get(0), &valType)) {
+ return false;
+ }
+
+ // Get the array buffer for the value
+ if (!args.get(1).isObject() ||
+ !args.get(1).toObject().is<ArrayBufferObject>()) {
+ JS_ReportErrorASCII(cx, "argument is not an array buffer");
+ return false;
+ }
+ RootedArrayBufferObject buffer(
+ cx, &args.get(1).toObject().as<ArrayBufferObject>());
+
+ // Only allow POD to be created from bytes
+ switch (valType.kind()) {
+ case wasm::ValType::I32:
+ case wasm::ValType::I64:
+ case wasm::ValType::F32:
+ case wasm::ValType::F64:
+ case wasm::ValType::V128:
+ break;
+ default:
+ JS_ReportErrorASCII(
+ cx, "invalid valtype for creating WebAssembly.Global from bytes");
+ return false;
+ }
+
+ // Check we have all the bytes we need
+ if (valType.size() != buffer->byteLength()) {
+ JS_ReportErrorASCII(cx, "array buffer has incorrect size");
+ return false;
+ }
+
+ // Copy the bytes from buffer into a tagged val
+ wasm::RootedVal val(cx);
+ val.get().initFromRootedLocation(valType, buffer->dataPointer());
+
+ // Create the global object
+ RootedObject proto(
+ cx, GlobalObject::getOrCreatePrototype(cx, JSProto_WasmGlobal));
+ if (!proto) {
+ return false;
+ }
+ Rooted<WasmGlobalObject*> result(
+ cx, WasmGlobalObject::create(cx, val, false, proto));
+ if (!result) {
+ return false;
+ }
+
+ args.rval().setObject(*result.get());
+ return true;
+}
+
+enum class LaneInterp {
+ I32x4,
+ I64x2,
+ F32x4,
+ F64x2,
+};
+
+size_t LaneInterpLanes(LaneInterp interp) {
+ switch (interp) {
+ case LaneInterp::I32x4:
+ return 4;
+ case LaneInterp::I64x2:
+ return 2;
+ case LaneInterp::F32x4:
+ return 4;
+ case LaneInterp::F64x2:
+ return 2;
+ default:
+ MOZ_ASSERT_UNREACHABLE();
+ return 0;
+ }
+}
+
+static bool ToLaneInterp(JSContext* cx, HandleValue v, LaneInterp* out) {
+ RootedString interpStr(cx, ToString(cx, v));
+ if (!interpStr) {
+ return false;
+ }
+ Rooted<JSLinearString*> interpLinearStr(cx, interpStr->ensureLinear(cx));
+ if (!interpLinearStr) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(interpLinearStr, "i32x4")) {
+ *out = LaneInterp::I32x4;
+ return true;
+ } else if (StringEqualsLiteral(interpLinearStr, "i64x2")) {
+ *out = LaneInterp::I64x2;
+ return true;
+ } else if (StringEqualsLiteral(interpLinearStr, "f32x4")) {
+ *out = LaneInterp::F32x4;
+ return true;
+ } else if (StringEqualsLiteral(interpLinearStr, "f64x2")) {
+ *out = LaneInterp::F64x2;
+ return true;
+ }
+
+ JS_ReportErrorASCII(cx, "invalid lane interpretation");
+ return false;
+}
+
+static bool WasmGlobalExtractLane(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 3) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+
+ // Get the global value
+ if (!args.get(0).isObject() ||
+ !args.get(0).toObject().is<WasmGlobalObject>()) {
+ JS_ReportErrorASCII(cx, "argument is not wasm value");
+ return false;
+ }
+ Rooted<WasmGlobalObject*> global(
+ cx, &args.get(0).toObject().as<WasmGlobalObject>());
+
+ // Check that we have a v128 value
+ if (global->type().kind() != wasm::ValType::V128) {
+ JS_ReportErrorASCII(cx, "global is not a v128 value");
+ return false;
+ }
+ wasm::V128 v128 = global->val().get().v128();
+
+ // Get the passed interpretation of lanes
+ LaneInterp interp;
+ if (!ToLaneInterp(cx, args.get(1), &interp)) {
+ return false;
+ }
+
+ // Get the lane to extract
+ int32_t lane;
+ if (!ToInt32(cx, args.get(2), &lane)) {
+ return false;
+ }
+
+ // Check that the lane interp is valid
+ if (lane < 0 || size_t(lane) >= LaneInterpLanes(interp)) {
+ JS_ReportErrorASCII(cx, "invalid lane for interp");
+ return false;
+ }
+
+ wasm::RootedVal val(cx);
+ switch (interp) {
+ case LaneInterp::I32x4: {
+ uint32_t i;
+ v128.extractLane<uint32_t>(lane, &i);
+ val.set(wasm::Val(i));
+ break;
+ }
+ case LaneInterp::I64x2: {
+ uint64_t i;
+ v128.extractLane<uint64_t>(lane, &i);
+ val.set(wasm::Val(i));
+ break;
+ }
+ case LaneInterp::F32x4: {
+ float f;
+ v128.extractLane<float>(lane, &f);
+ val.set(wasm::Val(f));
+ break;
+ }
+ case LaneInterp::F64x2: {
+ double d;
+ v128.extractLane<double>(lane, &d);
+ val.set(wasm::Val(d));
+ break;
+ }
+ default:
+ MOZ_ASSERT_UNREACHABLE();
+ }
+
+ RootedObject proto(
+ cx, GlobalObject::getOrCreatePrototype(cx, JSProto_WasmGlobal));
+ Rooted<WasmGlobalObject*> result(
+ cx, WasmGlobalObject::create(cx, val, false, proto));
+ args.rval().setObject(*result.get());
+ return true;
+}
+
+static bool WasmGlobalsEqual(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 2) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+
+ if (!args.get(0).isObject() ||
+ !args.get(0).toObject().is<WasmGlobalObject>() ||
+ !args.get(1).isObject() ||
+ !args.get(1).toObject().is<WasmGlobalObject>()) {
+ JS_ReportErrorASCII(cx, "argument is not wasm value");
+ return false;
+ }
+
+ Rooted<WasmGlobalObject*> a(cx,
+ &args.get(0).toObject().as<WasmGlobalObject>());
+ Rooted<WasmGlobalObject*> b(cx,
+ &args.get(1).toObject().as<WasmGlobalObject>());
+
+ if (a->type() != b->type()) {
+ JS_ReportErrorASCII(cx, "globals are of different type");
+ return false;
+ }
+
+ bool result;
+ const wasm::Val& aVal = a->val().get();
+ const wasm::Val& bVal = b->val().get();
+ switch (a->type().kind()) {
+ case wasm::ValType::I32: {
+ result = aVal.i32() == bVal.i32();
+ break;
+ }
+ case wasm::ValType::I64: {
+ result = aVal.i64() == bVal.i64();
+ break;
+ }
+ case wasm::ValType::F32: {
+ result = mozilla::BitwiseCast<uint32_t>(aVal.f32()) ==
+ mozilla::BitwiseCast<uint32_t>(bVal.f32());
+ break;
+ }
+ case wasm::ValType::F64: {
+ result = mozilla::BitwiseCast<uint64_t>(aVal.f64()) ==
+ mozilla::BitwiseCast<uint64_t>(bVal.f64());
+ break;
+ }
+ case wasm::ValType::V128: {
+ // Don't know the interpretation of the v128, so we only can do an exact
+ // bitwise equality. Testing code can use wasmGlobalExtractLane to
+ // workaround this if needed.
+ result = aVal.v128() == bVal.v128();
+ break;
+ }
+ case wasm::ValType::Ref: {
+ result = aVal.ref() == bVal.ref();
+ break;
+ }
+ default:
+ JS_ReportErrorASCII(cx, "unsupported type");
+ return false;
+ }
+ args.rval().setBoolean(result);
+ return true;
+}
+
+// Flavors of NaN values for WebAssembly.
+// See
+// https://webassembly.github.io/spec/core/syntax/values.html#floating-point.
+enum class NaNFlavor {
+ // A canonical NaN value.
+ // - the sign bit is unspecified,
+ // - the 8-bit exponent is set to all 1s
+ // - the MSB of the payload is set to 1 (a quieted NaN) and all others to 0.
+ Canonical,
+ // An arithmetic NaN. This is the same as a canonical NaN including that the
+ // payload MSB is set to 1, but one or more of the remaining payload bits MAY
+ // BE set to 1 (a canonical NaN specifies all 0s).
+ Arithmetic,
+};
+
+static bool IsNaNFlavor(uint32_t bits, NaNFlavor flavor) {
+ switch (flavor) {
+ case NaNFlavor::Canonical: {
+ return (bits & 0x7fffffff) == 0x7fc00000;
+ }
+ case NaNFlavor::Arithmetic: {
+ const uint32_t ArithmeticNaN = 0x7f800000;
+ const uint32_t ArithmeticPayloadMSB = 0x00400000;
+ bool isNaN = (bits & ArithmeticNaN) == ArithmeticNaN;
+ bool isMSBSet = (bits & ArithmeticPayloadMSB) == ArithmeticPayloadMSB;
+ return isNaN && isMSBSet;
+ }
+ default:
+ MOZ_CRASH();
+ }
+}
+
+static bool IsNaNFlavor(uint64_t bits, NaNFlavor flavor) {
+ switch (flavor) {
+ case NaNFlavor::Canonical: {
+ return (bits & 0x7fffffffffffffff) == 0x7ff8000000000000;
+ }
+ case NaNFlavor::Arithmetic: {
+ uint64_t ArithmeticNaN = 0x7ff0000000000000;
+ uint64_t ArithmeticPayloadMSB = 0x0008000000000000;
+ bool isNaN = (bits & ArithmeticNaN) == ArithmeticNaN;
+ bool isMsbSet = (bits & ArithmeticPayloadMSB) == ArithmeticPayloadMSB;
+ return isNaN && isMsbSet;
+ }
+ default:
+ MOZ_CRASH();
+ }
+}
+
+static bool ToNaNFlavor(JSContext* cx, HandleValue v, NaNFlavor* out) {
+ RootedString flavorStr(cx, ToString(cx, v));
+ if (!flavorStr) {
+ return false;
+ }
+ Rooted<JSLinearString*> flavorLinearStr(cx, flavorStr->ensureLinear(cx));
+ if (!flavorLinearStr) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(flavorLinearStr, "canonical_nan")) {
+ *out = NaNFlavor::Canonical;
+ return true;
+ } else if (StringEqualsLiteral(flavorLinearStr, "arithmetic_nan")) {
+ *out = NaNFlavor::Arithmetic;
+ return true;
+ }
+
+ JS_ReportErrorASCII(cx, "invalid nan flavor");
+ return false;
+}
+
+static bool WasmGlobalIsNaN(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 2) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+
+ if (!args.get(0).isObject() ||
+ !args.get(0).toObject().is<WasmGlobalObject>()) {
+ JS_ReportErrorASCII(cx, "argument is not wasm value");
+ return false;
+ }
+ Rooted<WasmGlobalObject*> global(
+ cx, &args.get(0).toObject().as<WasmGlobalObject>());
+
+ NaNFlavor flavor;
+ if (!ToNaNFlavor(cx, args.get(1), &flavor)) {
+ return false;
+ }
+
+ bool result;
+ const wasm::Val& val = global->val().get();
+ switch (global->type().kind()) {
+ case wasm::ValType::F32: {
+ result = IsNaNFlavor(mozilla::BitwiseCast<uint32_t>(val.f32()), flavor);
+ break;
+ }
+ case wasm::ValType::F64: {
+ result = IsNaNFlavor(mozilla::BitwiseCast<uint64_t>(val.f64()), flavor);
+ break;
+ }
+ default:
+ JS_ReportErrorASCII(cx, "global is not a floating point value");
+ return false;
+ }
+ args.rval().setBoolean(result);
+ return true;
+}
+
+static bool WasmGlobalToString(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 1) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+ if (!args.get(0).isObject() ||
+ !args.get(0).toObject().is<WasmGlobalObject>()) {
+ JS_ReportErrorASCII(cx, "argument is not wasm value");
+ return false;
+ }
+ Rooted<WasmGlobalObject*> global(
+ cx, &args.get(0).toObject().as<WasmGlobalObject>());
+ const wasm::Val& globalVal = global->val().get();
+
+ UniqueChars result;
+ switch (globalVal.type().kind()) {
+ case wasm::ValType::I32: {
+ result = JS_smprintf("i32:%" PRIx32, globalVal.i32());
+ break;
+ }
+ case wasm::ValType::I64: {
+ result = JS_smprintf("i64:%" PRIx64, globalVal.i64());
+ break;
+ }
+ case wasm::ValType::F32: {
+ result = JS_smprintf("f32:%f", globalVal.f32());
+ break;
+ }
+ case wasm::ValType::F64: {
+ result = JS_smprintf("f64:%lf", globalVal.f64());
+ break;
+ }
+ case wasm::ValType::V128: {
+ wasm::V128 v128 = globalVal.v128();
+ result = JS_smprintf(
+ "v128:%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x", v128.bytes[0],
+ v128.bytes[1], v128.bytes[2], v128.bytes[3], v128.bytes[4],
+ v128.bytes[5], v128.bytes[6], v128.bytes[7], v128.bytes[8],
+ v128.bytes[9], v128.bytes[10], v128.bytes[11], v128.bytes[12],
+ v128.bytes[13], v128.bytes[14], v128.bytes[15]);
+ break;
+ }
+ case wasm::ValType::Ref: {
+ result = JS_smprintf("ref:%p", globalVal.ref().asJSObject());
+ break;
+ }
+ default:
+ MOZ_ASSERT_UNREACHABLE();
+ }
+
+ args.rval().setString(JS_NewStringCopyZ(cx, result.get()));
+ return true;
+}
+
+static bool WasmLosslessInvoke(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() < 1) {
+ JS_ReportErrorASCII(cx, "not enough arguments");
+ return false;
+ }
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "argument is not an object");
+ return false;
+ }
+
+ RootedFunction func(cx, args[0].toObject().maybeUnwrapIf<JSFunction>());
+ if (!func || !wasm::IsWasmExportedFunction(func)) {
+ JS_ReportErrorASCII(cx, "argument is not an exported wasm function");
+ return false;
+ }
+
+ // Get the instance and funcIndex for calling the function
+ wasm::Instance& instance = wasm::ExportedFunctionToInstance(func);
+ uint32_t funcIndex = wasm::ExportedFunctionToFuncIndex(func);
+
+ // Set up a modified call frame following the standard JS
+ // [callee, this, arguments...] convention.
+ RootedValueVector wasmCallFrame(cx);
+ size_t len = 2 + args.length();
+ if (!wasmCallFrame.resize(len)) {
+ return false;
+ }
+ wasmCallFrame[0].set(args.calleev());
+ wasmCallFrame[1].set(args.thisv());
+ // Copy over the arguments needed to invoke the provided wasm function,
+ // skipping the wasm function we're calling that is at `args.get(0)`.
+ for (size_t i = 1; i < args.length(); i++) {
+ size_t wasmArg = i - 1;
+ wasmCallFrame[2 + wasmArg].set(args.get(i));
+ }
+ size_t wasmArgc = argc - 1;
+ CallArgs wasmCallArgs(CallArgsFromVp(wasmArgc, wasmCallFrame.begin()));
+
+ // Invoke the function with the new call frame
+ bool result = instance.callExport(cx, funcIndex, wasmCallArgs,
+ wasm::CoercionLevel::Lossless);
+ // Assign the wasm rval to our rval
+ args.rval().set(wasmCallArgs.rval());
+ return result;
+}
+
+static bool ConvertToTier(JSContext* cx, HandleValue value,
+ const wasm::Code& code, wasm::Tier* tier) {
+ RootedString option(cx, JS::ToString(cx, value));
+
+ if (!option) {
+ return false;
+ }
+
+ bool stableTier = false;
+ bool bestTier = false;
+ bool baselineTier = false;
+ bool ionTier = false;
+
+ if (!JS_StringEqualsLiteral(cx, option, "stable", &stableTier) ||
+ !JS_StringEqualsLiteral(cx, option, "best", &bestTier) ||
+ !JS_StringEqualsLiteral(cx, option, "baseline", &baselineTier) ||
+ !JS_StringEqualsLiteral(cx, option, "ion", &ionTier)) {
+ return false;
+ }
+
+ if (stableTier) {
+ *tier = code.stableTier();
+ } else if (bestTier) {
+ *tier = code.bestTier();
+ } else if (baselineTier) {
+ *tier = wasm::Tier::Baseline;
+ } else if (ionTier) {
+ *tier = wasm::Tier::Optimized;
+ } else {
+ // You can omit the argument but you can't pass just anything you like
+ return false;
+ }
+
+ return true;
+}
+
+static bool WasmExtractCode(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "argument is not an object");
+ return false;
+ }
+
+ Rooted<WasmModuleObject*> module(
+ cx, args[0].toObject().maybeUnwrapIf<WasmModuleObject>());
+ if (!module) {
+ JS_ReportErrorASCII(cx, "argument is not a WebAssembly.Module");
+ return false;
+ }
+
+ wasm::Tier tier = module->module().code().stableTier();
+ ;
+ if (args.length() > 1 &&
+ !ConvertToTier(cx, args[1], module->module().code(), &tier)) {
+ args.rval().setNull();
+ return false;
+ }
+
+ RootedValue result(cx);
+ if (!module->module().extractCode(cx, tier, &result)) {
+ return false;
+ }
+
+ args.rval().set(result);
+ return true;
+}
+
+struct DisasmBuffer {
+ JSStringBuilder builder;
+ bool oom;
+ explicit DisasmBuffer(JSContext* cx) : builder(cx), oom(false) {}
+};
+
+static bool HasDisassembler(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(jit::HasDisassembler());
+ return true;
+}
+
+MOZ_THREAD_LOCAL(DisasmBuffer*) disasmBuf;
+
+static void captureDisasmText(const char* text) {
+ DisasmBuffer* buf = disasmBuf.get();
+ if (!buf->builder.append(text, strlen(text)) || !buf->builder.append('\n')) {
+ buf->oom = true;
+ }
+}
+
+static bool DisassembleNative(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setUndefined();
+
+ if (args.length() < 1) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_MORE_ARGS_NEEDED, "disnative", "1", "",
+ "0");
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument must be a function.");
+ return false;
+ }
+
+ Sprinter sprinter(cx);
+ if (!sprinter.init()) {
+ return false;
+ }
+
+ RootedFunction fun(cx, &args[0].toObject().as<JSFunction>());
+
+ uint8_t* jit_begin = nullptr;
+ uint8_t* jit_end = nullptr;
+
+ if (fun->isAsmJSNative() || fun->isWasmWithJitEntry()) {
+ if (fun->isAsmJSNative() && !sprinter.jsprintf("; backend=asmjs\n")) {
+ return false;
+ }
+ if (!sprinter.jsprintf("; backend=wasm\n")) {
+ return false;
+ }
+
+ js::wasm::Instance& inst = fun->wasmInstance();
+ const js::wasm::Code& code = inst.code();
+ js::wasm::Tier tier = code.bestTier();
+
+ const js::wasm::MetadataTier& meta = inst.metadata(tier);
+
+ const js::wasm::CodeSegment& segment = code.segment(tier);
+ const uint32_t funcIndex = code.getFuncIndex(&*fun);
+ const js::wasm::FuncExport& func = meta.lookupFuncExport(funcIndex);
+ const js::wasm::CodeRange& codeRange = meta.codeRange(func);
+
+ jit_begin = segment.base() + codeRange.begin();
+ jit_end = segment.base() + codeRange.end();
+ } else if (fun->hasJitScript()) {
+ JSScript* script = fun->nonLazyScript();
+ if (script == nullptr) {
+ return false;
+ }
+
+ js::jit::IonScript* ion =
+ script->hasIonScript() ? script->ionScript() : nullptr;
+ js::jit::BaselineScript* baseline =
+ script->hasBaselineScript() ? script->baselineScript() : nullptr;
+ if (ion && ion->method()) {
+ if (!sprinter.jsprintf("; backend=ion\n")) {
+ return false;
+ }
+
+ jit_begin = ion->method()->raw();
+ jit_end = ion->method()->rawEnd();
+ } else if (baseline) {
+ if (!sprinter.jsprintf("; backend=baseline\n")) {
+ return false;
+ }
+
+ jit_begin = baseline->method()->raw();
+ jit_end = baseline->method()->rawEnd();
+ }
+ } else {
+ return false;
+ }
+
+ if (jit_begin == nullptr || jit_end == nullptr) {
+ return false;
+ }
+
+ DisasmBuffer buf(cx);
+ disasmBuf.set(&buf);
+ auto onFinish = mozilla::MakeScopeExit([&] { disasmBuf.set(nullptr); });
+
+ jit::Disassemble(jit_begin, jit_end - jit_begin, &captureDisasmText);
+
+ if (buf.oom) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ JSString* sresult = buf.builder.finishString();
+ if (!sresult) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ sprinter.putString(sresult);
+
+ if (args.length() > 1 && args[1].isString()) {
+ RootedString str(cx, args[1].toString());
+ JS::UniqueChars fileNameBytes = JS_EncodeStringToUTF8(cx, str);
+
+ const char* fileName = fileNameBytes.get();
+ if (!fileName) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+
+ FILE* f = fopen(fileName, "w");
+ if (!f) {
+ JS_ReportErrorASCII(cx, "Could not open file for writing.");
+ return false;
+ }
+
+ uintptr_t expected_length = reinterpret_cast<uintptr_t>(jit_end) -
+ reinterpret_cast<uintptr_t>(jit_begin);
+ if (expected_length != fwrite(jit_begin, jit_end - jit_begin, 1, f)) {
+ JS_ReportErrorASCII(cx, "Did not write all function bytes to the file.");
+ fclose(f);
+ return false;
+ }
+ fclose(f);
+ }
+
+ JSString* str = JS_NewStringCopyZ(cx, sprinter.string());
+ if (!str) {
+ return false;
+ }
+
+ args[0].setUndefined();
+ args.rval().setString(str);
+
+ return true;
+}
+
+static bool ComputeTier(JSContext* cx, const wasm::Code& code,
+ HandleValue tierSelection, wasm::Tier* tier) {
+ *tier = code.stableTier();
+ if (!tierSelection.isUndefined() &&
+ !ConvertToTier(cx, tierSelection, code, tier)) {
+ JS_ReportErrorASCII(cx, "invalid tier");
+ return false;
+ }
+
+ if (!code.hasTier(*tier)) {
+ JS_ReportErrorASCII(cx, "function missing selected tier");
+ return false;
+ }
+
+ return true;
+}
+
+template <typename DisasmFunction>
+static bool DisassembleIt(JSContext* cx, bool asString, MutableHandleValue rval,
+ DisasmFunction&& disassembleIt) {
+ if (asString) {
+ DisasmBuffer buf(cx);
+ disasmBuf.set(&buf);
+ auto onFinish = mozilla::MakeScopeExit([&] { disasmBuf.set(nullptr); });
+ disassembleIt(captureDisasmText);
+ if (buf.oom) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ JSString* sresult = buf.builder.finishString();
+ if (!sresult) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ rval.setString(sresult);
+ return true;
+ }
+
+ disassembleIt([](const char* text) { fprintf(stderr, "%s\n", text); });
+ return true;
+}
+
+static bool WasmDisassembleFunction(JSContext* cx, const HandleFunction& func,
+ HandleValue tierSelection, bool asString,
+ MutableHandleValue rval) {
+ wasm::Instance& instance = wasm::ExportedFunctionToInstance(func);
+ wasm::Tier tier;
+
+ if (!ComputeTier(cx, instance.code(), tierSelection, &tier)) {
+ return false;
+ }
+
+ uint32_t funcIndex = wasm::ExportedFunctionToFuncIndex(func);
+ return DisassembleIt(
+ cx, asString, rval, [&](void (*captureText)(const char*)) {
+ instance.disassembleExport(cx, funcIndex, tier, captureText);
+ });
+}
+
+static bool WasmDisassembleCode(JSContext* cx, const wasm::Code& code,
+ HandleValue tierSelection, int kindSelection,
+ bool asString, MutableHandleValue rval) {
+ wasm::Tier tier;
+ if (!ComputeTier(cx, code, tierSelection, &tier)) {
+ return false;
+ }
+
+ return DisassembleIt(cx, asString, rval,
+ [&](void (*captureText)(const char*)) {
+ code.disassemble(cx, tier, kindSelection, captureText);
+ });
+}
+
+static bool WasmDisassemble(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ args.rval().set(UndefinedValue());
+
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "argument is not an object");
+ return false;
+ }
+
+ bool asString = false;
+ RootedValue tierSelection(cx);
+ int kindSelection = (1 << wasm::CodeRange::Function);
+ if (args.length() > 1 && args[1].isObject()) {
+ RootedObject options(cx, &args[1].toObject());
+ RootedValue val(cx);
+
+ if (!JS_GetProperty(cx, options, "asString", &val)) {
+ return false;
+ }
+ asString = val.isBoolean() && val.toBoolean();
+
+ if (!JS_GetProperty(cx, options, "tier", &tierSelection)) {
+ return false;
+ }
+
+ if (!JS_GetProperty(cx, options, "kinds", &val)) {
+ return false;
+ }
+ if (val.isString() && val.toString()->hasLatin1Chars()) {
+ AutoStableStringChars stable(cx);
+ if (!stable.init(cx, val.toString())) {
+ return false;
+ }
+ const char* p = (const char*)(stable.latin1Chars());
+ const char* end = p + val.toString()->length();
+ int selection = 0;
+ for (;;) {
+ if (strncmp(p, "Function", 8) == 0) {
+ selection |= (1 << wasm::CodeRange::Function);
+ p += 8;
+ } else if (strncmp(p, "InterpEntry", 11) == 0) {
+ selection |= (1 << wasm::CodeRange::InterpEntry);
+ p += 11;
+ } else if (strncmp(p, "JitEntry", 8) == 0) {
+ selection |= (1 << wasm::CodeRange::JitEntry);
+ p += 8;
+ } else if (strncmp(p, "ImportInterpExit", 16) == 0) {
+ selection |= (1 << wasm::CodeRange::ImportInterpExit);
+ p += 16;
+ } else if (strncmp(p, "ImportJitExit", 13) == 0) {
+ selection |= (1 << wasm::CodeRange::ImportJitExit);
+ p += 13;
+ } else if (strncmp(p, "all", 3) == 0) {
+ selection = ~0;
+ p += 3;
+ } else {
+ break;
+ }
+ if (p == end || *p != ',') {
+ break;
+ }
+ p++;
+ }
+ if (p == end) {
+ kindSelection = selection;
+ } else {
+ JS_ReportErrorASCII(cx, "argument object has invalid `kinds`");
+ return false;
+ }
+ }
+ }
+
+ RootedFunction func(cx, args[0].toObject().maybeUnwrapIf<JSFunction>());
+ if (func && wasm::IsWasmExportedFunction(func)) {
+ return WasmDisassembleFunction(cx, func, tierSelection, asString,
+ args.rval());
+ }
+ if (args[0].toObject().is<WasmModuleObject>()) {
+ return WasmDisassembleCode(
+ cx, args[0].toObject().as<WasmModuleObject>().module().code(),
+ tierSelection, kindSelection, asString, args.rval());
+ }
+ if (args[0].toObject().is<WasmInstanceObject>()) {
+ return WasmDisassembleCode(
+ cx, args[0].toObject().as<WasmInstanceObject>().instance().code(),
+ tierSelection, kindSelection, asString, args.rval());
+ }
+ JS_ReportErrorASCII(
+ cx, "argument is not an exported wasm function or a wasm module");
+ return false;
+}
+
+enum class Flag { Tier2Complete, Deserialized };
+
+static bool WasmReturnFlag(JSContext* cx, unsigned argc, Value* vp, Flag flag) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "argument is not an object");
+ return false;
+ }
+
+ Rooted<WasmModuleObject*> module(
+ cx, args[0].toObject().maybeUnwrapIf<WasmModuleObject>());
+ if (!module) {
+ JS_ReportErrorASCII(cx, "argument is not a WebAssembly.Module");
+ return false;
+ }
+
+ bool b;
+ switch (flag) {
+ case Flag::Tier2Complete:
+ b = !module->module().testingTier2Active();
+ break;
+ case Flag::Deserialized:
+ b = module->module().loggingDeserialized();
+ break;
+ }
+
+ args.rval().set(BooleanValue(b));
+ return true;
+}
+
+static bool WasmHasTier2CompilationCompleted(JSContext* cx, unsigned argc,
+ Value* vp) {
+ return WasmReturnFlag(cx, argc, vp, Flag::Tier2Complete);
+}
+
+static bool WasmLoadedFromCache(JSContext* cx, unsigned argc, Value* vp) {
+ return WasmReturnFlag(cx, argc, vp, Flag::Deserialized);
+}
+
+static bool WasmIntrinsicI8VecMul(JSContext* cx, unsigned argc, Value* vp) {
+ if (!wasm::HasSupport(cx)) {
+ JS_ReportErrorASCII(cx, "wasm support unavailable");
+ return false;
+ }
+
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ wasm::IntrinsicId ids[] = {wasm::IntrinsicId::I8VecMul};
+ Rooted<WasmModuleObject*> module(cx);
+ if (!wasm::CompileIntrinsicModule(cx, ids, wasm::Shareable::False, &module)) {
+ return false;
+ }
+ args.rval().set(ObjectValue(*module.get()));
+ return true;
+}
+
+static bool LargeArrayBufferSupported(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(ArrayBufferObject::MaxByteLength >
+ ArrayBufferObject::MaxByteLengthForSmallBuffer);
+ return true;
+}
+
+static bool IsLazyFunction(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "The function takes exactly one argument.");
+ return false;
+ }
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+ JSFunction* fun = &args[0].toObject().as<JSFunction>();
+ args.rval().setBoolean(fun->isInterpreted() && !fun->hasBytecode());
+ return true;
+}
+
+static bool IsRelazifiableFunction(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "The function takes exactly one argument.");
+ return false;
+ }
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+
+ JSFunction* fun = &args[0].toObject().as<JSFunction>();
+ args.rval().setBoolean(fun->hasBytecode() &&
+ fun->nonLazyScript()->allowRelazify());
+ return true;
+}
+
+static bool IsInStencilCache(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "The function takes exactly one argument.");
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+
+ if (fuzzingSafe) {
+ // When running code concurrently to fill-up the stencil cache, the content
+ // is not garanteed to be present.
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ JSFunction* fun = &args[0].toObject().as<JSFunction>();
+ BaseScript* script = fun->baseScript();
+ RefPtr<ScriptSource> ss = script->scriptSource();
+ StencilCache& cache = cx->runtime()->caches().delazificationCache;
+ auto guard = cache.isSourceCached(ss);
+ if (!guard) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ StencilContext key(ss, script->extent());
+ frontend::CompilationStencil* stencil = cache.lookup(guard, key);
+ args.rval().setBoolean(bool(stencil));
+ return true;
+}
+
+static bool WaitForStencilCache(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "The function takes exactly one argument.");
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+ args.rval().setUndefined();
+
+ JSFunction* fun = &args[0].toObject().as<JSFunction>();
+ BaseScript* script = fun->baseScript();
+ RefPtr<ScriptSource> ss = script->scriptSource();
+ StencilCache& cache = cx->runtime()->caches().delazificationCache;
+ StencilContext key(ss, script->extent());
+
+ AutoLockHelperThreadState lock;
+ if (!HelperThreadState().isInitialized(lock)) {
+ return true;
+ }
+
+ while (true) {
+ {
+ // This capture a Mutex that we have to release before using the wait
+ // function.
+ auto guard = cache.isSourceCached(ss);
+ if (!guard) {
+ return true;
+ }
+
+ frontend::CompilationStencil* stencil = cache.lookup(guard, key);
+ if (stencil) {
+ break;
+ }
+ }
+
+ HelperThreadState().wait(lock);
+ }
+ return true;
+}
+
+static bool HasSameBytecodeData(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 2) {
+ JS_ReportErrorASCII(cx, "The function takes exactly two argument.");
+ return false;
+ }
+
+ auto GetSharedData = [](JSContext* cx,
+ HandleValue v) -> SharedImmutableScriptData* {
+ if (!v.isObject()) {
+ JS_ReportErrorASCII(cx, "The arguments must be interpreted functions.");
+ return nullptr;
+ }
+
+ RootedObject obj(cx, CheckedUnwrapDynamic(&v.toObject(), cx));
+ if (!obj) {
+ return nullptr;
+ }
+
+ if (!obj->is<JSFunction>() || !obj->as<JSFunction>().isInterpreted()) {
+ JS_ReportErrorASCII(cx, "The arguments must be interpreted functions.");
+ return nullptr;
+ }
+
+ AutoRealm ar(cx, obj);
+ RootedFunction fun(cx, &obj->as<JSFunction>());
+ RootedScript script(cx, JSFunction::getOrCreateScript(cx, fun));
+ if (!script) {
+ return nullptr;
+ }
+
+ MOZ_ASSERT(script->sharedData());
+ return script->sharedData();
+ };
+
+ // NOTE: We use RefPtr below to keep the data alive across possible GC since
+ // the functions may be in different Zones.
+
+ RefPtr<SharedImmutableScriptData> sharedData1 = GetSharedData(cx, args[0]);
+ if (!sharedData1) {
+ return false;
+ }
+
+ RefPtr<SharedImmutableScriptData> sharedData2 = GetSharedData(cx, args[1]);
+ if (!sharedData2) {
+ return false;
+ }
+
+ args.rval().setBoolean(sharedData1 == sharedData2);
+ return true;
+}
+
+static bool InternalConst(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() == 0) {
+ JS_ReportErrorASCII(cx, "the function takes exactly one argument");
+ return false;
+ }
+
+ JSString* str = ToString(cx, args[0]);
+ if (!str) {
+ return false;
+ }
+ JSLinearString* linear = JS_EnsureLinearString(cx, str);
+ if (!linear) {
+ return false;
+ }
+
+ if (JS_LinearStringEqualsLiteral(linear, "MARK_STACK_BASE_CAPACITY")) {
+ args.rval().setNumber(uint32_t(js::MARK_STACK_BASE_CAPACITY));
+ } else {
+ JS_ReportErrorASCII(cx, "unknown const name");
+ return false;
+ }
+ return true;
+}
+
+static bool GCPreserveCode(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 0) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ cx->runtime()->gc.setAlwaysPreserveCode();
+
+ args.rval().setUndefined();
+ return true;
+}
+
+#ifdef JS_GC_ZEAL
+
+static bool ParseGCZealMode(JSContext* cx, const CallArgs& args,
+ uint8_t* zeal) {
+ uint32_t value;
+ if (!ToUint32(cx, args.get(0), &value)) {
+ return false;
+ }
+
+ if (value > uint32_t(gc::ZealMode::Limit)) {
+ JS_ReportErrorASCII(cx, "gczeal argument out of range");
+ return false;
+ }
+
+ *zeal = static_cast<uint8_t>(value);
+ return true;
+}
+
+static bool GCZeal(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 2) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ uint8_t zeal;
+ if (!ParseGCZealMode(cx, args, &zeal)) {
+ return false;
+ }
+
+ uint32_t frequency = JS_DEFAULT_ZEAL_FREQ;
+ if (args.length() >= 2) {
+ if (!ToUint32(cx, args.get(1), &frequency)) {
+ return false;
+ }
+ }
+
+ JS_SetGCZeal(cx, zeal, frequency);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool UnsetGCZeal(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ uint8_t zeal;
+ if (!ParseGCZealMode(cx, args, &zeal)) {
+ return false;
+ }
+
+ JS_UnsetGCZeal(cx, zeal);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool ScheduleGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ if (args.length() == 0) {
+ /* Fetch next zeal trigger only. */
+ } else if (args[0].isNumber()) {
+ /* Schedule a GC to happen after |arg| allocations. */
+ JS_ScheduleGC(cx, std::max(int(args[0].toNumber()), 0));
+ } else {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Bad argument - expecting number");
+ return false;
+ }
+
+ uint32_t zealBits;
+ uint32_t freq;
+ uint32_t next;
+ JS_GetGCZealBits(cx, &zealBits, &freq, &next);
+ args.rval().setInt32(next);
+ return true;
+}
+
+static bool SelectForGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ /*
+ * The selectedForMarking set is intended to be manually marked at slice
+ * start to detect missing pre-barriers. It is invalid for nursery things
+ * to be in the set, so evict the nursery before adding items.
+ */
+ cx->runtime()->gc.evictNursery();
+
+ for (unsigned i = 0; i < args.length(); i++) {
+ if (args[i].isObject()) {
+ if (!cx->runtime()->gc.selectForMarking(&args[i].toObject())) {
+ return false;
+ }
+ }
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool VerifyPreBarriers(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 0) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ gc::VerifyBarriers(cx->runtime(), gc::PreBarrierVerifier);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool VerifyPostBarriers(JSContext* cx, unsigned argc, Value* vp) {
+ // This is a no-op since the post barrier verifier was removed.
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool CurrentGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 0) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ RootedObject result(cx, JS_NewPlainObject(cx));
+ if (!result) {
+ return false;
+ }
+
+ js::gc::GCRuntime& gc = cx->runtime()->gc;
+ const char* state = StateName(gc.state());
+
+ RootedString str(cx, JS_NewStringCopyZ(cx, state));
+ if (!str) {
+ return false;
+ }
+ RootedValue val(cx, StringValue(str));
+ if (!JS_DefineProperty(cx, result, "incrementalState", val,
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ if (gc.state() == js::gc::State::Sweep) {
+ val = Int32Value(gc.getCurrentSweepGroupIndex());
+ if (!JS_DefineProperty(cx, result, "sweepGroup", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ }
+
+ val = BooleanValue(gc.isIncrementalGCInProgress() && gc.isShrinkingGC());
+ if (!JS_DefineProperty(cx, result, "isShrinking", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ val = Int32Value(gc.gcNumber());
+ if (!JS_DefineProperty(cx, result, "number", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ val = Int32Value(gc.minorGCCount());
+ if (!JS_DefineProperty(cx, result, "minorCount", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ val = Int32Value(gc.majorGCCount());
+ if (!JS_DefineProperty(cx, result, "majorCount", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ val = BooleanValue(gc.isFullGc());
+ if (!JS_DefineProperty(cx, result, "isFull", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ val = BooleanValue(gc.isCompactingGc());
+ if (!JS_DefineProperty(cx, result, "isCompacting", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+# ifdef DEBUG
+ val = Int32Value(gc.testMarkQueuePos());
+ if (!JS_DefineProperty(cx, result, "queuePos", val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+# endif
+
+ args.rval().setObject(*result);
+ return true;
+}
+
+static bool DeterministicGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ cx->runtime()->gc.setDeterministic(ToBoolean(args[0]));
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool DumpGCArenaInfo(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ js::gc::DumpArenaInfo();
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool SetMarkStackLimit(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ int32_t value;
+ if (!ToInt32(cx, args[0], &value) || value <= 0) {
+ JS_ReportErrorASCII(cx, "Bad argument to SetMarkStackLimit");
+ return false;
+ }
+
+ if (JS::IsIncrementalGCInProgress(cx)) {
+ JS_ReportErrorASCII(
+ cx, "Attempt to set markStackLimit while a GC is in progress");
+ return false;
+ }
+
+ JSRuntime* runtime = cx->runtime();
+ AutoLockGC lock(runtime);
+ runtime->gc.setMarkStackLimit(value, lock);
+ args.rval().setUndefined();
+ return true;
+}
+
+#endif /* JS_GC_ZEAL */
+
+static bool SetMallocMaxDirtyPageModifier(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ constexpr int32_t MinSupportedValue = -5;
+ constexpr int32_t MaxSupportedValue = 16;
+
+ int32_t value;
+ if (!ToInt32(cx, args[0], &value)) {
+ return false;
+ }
+ if (value < MinSupportedValue || value > MaxSupportedValue) {
+ JS_ReportErrorASCII(cx, "Bad argument to setMallocMaxDirtyPageModifier");
+ return false;
+ }
+
+ moz_set_max_dirty_page_modifier(value);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GCState(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ const char* state;
+
+ if (args.length() == 1) {
+ if (!args[0].isObject()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Expected object");
+ return false;
+ }
+
+ JSObject* obj = UncheckedUnwrap(&args[0].toObject());
+ state = gc::StateName(obj->zone()->gcState());
+ } else {
+ state = gc::StateName(cx->runtime()->gc.state());
+ }
+
+ return ReturnStringCopy(cx, args, state);
+}
+
+static bool ScheduleZoneForGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Expecting a single argument");
+ return false;
+ }
+
+ if (args[0].isObject()) {
+ // Ensure that |zone| is collected during the next GC.
+ Zone* zone = UncheckedUnwrap(&args[0].toObject())->zone();
+ PrepareZoneForGC(cx, zone);
+ } else if (args[0].isString()) {
+ // This allows us to schedule the atoms zone for GC.
+ Zone* zone = args[0].toString()->zoneFromAnyThread();
+ if (!CurrentThreadCanAccessZone(zone)) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Specified zone not accessible for GC");
+ return false;
+ }
+ PrepareZoneForGC(cx, zone);
+ } else {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "Bad argument - expecting object or string");
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool StartGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 2) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ auto budget = SliceBudget::unlimited();
+ if (args.length() >= 1) {
+ uint32_t work = 0;
+ if (!ToUint32(cx, args[0], &work)) {
+ return false;
+ }
+ budget = SliceBudget(WorkBudget(work));
+ }
+
+ bool shrinking = false;
+ if (args.length() >= 2) {
+ Value arg = args[1];
+ if (arg.isString()) {
+ if (!JS_StringEqualsLiteral(cx, arg.toString(), "shrinking",
+ &shrinking)) {
+ return false;
+ }
+ }
+ }
+
+ JSRuntime* rt = cx->runtime();
+ if (rt->gc.isIncrementalGCInProgress()) {
+ RootedObject callee(cx, &args.callee());
+ JS_ReportErrorASCII(cx, "Incremental GC already in progress");
+ return false;
+ }
+
+ JS::GCOptions options =
+ shrinking ? JS::GCOptions::Shrink : JS::GCOptions::Normal;
+ rt->gc.startDebugGC(options, budget);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool FinishGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 0) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ JSRuntime* rt = cx->runtime();
+ if (rt->gc.isIncrementalGCInProgress()) {
+ rt->gc.finishGC(JS::GCReason::DEBUG_GC);
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GCSlice(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 2) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ auto budget = SliceBudget::unlimited();
+ if (args.length() >= 1) {
+ uint32_t work = 0;
+ if (!ToUint32(cx, args[0], &work)) {
+ return false;
+ }
+ budget = SliceBudget(WorkBudget(work));
+ }
+
+ bool dontStart = false;
+ if (args.get(1).isObject()) {
+ RootedObject options(cx, &args[1].toObject());
+ RootedValue v(cx);
+ if (!JS_GetProperty(cx, options, "dontStart", &v)) {
+ return false;
+ }
+ dontStart = ToBoolean(v);
+ }
+
+ JSRuntime* rt = cx->runtime();
+ if (rt->gc.isIncrementalGCInProgress()) {
+ rt->gc.debugGCSlice(budget);
+ } else if (!dontStart) {
+ rt->gc.startDebugGC(JS::GCOptions::Normal, budget);
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool AbortGC(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 0) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ JS::AbortIncrementalGC(cx);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool FullCompartmentChecks(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ cx->runtime()->gc.setFullCompartmentChecks(ToBoolean(args[0]));
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool NondeterministicGetWeakMapKeys(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+ if (!args[0].isObject()) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_NOT_EXPECTED_TYPE,
+ "nondeterministicGetWeakMapKeys", "WeakMap",
+ InformalValueTypeName(args[0]));
+ return false;
+ }
+ RootedObject arr(cx);
+ RootedObject mapObj(cx, &args[0].toObject());
+ if (!JS_NondeterministicGetWeakMapKeys(cx, mapObj, &arr)) {
+ return false;
+ }
+ if (!arr) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_NOT_EXPECTED_TYPE,
+ "nondeterministicGetWeakMapKeys", "WeakMap",
+ args[0].toObject().getClass()->name);
+ return false;
+ }
+ args.rval().setObject(*arr);
+ return true;
+}
+
+class HasChildTracer final : public JS::CallbackTracer {
+ RootedValue child_;
+ bool found_;
+
+ void onChild(JS::GCCellPtr thing, const char* name) override {
+ if (thing.asCell() == child_.toGCThing()) {
+ found_ = true;
+ }
+ }
+
+ public:
+ HasChildTracer(JSContext* cx, HandleValue child)
+ : JS::CallbackTracer(cx, JS::TracerKind::Callback,
+ JS::WeakMapTraceAction::TraceKeysAndValues),
+ child_(cx, child),
+ found_(false) {}
+
+ bool found() const { return found_; }
+};
+
+static bool HasChild(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedValue parent(cx, args.get(0));
+ RootedValue child(cx, args.get(1));
+
+ if (!parent.isGCThing() || !child.isGCThing()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ HasChildTracer trc(cx, child);
+ TraceChildren(&trc, JS::GCCellPtr(parent.toGCThing(), parent.traceKind()));
+ args.rval().setBoolean(trc.found());
+ return true;
+}
+
+static bool SetSavedStacksRNGState(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "setSavedStacksRNGState", 1)) {
+ return false;
+ }
+
+ int32_t seed;
+ if (!ToInt32(cx, args[0], &seed)) {
+ return false;
+ }
+
+ // Either one or the other of the seed arguments must be non-zero;
+ // make this true no matter what value 'seed' has.
+ cx->realm()->savedStacks().setRNGState(seed, (seed + 1) * 33);
+ return true;
+}
+
+static bool GetSavedFrameCount(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setNumber(cx->realm()->savedStacks().count());
+ return true;
+}
+
+static bool ClearSavedFrames(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ js::SavedStacks& savedStacks = cx->realm()->savedStacks();
+ savedStacks.clear();
+
+ for (ActivationIterator iter(cx); !iter.done(); ++iter) {
+ iter->clearLiveSavedFrameCache();
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool SaveStack(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JS::StackCapture capture((JS::AllFrames()));
+ if (args.length() >= 1) {
+ double maxDouble;
+ if (!ToNumber(cx, args[0], &maxDouble)) {
+ return false;
+ }
+ if (std::isnan(maxDouble) || maxDouble < 0 || maxDouble > UINT32_MAX) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr, "not a valid maximum frame count");
+ return false;
+ }
+ uint32_t max = uint32_t(maxDouble);
+ if (max > 0) {
+ capture = JS::StackCapture(JS::MaxFrames(max));
+ }
+ }
+
+ RootedObject compartmentObject(cx);
+ if (args.length() >= 2) {
+ if (!args[1].isObject()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr, "not an object");
+ return false;
+ }
+ compartmentObject = UncheckedUnwrap(&args[1].toObject());
+ if (!compartmentObject) {
+ return false;
+ }
+ }
+
+ RootedObject stack(cx);
+ {
+ Maybe<AutoRealm> ar;
+ if (compartmentObject) {
+ ar.emplace(cx, compartmentObject);
+ }
+ if (!JS::CaptureCurrentStack(cx, &stack, std::move(capture))) {
+ return false;
+ }
+ }
+
+ if (stack && !cx->compartment()->wrap(cx, &stack)) {
+ return false;
+ }
+
+ args.rval().setObjectOrNull(stack);
+ return true;
+}
+
+static bool CaptureFirstSubsumedFrame(JSContext* cx, unsigned argc,
+ JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "captureFirstSubsumedFrame", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject()) {
+ JS_ReportErrorASCII(cx, "The argument must be an object");
+ return false;
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+ obj = CheckedUnwrapStatic(obj);
+ if (!obj) {
+ JS_ReportErrorASCII(cx, "Denied permission to object.");
+ return false;
+ }
+
+ JS::StackCapture capture(
+ JS::FirstSubsumedFrame(cx, obj->nonCCWRealm()->principals()));
+ if (args.length() > 1) {
+ capture.as<JS::FirstSubsumedFrame>().ignoreSelfHosted =
+ JS::ToBoolean(args[1]);
+ }
+
+ JS::RootedObject capturedStack(cx);
+ if (!JS::CaptureCurrentStack(cx, &capturedStack, std::move(capture))) {
+ return false;
+ }
+
+ args.rval().setObjectOrNull(capturedStack);
+ return true;
+}
+
+static bool CallFunctionFromNativeFrame(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "The function takes exactly one argument.");
+ return false;
+ }
+ if (!args[0].isObject() || !IsCallable(args[0])) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+
+ RootedObject function(cx, &args[0].toObject());
+ return Call(cx, UndefinedHandleValue, function, JS::HandleValueArray::empty(),
+ args.rval());
+}
+
+static bool CallFunctionWithAsyncStack(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 3) {
+ JS_ReportErrorASCII(cx, "The function takes exactly three arguments.");
+ return false;
+ }
+ if (!args[0].isObject() || !IsCallable(args[0])) {
+ JS_ReportErrorASCII(cx, "The first argument should be a function.");
+ return false;
+ }
+ if (!args[1].isObject() || !args[1].toObject().is<SavedFrame>()) {
+ JS_ReportErrorASCII(cx, "The second argument should be a SavedFrame.");
+ return false;
+ }
+ if (!args[2].isString() || args[2].toString()->empty()) {
+ JS_ReportErrorASCII(cx, "The third argument should be a non-empty string.");
+ return false;
+ }
+
+ RootedObject function(cx, &args[0].toObject());
+ RootedObject stack(cx, &args[1].toObject());
+ RootedString asyncCause(cx, args[2].toString());
+ UniqueChars utf8Cause = JS_EncodeStringToUTF8(cx, asyncCause);
+ if (!utf8Cause) {
+ MOZ_ASSERT(cx->isExceptionPending());
+ return false;
+ }
+
+ JS::AutoSetAsyncStackForNewCalls sas(
+ cx, stack, utf8Cause.get(),
+ JS::AutoSetAsyncStackForNewCalls::AsyncCallKind::EXPLICIT);
+ return Call(cx, UndefinedHandleValue, function, JS::HandleValueArray::empty(),
+ args.rval());
+}
+
+static bool EnableTrackAllocations(JSContext* cx, unsigned argc, Value* vp) {
+ SetAllocationMetadataBuilder(cx, &SavedStacks::metadataBuilder);
+ return true;
+}
+
+static bool DisableTrackAllocations(JSContext* cx, unsigned argc, Value* vp) {
+ SetAllocationMetadataBuilder(cx, nullptr);
+ return true;
+}
+
+static bool SetTestFilenameValidationCallback(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ // Accept all filenames that start with "safe". In system code also accept
+ // filenames starting with "system".
+ auto testCb = [](JSContext* cx, const char* filename) -> bool {
+ if (strstr(filename, "safe") == filename) {
+ return true;
+ }
+ if (cx->realm()->isSystem() && strstr(filename, "system") == filename) {
+ return true;
+ }
+
+ return false;
+ };
+ JS::SetFilenameValidationCallback(testCb);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static JSAtom* GetPropertiesAddedName(JSContext* cx) {
+ const char* propName = "_propertiesAdded";
+ return Atomize(cx, propName, strlen(propName));
+}
+
+static bool NewObjectWithAddPropertyHook(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ auto addPropHook = [](JSContext* cx, HandleObject obj, HandleId id,
+ HandleValue v) -> bool {
+ Rooted<JSAtom*> propName(cx, GetPropertiesAddedName(cx));
+ if (!propName) {
+ return false;
+ }
+ // Don't do anything if we're adding the _propertiesAdded property.
+ RootedId propId(cx, AtomToId(propName));
+ if (id == propId) {
+ return true;
+ }
+ // Increment _propertiesAdded.
+ RootedValue val(cx);
+ if (!JS_GetPropertyById(cx, obj, propId, &val)) {
+ return false;
+ }
+ if (!val.isInt32() || val.toInt32() == INT32_MAX) {
+ return true;
+ }
+ val.setInt32(val.toInt32() + 1);
+ return JS_DefinePropertyById(cx, obj, propId, val, 0);
+ };
+
+ static const JSClassOps classOps = {
+ addPropHook, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ nullptr, // finalize
+ nullptr, // call
+ nullptr, // construct
+ nullptr, // trace
+ };
+ static const JSClass cls = {
+ "ObjectWithAddPropHook",
+ 0,
+ &classOps,
+ };
+
+ RootedObject obj(cx, JS_NewObject(cx, &cls));
+ if (!obj) {
+ return false;
+ }
+
+ // Initialize _propertiesAdded to 0.
+ Rooted<JSAtom*> propName(cx, GetPropertiesAddedName(cx));
+ if (!propName) {
+ return false;
+ }
+ RootedId propId(cx, AtomToId(propName));
+ RootedValue val(cx, Int32Value(0));
+ if (!JS_DefinePropertyById(cx, obj, propId, val, 0)) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool NewObjectWithCallHook(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ static auto hookShared = [](JSContext* cx, CallArgs& args) {
+ Rooted<PlainObject*> obj(cx, NewPlainObject(cx));
+ if (!obj) {
+ return false;
+ }
+
+ // Define |this|. We can't expose the MagicValue to JS, so we use
+ // "<is_constructing>" in that case.
+ Rooted<Value> thisv(cx, args.thisv());
+ if (thisv.isMagic(JS_IS_CONSTRUCTING)) {
+ JSString* str = NewStringCopyZ<CanGC>(cx, "<is_constructing>");
+ if (!str) {
+ return false;
+ }
+ thisv.setString(str);
+ }
+ if (!DefineDataProperty(cx, obj, cx->names().this_, thisv,
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ // Define |callee|.
+ if (!DefineDataProperty(cx, obj, cx->names().callee, args.calleev(),
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ // Define |arguments| array.
+ Rooted<ArrayObject*> arr(
+ cx, NewDenseCopiedArray(cx, args.length(), args.array()));
+ if (!arr) {
+ return false;
+ }
+ Rooted<Value> arrVal(cx, ObjectValue(*arr));
+ if (!DefineDataProperty(cx, obj, cx->names().arguments, arrVal,
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ // Define |newTarget| if constructing.
+ if (args.isConstructing()) {
+ const char* propName = "newTarget";
+ Rooted<JSAtom*> name(cx, Atomize(cx, propName, strlen(propName)));
+ if (!name) {
+ return false;
+ }
+ Rooted<PropertyKey> key(cx, NameToId(name->asPropertyName()));
+ if (!DefineDataProperty(cx, obj, key, args.newTarget(),
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+ };
+
+ static auto callHook = [](JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ MOZ_ASSERT(!args.isConstructing());
+ return hookShared(cx, args);
+ };
+ static auto constructHook = [](JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ MOZ_ASSERT(args.isConstructing());
+ return hookShared(cx, args);
+ };
+
+ static const JSClassOps classOps = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ nullptr, // finalize
+ callHook, // call
+ constructHook, // construct
+ nullptr, // trace
+ };
+ static const JSClass cls = {
+ "ObjectWithCallHook",
+ 0,
+ &classOps,
+ };
+
+ Rooted<JSObject*> obj(cx, JS_NewObject(cx, &cls));
+ if (!obj) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static constexpr JSClass ObjectWithManyReservedSlotsClass = {
+ "ObjectWithManyReservedSlots", JSCLASS_HAS_RESERVED_SLOTS(40)};
+
+static bool NewObjectWithManyReservedSlots(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ static constexpr size_t NumReservedSlots =
+ JSCLASS_RESERVED_SLOTS(&ObjectWithManyReservedSlotsClass);
+ static_assert(NumReservedSlots > NativeObject::MAX_FIXED_SLOTS);
+
+ RootedObject obj(cx, JS_NewObject(cx, &ObjectWithManyReservedSlotsClass));
+ if (!obj) {
+ return false;
+ }
+
+ for (size_t i = 0; i < NumReservedSlots; i++) {
+ JS_SetReservedSlot(obj, i, Int32Value(i));
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool CheckObjectWithManyReservedSlots(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1 || !args[0].isObject() ||
+ args[0].toObject().getClass() != &ObjectWithManyReservedSlotsClass) {
+ JS_ReportErrorASCII(cx,
+ "Expected object from newObjectWithManyReservedSlots");
+ return false;
+ }
+
+ JSObject* obj = &args[0].toObject();
+
+ static constexpr size_t NumReservedSlots =
+ JSCLASS_RESERVED_SLOTS(&ObjectWithManyReservedSlotsClass);
+
+ for (size_t i = 0; i < NumReservedSlots; i++) {
+ MOZ_RELEASE_ASSERT(JS::GetReservedSlot(obj, i).toInt32() == int32_t(i));
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetWatchtowerLog(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ Rooted<GCVector<Value>> values(cx, GCVector<Value>(cx));
+
+ if (auto* log = cx->runtime()->watchtowerTestingLog.ref().get()) {
+ Rooted<JSObject*> elem(cx);
+ for (PlainObject* obj : *log) {
+ elem = obj;
+ if (!cx->compartment()->wrap(cx, &elem)) {
+ return false;
+ }
+ if (!values.append(ObjectValue(*elem))) {
+ return false;
+ }
+ }
+ log->clearAndFree();
+ }
+
+ ArrayObject* arr = NewDenseCopiedArray(cx, values.length(), values.begin());
+ if (!arr) {
+ return false;
+ }
+
+ args.rval().setObject(*arr);
+ return true;
+}
+
+static bool AddWatchtowerTarget(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1 || !args[0].isObject()) {
+ JS_ReportErrorASCII(cx, "Expected a single object argument.");
+ return false;
+ }
+
+ if (!cx->runtime()->watchtowerTestingLog.ref()) {
+ auto vec = cx->make_unique<JSRuntime::RootedPlainObjVec>(cx);
+ if (!vec) {
+ return false;
+ }
+ cx->runtime()->watchtowerTestingLog = std::move(vec);
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+ if (!JSObject::setUseWatchtowerTestingLog(cx, obj)) {
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+struct TestExternalString : public JSExternalStringCallbacks {
+ void finalize(char16_t* chars) const override { js_free(chars); }
+ size_t sizeOfBuffer(const char16_t* chars,
+ mozilla::MallocSizeOf mallocSizeOf) const override {
+ return mallocSizeOf(chars);
+ }
+};
+
+static constexpr TestExternalString TestExternalStringCallbacks;
+
+static bool NewString(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedString src(cx, ToString(cx, args.get(0)));
+ if (!src) {
+ return false;
+ }
+
+ gc::Heap heap = gc::Heap::Default;
+ bool wantTwoByte = false;
+ bool forceExternal = false;
+ bool maybeExternal = false;
+ uint32_t capacity = 0;
+
+ if (args.get(1).isObject()) {
+ RootedObject options(cx, &args[1].toObject());
+ RootedValue v(cx);
+ bool requestTenured = false;
+ struct BoolSetting {
+ const char* name;
+ bool* value;
+ };
+ for (auto [name, setting] :
+ {BoolSetting{"tenured", &requestTenured},
+ BoolSetting{"twoByte", &wantTwoByte},
+ BoolSetting{"external", &forceExternal},
+ BoolSetting{"maybeExternal", &maybeExternal}}) {
+ if (!JS_GetProperty(cx, options, name, &v)) {
+ return false;
+ }
+ *setting = ToBoolean(v); // false if not given (or otherwise undefined)
+ }
+ struct Uint32Setting {
+ const char* name;
+ uint32_t* value;
+ };
+ for (auto [name, setting] : {Uint32Setting{"capacity", &capacity}}) {
+ if (!JS_GetProperty(cx, options, name, &v)) {
+ return false;
+ }
+ int32_t i32;
+ if (!ToInt32(cx, v, &i32)) {
+ return false;
+ }
+ if (i32 < 0) {
+ JS_ReportErrorASCII(cx, "nonnegative value required");
+ return false;
+ }
+ *setting = static_cast<uint32_t>(i32);
+ }
+
+ heap = requestTenured ? gc::Heap::Tenured : gc::Heap::Default;
+ if (forceExternal || maybeExternal) {
+ wantTwoByte = true;
+ if (capacity != 0) {
+ JS_ReportErrorASCII(cx,
+ "strings cannot be both external and extensible");
+ return false;
+ }
+ }
+ }
+
+ auto len = src->length();
+ RootedString dest(cx);
+
+ if (forceExternal || maybeExternal) {
+ auto buf = cx->make_pod_array<char16_t>(len);
+ if (!buf) {
+ return false;
+ }
+
+ if (!JS_CopyStringChars(cx, mozilla::Range<char16_t>(buf.get(), len),
+ src)) {
+ return false;
+ }
+
+ bool isExternal = true;
+ if (forceExternal) {
+ dest = JSExternalString::new_(cx, buf.get(), len,
+ &TestExternalStringCallbacks);
+ } else {
+ dest = NewMaybeExternalString(
+ cx, buf.get(), len, &TestExternalStringCallbacks, &isExternal, heap);
+ }
+ if (dest && isExternal) {
+ (void)buf.release(); // Ownership was transferred.
+ }
+ } else {
+ AutoStableStringChars stable(cx);
+ if (!wantTwoByte && src->hasLatin1Chars()) {
+ if (!stable.init(cx, src)) {
+ return false;
+ }
+ } else {
+ if (!stable.initTwoByte(cx, src)) {
+ return false;
+ }
+ }
+ if (capacity) {
+ if (capacity < len) {
+ capacity = len;
+ }
+ if (len == 0) {
+ JS_ReportErrorASCII(cx, "Cannot set capacity of empty string");
+ return false;
+ }
+ if (stable.isLatin1()) {
+ auto news = cx->make_pod_arena_array<JS::Latin1Char>(
+ js::StringBufferArena, capacity);
+ if (!news) {
+ return false;
+ }
+ mozilla::PodCopy(news.get(), stable.latin1Chars(), len);
+ dest = JSLinearString::newValidLength<CanGC>(cx, std::move(news), len,
+ heap);
+ } else {
+ auto news =
+ cx->make_pod_arena_array<char16_t>(js::StringBufferArena, capacity);
+ if (!news) {
+ return false;
+ }
+ mozilla::PodCopy(news.get(), stable.twoByteChars(), len);
+ dest = JSLinearString::newValidLength<CanGC>(cx, std::move(news), len,
+ heap);
+ }
+ if (dest) {
+ dest->asLinear().makeExtensible(capacity);
+ }
+ } else if (wantTwoByte) {
+ dest = NewStringCopyNDontDeflate<CanGC>(cx, stable.twoByteChars(), len,
+ heap);
+ } else if (stable.isLatin1()) {
+ dest = NewStringCopyN<CanGC>(cx, stable.latin1Chars(), len, heap);
+ } else {
+ // Normal behavior: auto-deflate to latin1 if possible.
+ dest = NewStringCopyN<CanGC>(cx, stable.twoByteChars(), len, heap);
+ }
+ }
+
+ if (!dest) {
+ return false;
+ }
+
+ args.rval().setString(dest);
+ return true;
+}
+
+// Warning! This will let you create ropes that I'm not sure would be possible
+// otherwise, specifically:
+//
+// - a rope with a zero-length child
+// - a rope that would fit into an inline string
+//
+static bool NewRope(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isString() || !args.get(1).isString()) {
+ JS_ReportErrorASCII(cx, "newRope requires two string arguments.");
+ return false;
+ }
+
+ gc::Heap heap = js::gc::Heap::Default;
+ if (args.get(2).isObject()) {
+ RootedObject options(cx, &args[2].toObject());
+ RootedValue v(cx);
+ if (!JS_GetProperty(cx, options, "nursery", &v)) {
+ return false;
+ }
+ if (!v.isUndefined() && !ToBoolean(v)) {
+ heap = js::gc::Heap::Tenured;
+ }
+ }
+
+ RootedString left(cx, args[0].toString());
+ RootedString right(cx, args[1].toString());
+ size_t length = JS_GetStringLength(left) + JS_GetStringLength(right);
+ if (length > JSString::MAX_LENGTH) {
+ JS_ReportErrorASCII(cx, "rope length exceeds maximum string length");
+ return false;
+ }
+
+ // Disallow creating ropes where one side is empty.
+ if (left->empty() || right->empty()) {
+ JS_ReportErrorASCII(cx, "rope child mustn't be the empty string");
+ return false;
+ }
+
+ auto* str = JSRope::new_<CanGC>(cx, left, right, length, heap);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+static bool IsRope(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isString()) {
+ JS_ReportErrorASCII(cx, "isRope requires a string argument.");
+ return false;
+ }
+
+ JSString* str = args[0].toString();
+ args.rval().setBoolean(str->isRope());
+ return true;
+}
+
+static bool EnsureLinearString(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1 || !args[0].isString()) {
+ JS_ReportErrorASCII(
+ cx, "ensureLinearString takes exactly one string argument.");
+ return false;
+ }
+
+ JSLinearString* linear = args[0].toString()->ensureLinear(cx);
+ if (!linear) {
+ return false;
+ }
+
+ args.rval().setString(linear);
+ return true;
+}
+
+static bool RepresentativeStringArray(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedObject array(cx, JS::NewArrayObject(cx, 0));
+ if (!array) {
+ return false;
+ }
+
+ if (!JSString::fillWithRepresentatives(cx, array.as<ArrayObject>())) {
+ return false;
+ }
+
+ args.rval().setObject(*array);
+ return true;
+}
+
+#if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
+
+static bool OOMThreadTypes(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setInt32(js::THREAD_TYPE_MAX);
+ return true;
+}
+
+static bool CheckCanSimulateOOM(JSContext* cx) {
+ if (js::oom::GetThreadType() != js::THREAD_TYPE_MAIN) {
+ JS_ReportErrorASCII(
+ cx, "Simulated OOM failure is only supported on the main thread");
+ return false;
+ }
+
+ return true;
+}
+
+static bool SetupOOMFailure(JSContext* cx, bool failAlways, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (disableOOMFunctions) {
+ args.rval().setUndefined();
+ return true;
+ }
+
+ if (args.length() < 1) {
+ JS_ReportErrorASCII(cx, "Count argument required");
+ return false;
+ }
+
+ if (args.length() > 2) {
+ JS_ReportErrorASCII(cx, "Too many arguments");
+ return false;
+ }
+
+ int32_t count;
+ if (!JS::ToInt32(cx, args.get(0), &count)) {
+ return false;
+ }
+
+ if (count <= 0) {
+ JS_ReportErrorASCII(cx, "OOM cutoff should be positive");
+ return false;
+ }
+
+ uint32_t targetThread = js::THREAD_TYPE_MAIN;
+ if (args.length() > 1 && !ToUint32(cx, args[1], &targetThread)) {
+ return false;
+ }
+
+ if (targetThread == js::THREAD_TYPE_NONE ||
+ targetThread == js::THREAD_TYPE_WORKER ||
+ targetThread >= js::THREAD_TYPE_MAX) {
+ JS_ReportErrorASCII(cx, "Invalid thread type specified");
+ return false;
+ }
+
+ if (!CheckCanSimulateOOM(cx)) {
+ return false;
+ }
+
+ js::oom::simulator.simulateFailureAfter(js::oom::FailureSimulator::Kind::OOM,
+ count, targetThread, failAlways);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool OOMAfterAllocations(JSContext* cx, unsigned argc, Value* vp) {
+ return SetupOOMFailure(cx, true, argc, vp);
+}
+
+static bool OOMAtAllocation(JSContext* cx, unsigned argc, Value* vp) {
+ return SetupOOMFailure(cx, false, argc, vp);
+}
+
+static bool ResetOOMFailure(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!CheckCanSimulateOOM(cx)) {
+ return false;
+ }
+
+ args.rval().setBoolean(js::oom::HadSimulatedOOM());
+ js::oom::simulator.reset();
+ return true;
+}
+
+static size_t CountCompartments(JSContext* cx) {
+ size_t count = 0;
+ for (auto zone : cx->runtime()->gc.zones()) {
+ count += zone->compartments().length();
+ }
+ return count;
+}
+
+// Iterative failure testing: test a function by simulating failures at indexed
+// locations throughout the normal execution path and checking that the
+// resulting state of the environment is consistent with the error result.
+//
+// For example, trigger OOM at every allocation point and test that the function
+// either recovers and succeeds or raises an exception and fails.
+
+class MOZ_STACK_CLASS IterativeFailureTest {
+ public:
+ struct FailureSimulator {
+ virtual void setup(JSContext* cx) {}
+ virtual void teardown(JSContext* cx) {}
+ virtual void startSimulating(JSContext* cx, unsigned iteration,
+ unsigned thread, bool keepFailing) = 0;
+ virtual bool stopSimulating() = 0;
+ virtual void cleanup(JSContext* cx) {}
+ };
+
+ IterativeFailureTest(JSContext* cx, FailureSimulator& simulator);
+ bool initParams(const CallArgs& args);
+ bool test();
+
+ private:
+ bool setup();
+ bool testThread(unsigned thread);
+ bool testIteration(unsigned thread, unsigned iteration,
+ bool& failureWasSimulated, MutableHandleValue exception);
+ void cleanup();
+ void teardown();
+
+ JSContext* const cx;
+ FailureSimulator& simulator;
+ size_t compartmentCount;
+
+ // Test parameters set by initParams.
+ RootedFunction testFunction;
+ unsigned threadStart = 0;
+ unsigned threadEnd = 0;
+ bool expectExceptionOnFailure = true;
+ bool keepFailing = false;
+ bool verbose = false;
+};
+
+bool RunIterativeFailureTest(
+ JSContext* cx, const CallArgs& args,
+ IterativeFailureTest::FailureSimulator& simulator) {
+ IterativeFailureTest test(cx, simulator);
+ return test.initParams(args) && test.test();
+}
+
+IterativeFailureTest::IterativeFailureTest(JSContext* cx,
+ FailureSimulator& simulator)
+ : cx(cx), simulator(simulator), testFunction(cx) {}
+
+bool IterativeFailureTest::test() {
+ if (disableOOMFunctions) {
+ return true;
+ }
+
+ if (!setup()) {
+ return false;
+ }
+
+ auto onExit = mozilla::MakeScopeExit([this] { teardown(); });
+
+ for (unsigned thread = threadStart; thread <= threadEnd; thread++) {
+ if (!testThread(thread)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+bool IterativeFailureTest::setup() {
+ if (!CheckCanSimulateOOM(cx)) {
+ return false;
+ }
+
+ // Disallow nested tests.
+ if (cx->runningOOMTest) {
+ JS_ReportErrorASCII(
+ cx, "Nested call to iterative failure test is not allowed.");
+ return false;
+ }
+ cx->runningOOMTest = true;
+
+ MOZ_ASSERT(!cx->isExceptionPending());
+
+# ifdef JS_GC_ZEAL
+ JS_SetGCZeal(cx, 0, JS_DEFAULT_ZEAL_FREQ);
+# endif
+
+ // Delazify the function here if necessary so we don't end up testing that.
+ if (testFunction->isInterpreted() &&
+ !JSFunction::getOrCreateScript(cx, testFunction)) {
+ return false;
+ }
+
+ compartmentCount = CountCompartments(cx);
+
+ simulator.setup(cx);
+
+ return true;
+}
+
+bool IterativeFailureTest::testThread(unsigned thread) {
+ if (verbose) {
+ fprintf(stderr, "thread %u\n", thread);
+ }
+
+ RootedValue exception(cx);
+
+ unsigned iteration = 1;
+ bool failureWasSimulated;
+ do {
+ if (!testIteration(thread, iteration, failureWasSimulated, &exception)) {
+ return false;
+ }
+
+ iteration++;
+ } while (failureWasSimulated);
+
+ if (verbose) {
+ fprintf(stderr, " finished after %u iterations\n", iteration - 1);
+ if (!exception.isUndefined()) {
+ RootedString str(cx, JS::ToString(cx, exception));
+ if (!str) {
+ fprintf(stderr, " error while trying to print exception, giving up\n");
+ return false;
+ }
+ UniqueChars bytes(JS_EncodeStringToUTF8(cx, str));
+ if (!bytes) {
+ return false;
+ }
+ fprintf(stderr, " threw %s\n", bytes.get());
+ }
+ }
+
+ return true;
+}
+
+bool IterativeFailureTest::testIteration(unsigned thread, unsigned iteration,
+ bool& failureWasSimulated,
+ MutableHandleValue exception) {
+ if (verbose) {
+ fprintf(stderr, " iteration %u\n", iteration);
+ }
+
+ MOZ_RELEASE_ASSERT(!cx->isExceptionPending());
+
+ simulator.startSimulating(cx, iteration, thread, keepFailing);
+
+ RootedValue result(cx);
+ bool ok = JS_CallFunction(cx, cx->global(), testFunction,
+ HandleValueArray::empty(), &result);
+
+ failureWasSimulated = simulator.stopSimulating();
+
+ if (ok && cx->isExceptionPending()) {
+ MOZ_CRASH(
+ "Thunk execution succeeded but an exception was raised - missing error "
+ "check?");
+ }
+
+ if (!ok && !cx->isExceptionPending() && expectExceptionOnFailure) {
+ MOZ_CRASH(
+ "Thunk execution failed but no exception was raised - missing call to "
+ "js::ReportOutOfMemory()?");
+ }
+
+ // Note that it is possible that the function throws an exception unconnected
+ // to the simulated failure, in which case we ignore it. More correct would be
+ // to have the caller pass some kind of exception specification and to check
+ // the exception against it.
+ if (!failureWasSimulated && cx->isExceptionPending()) {
+ if (!cx->getPendingException(exception)) {
+ return false;
+ }
+ }
+ cx->clearPendingException();
+
+ cleanup();
+
+ return true;
+}
+
+void IterativeFailureTest::cleanup() {
+ simulator.cleanup(cx);
+
+ gc::FinishGC(cx);
+
+ // Some tests create a new compartment or zone on every iteration. Our GC is
+ // triggered by GC allocations and not by number of compartments or zones, so
+ // these won't normally get cleaned up. The check here stops some tests
+ // running out of memory. ("Gentlemen, you can't fight in here! This is the
+ // War oom!")
+ if (CountCompartments(cx) > compartmentCount + 100) {
+ JS_GC(cx);
+ compartmentCount = CountCompartments(cx);
+ }
+}
+
+void IterativeFailureTest::teardown() {
+ simulator.teardown(cx);
+
+ cx->runningOOMTest = false;
+}
+
+bool IterativeFailureTest::initParams(const CallArgs& args) {
+ if (args.length() < 1 || args.length() > 2) {
+ JS_ReportErrorASCII(cx, "function takes between 1 and 2 arguments.");
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "The first argument must be the function to test.");
+ return false;
+ }
+ testFunction = &args[0].toObject().as<JSFunction>();
+
+ if (args.length() == 2) {
+ if (args[1].isBoolean()) {
+ expectExceptionOnFailure = args[1].toBoolean();
+ } else if (args[1].isObject()) {
+ RootedObject options(cx, &args[1].toObject());
+ RootedValue value(cx);
+
+ if (!JS_GetProperty(cx, options, "expectExceptionOnFailure", &value)) {
+ return false;
+ }
+ if (!value.isUndefined()) {
+ expectExceptionOnFailure = ToBoolean(value);
+ }
+
+ if (!JS_GetProperty(cx, options, "keepFailing", &value)) {
+ return false;
+ }
+ if (!value.isUndefined()) {
+ keepFailing = ToBoolean(value);
+ }
+ } else {
+ JS_ReportErrorASCII(
+ cx, "The optional second argument must be an object or a boolean.");
+ return false;
+ }
+ }
+
+ // There are some places where we do fail without raising an exception, so
+ // we can't expose this to the fuzzers by default.
+ if (fuzzingSafe) {
+ expectExceptionOnFailure = false;
+ }
+
+ // Test all threads by default except worker threads.
+ threadStart = oom::FirstThreadTypeToTest;
+ threadEnd = oom::LastThreadTypeToTest;
+
+ // Test a single thread type if specified by the OOM_THREAD environment
+ // variable.
+ int threadOption = 0;
+ if (EnvVarAsInt("OOM_THREAD", &threadOption)) {
+ if (threadOption < oom::FirstThreadTypeToTest ||
+ threadOption > oom::LastThreadTypeToTest) {
+ JS_ReportErrorASCII(cx, "OOM_THREAD value out of range.");
+ return false;
+ }
+
+ threadStart = threadOption;
+ threadEnd = threadOption;
+ }
+
+ verbose = EnvVarIsDefined("OOM_VERBOSE");
+
+ return true;
+}
+
+struct OOMSimulator : public IterativeFailureTest::FailureSimulator {
+ void setup(JSContext* cx) override { cx->runtime()->hadOutOfMemory = false; }
+
+ void startSimulating(JSContext* cx, unsigned i, unsigned thread,
+ bool keepFailing) override {
+ MOZ_ASSERT(!cx->runtime()->hadOutOfMemory);
+ js::oom::simulator.simulateFailureAfter(
+ js::oom::FailureSimulator::Kind::OOM, i, thread, keepFailing);
+ }
+
+ bool stopSimulating() override {
+ bool handledOOM = js::oom::HadSimulatedOOM();
+ js::oom::simulator.reset();
+ return handledOOM;
+ }
+
+ void cleanup(JSContext* cx) override {
+ cx->runtime()->hadOutOfMemory = false;
+ }
+};
+
+static bool OOMTest(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ OOMSimulator simulator;
+ if (!RunIterativeFailureTest(cx, args, simulator)) {
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+struct StackOOMSimulator : public IterativeFailureTest::FailureSimulator {
+ void startSimulating(JSContext* cx, unsigned i, unsigned thread,
+ bool keepFailing) override {
+ js::oom::simulator.simulateFailureAfter(
+ js::oom::FailureSimulator::Kind::StackOOM, i, thread, keepFailing);
+ }
+
+ bool stopSimulating() override {
+ bool handledOOM = js::oom::HadSimulatedStackOOM();
+ js::oom::simulator.reset();
+ return handledOOM;
+ }
+};
+
+static bool StackTest(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ StackOOMSimulator simulator;
+ if (!RunIterativeFailureTest(cx, args, simulator)) {
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+struct FailingIterruptSimulator
+ : public IterativeFailureTest::FailureSimulator {
+ JSInterruptCallback* prevEnd = nullptr;
+
+ static bool failingInterruptCallback(JSContext* cx) { return false; }
+
+ void setup(JSContext* cx) override {
+ prevEnd = cx->interruptCallbacks().end();
+ JS_AddInterruptCallback(cx, failingInterruptCallback);
+ }
+
+ void teardown(JSContext* cx) override {
+ cx->interruptCallbacks().erase(prevEnd, cx->interruptCallbacks().end());
+ }
+
+ void startSimulating(JSContext* cx, unsigned i, unsigned thread,
+ bool keepFailing) override {
+ js::oom::simulator.simulateFailureAfter(
+ js::oom::FailureSimulator::Kind::Interrupt, i, thread, keepFailing);
+ }
+
+ bool stopSimulating() override {
+ bool handledInterrupt = js::oom::HadSimulatedInterrupt();
+ js::oom::simulator.reset();
+ return handledInterrupt;
+ }
+};
+
+static bool InterruptTest(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ FailingIterruptSimulator simulator;
+ if (!RunIterativeFailureTest(cx, args, simulator)) {
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+#endif // defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
+
+static bool SettlePromiseNow(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "settlePromiseNow", 1)) {
+ return false;
+ }
+ if (!args[0].isObject() || !args[0].toObject().is<PromiseObject>()) {
+ JS_ReportErrorASCII(cx, "first argument must be a Promise object");
+ return false;
+ }
+
+ Rooted<PromiseObject*> promise(cx, &args[0].toObject().as<PromiseObject>());
+ if (IsPromiseForAsyncFunctionOrGenerator(promise)) {
+ JS_ReportErrorASCII(
+ cx, "async function/generator's promise shouldn't be manually settled");
+ return false;
+ }
+
+ if (promise->state() != JS::PromiseState::Pending) {
+ JS_ReportErrorASCII(cx, "cannot settle an already-resolved promise");
+ return false;
+ }
+
+ if (IsPromiseWithDefaultResolvingFunction(promise)) {
+ SetAlreadyResolvedPromiseWithDefaultResolvingFunction(promise);
+ }
+
+ int32_t flags = promise->flags();
+ promise->setFixedSlot(
+ PromiseSlot_Flags,
+ Int32Value(flags | PROMISE_FLAG_RESOLVED | PROMISE_FLAG_FULFILLED));
+ promise->setFixedSlot(PromiseSlot_ReactionsOrResult, UndefinedValue());
+
+ DebugAPI::onPromiseSettled(cx, promise);
+ return true;
+}
+
+static bool GetWaitForAllPromise(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "getWaitForAllPromise", 1)) {
+ return false;
+ }
+ if (!args[0].isObject() || !args[0].toObject().is<ArrayObject>() ||
+ args[0].toObject().as<NativeObject>().isIndexed()) {
+ JS_ReportErrorASCII(
+ cx, "first argument must be a dense Array of Promise objects");
+ return false;
+ }
+ Rooted<NativeObject*> list(cx, &args[0].toObject().as<NativeObject>());
+ RootedObjectVector promises(cx);
+ uint32_t count = list->getDenseInitializedLength();
+ if (!promises.resize(count)) {
+ return false;
+ }
+
+ for (uint32_t i = 0; i < count; i++) {
+ RootedValue elem(cx, list->getDenseElement(i));
+ if (!elem.isObject() || !elem.toObject().is<PromiseObject>()) {
+ JS_ReportErrorASCII(
+ cx, "Each entry in the passed-in Array must be a Promise");
+ return false;
+ }
+ promises[i].set(&elem.toObject());
+ }
+
+ RootedObject resultPromise(cx, JS::GetWaitForAllPromise(cx, promises));
+ if (!resultPromise) {
+ return false;
+ }
+
+ args.rval().set(ObjectValue(*resultPromise));
+ return true;
+}
+
+static bool ResolvePromise(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "resolvePromise", 2)) {
+ return false;
+ }
+ if (!args[0].isObject() ||
+ !UncheckedUnwrap(&args[0].toObject())->is<PromiseObject>()) {
+ JS_ReportErrorASCII(
+ cx, "first argument must be a maybe-wrapped Promise object");
+ return false;
+ }
+
+ RootedObject promise(cx, &args[0].toObject());
+ RootedValue resolution(cx, args[1]);
+ mozilla::Maybe<AutoRealm> ar;
+ if (IsWrapper(promise)) {
+ promise = UncheckedUnwrap(promise);
+ ar.emplace(cx, promise);
+ if (!cx->compartment()->wrap(cx, &resolution)) {
+ return false;
+ }
+ }
+
+ if (IsPromiseForAsyncFunctionOrGenerator(promise)) {
+ JS_ReportErrorASCII(
+ cx,
+ "async function/generator's promise shouldn't be manually resolved");
+ return false;
+ }
+
+ bool result = JS::ResolvePromise(cx, promise, resolution);
+ if (result) {
+ args.rval().setUndefined();
+ }
+ return result;
+}
+
+static bool RejectPromise(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "rejectPromise", 2)) {
+ return false;
+ }
+ if (!args[0].isObject() ||
+ !UncheckedUnwrap(&args[0].toObject())->is<PromiseObject>()) {
+ JS_ReportErrorASCII(
+ cx, "first argument must be a maybe-wrapped Promise object");
+ return false;
+ }
+
+ RootedObject promise(cx, &args[0].toObject());
+ RootedValue reason(cx, args[1]);
+ mozilla::Maybe<AutoRealm> ar;
+ if (IsWrapper(promise)) {
+ promise = UncheckedUnwrap(promise);
+ ar.emplace(cx, promise);
+ if (!cx->compartment()->wrap(cx, &reason)) {
+ return false;
+ }
+ }
+
+ if (IsPromiseForAsyncFunctionOrGenerator(promise)) {
+ JS_ReportErrorASCII(
+ cx,
+ "async function/generator's promise shouldn't be manually rejected");
+ return false;
+ }
+
+ bool result = JS::RejectPromise(cx, promise, reason);
+ if (result) {
+ args.rval().setUndefined();
+ }
+ return result;
+}
+
+static unsigned finalizeCount = 0;
+
+static void finalize_counter_finalize(JS::GCContext* gcx, JSObject* obj) {
+ ++finalizeCount;
+}
+
+static const JSClassOps FinalizeCounterClassOps = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ finalize_counter_finalize, // finalize
+ nullptr, // call
+ nullptr, // construct
+ nullptr, // trace
+};
+
+static const JSClass FinalizeCounterClass = {
+ "FinalizeCounter", JSCLASS_FOREGROUND_FINALIZE, &FinalizeCounterClassOps};
+
+static bool MakeFinalizeObserver(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JSObject* obj =
+ JS_NewObjectWithGivenProto(cx, &FinalizeCounterClass, nullptr);
+ if (!obj) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool FinalizeCount(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setInt32(finalizeCount);
+ return true;
+}
+
+static bool ResetFinalizeCount(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ finalizeCount = 0;
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool DumpHeap(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ FILE* dumpFile = stdout;
+ auto closeFile = mozilla::MakeScopeExit([&dumpFile] {
+ if (dumpFile != stdout) {
+ fclose(dumpFile);
+ }
+ });
+
+ if (args.length() > 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ if (!args.get(0).isUndefined()) {
+ RootedString str(cx, ToString(cx, args[0]));
+ if (!str) {
+ return false;
+ }
+ if (!fuzzingSafe) {
+ UniqueChars fileNameBytes = JS_EncodeStringToUTF8(cx, str);
+ if (!fileNameBytes) {
+ return false;
+ }
+#ifdef XP_WIN
+ UniqueWideChars wideFileNameBytes =
+ JS::EncodeUtf8ToWide(cx, fileNameBytes.get());
+ if (!wideFileNameBytes) {
+ return false;
+ }
+ dumpFile = _wfopen(wideFileNameBytes.get(), L"w");
+#else
+ UniqueChars narrowFileNameBytes =
+ JS::EncodeUtf8ToNarrow(cx, fileNameBytes.get());
+ if (!narrowFileNameBytes) {
+ return false;
+ }
+ dumpFile = fopen(narrowFileNameBytes.get(), "w");
+#endif
+ if (!dumpFile) {
+ JS_ReportErrorUTF8(cx, "can't open %s", fileNameBytes.get());
+ return false;
+ }
+ }
+ }
+
+ js::DumpHeap(cx, dumpFile, js::IgnoreNurseryObjects);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool Terminate(JSContext* cx, unsigned arg, Value* vp) {
+ // Print a message to stderr in differential testing to help jsfunfuzz
+ // find uncatchable-exception bugs.
+ if (js::SupportDifferentialTesting()) {
+ fprintf(stderr, "terminate called\n");
+ }
+
+ JS_ClearPendingException(cx);
+ return false;
+}
+
+static bool ReadGeckoProfilingStack(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setUndefined();
+
+ // Return boolean 'false' if profiler is not enabled.
+ if (!cx->runtime()->geckoProfiler().enabled()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ // Array holding physical jit stack frames.
+ RootedObject stack(cx, NewDenseEmptyArray(cx));
+ if (!stack) {
+ return false;
+ }
+
+ // If profiler sampling has been suppressed, return an empty
+ // stack.
+ if (!cx->isProfilerSamplingEnabled()) {
+ args.rval().setObject(*stack);
+ return true;
+ }
+
+ struct InlineFrameInfo {
+ InlineFrameInfo(const char* kind, UniqueChars label)
+ : kind(kind), label(std::move(label)) {}
+ const char* kind;
+ UniqueChars label;
+ };
+
+ Vector<Vector<InlineFrameInfo, 0, TempAllocPolicy>, 0, TempAllocPolicy>
+ frameInfo(cx);
+
+ JS::ProfilingFrameIterator::RegisterState state;
+ for (JS::ProfilingFrameIterator i(cx, state); !i.done(); ++i) {
+ MOZ_ASSERT(i.stackAddress() != nullptr);
+
+ if (!frameInfo.emplaceBack(cx)) {
+ return false;
+ }
+
+ const size_t MaxInlineFrames = 16;
+ JS::ProfilingFrameIterator::Frame frames[MaxInlineFrames];
+ uint32_t nframes = i.extractStack(frames, 0, MaxInlineFrames);
+ MOZ_ASSERT(nframes <= MaxInlineFrames);
+ for (uint32_t i = 0; i < nframes; i++) {
+ const char* frameKindStr = nullptr;
+ switch (frames[i].kind) {
+ case JS::ProfilingFrameIterator::Frame_BaselineInterpreter:
+ frameKindStr = "baseline-interpreter";
+ break;
+ case JS::ProfilingFrameIterator::Frame_Baseline:
+ frameKindStr = "baseline-jit";
+ break;
+ case JS::ProfilingFrameIterator::Frame_Ion:
+ frameKindStr = "ion";
+ break;
+ case JS::ProfilingFrameIterator::Frame_Wasm:
+ frameKindStr = "wasm";
+ break;
+ default:
+ frameKindStr = "unknown";
+ }
+
+ UniqueChars label =
+ DuplicateStringToArena(js::StringBufferArena, cx, frames[i].label);
+ if (!label) {
+ return false;
+ }
+
+ if (!frameInfo.back().emplaceBack(frameKindStr, std::move(label))) {
+ return false;
+ }
+ }
+ }
+
+ RootedObject inlineFrameInfo(cx);
+ RootedString frameKind(cx);
+ RootedString frameLabel(cx);
+ RootedId idx(cx);
+
+ const unsigned propAttrs = JSPROP_ENUMERATE;
+
+ uint32_t physicalFrameNo = 0;
+ for (auto& frame : frameInfo) {
+ // Array holding all inline frames in a single physical jit stack frame.
+ RootedObject inlineStack(cx, NewDenseEmptyArray(cx));
+ if (!inlineStack) {
+ return false;
+ }
+
+ uint32_t inlineFrameNo = 0;
+ for (auto& inlineFrame : frame) {
+ // Object holding frame info.
+ RootedObject inlineFrameInfo(cx, NewPlainObject(cx));
+ if (!inlineFrameInfo) {
+ return false;
+ }
+
+ frameKind = NewStringCopyZ<CanGC>(cx, inlineFrame.kind);
+ if (!frameKind) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, inlineFrameInfo, "kind", frameKind,
+ propAttrs)) {
+ return false;
+ }
+
+ frameLabel = NewLatin1StringZ(cx, std::move(inlineFrame.label));
+ if (!frameLabel) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, inlineFrameInfo, "label", frameLabel,
+ propAttrs)) {
+ return false;
+ }
+
+ idx = PropertyKey::Int(inlineFrameNo);
+ if (!JS_DefinePropertyById(cx, inlineStack, idx, inlineFrameInfo, 0)) {
+ return false;
+ }
+
+ ++inlineFrameNo;
+ }
+
+ // Push inline array into main array.
+ idx = PropertyKey::Int(physicalFrameNo);
+ if (!JS_DefinePropertyById(cx, stack, idx, inlineStack, 0)) {
+ return false;
+ }
+
+ ++physicalFrameNo;
+ }
+
+ args.rval().setObject(*stack);
+ return true;
+}
+
+static bool ReadGeckoInterpProfilingStack(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setUndefined();
+
+ // Return boolean 'false' if profiler is not enabled.
+ if (!cx->runtime()->geckoProfiler().enabled()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ // Array with information about each frame.
+ Rooted<JSObject*> stack(cx, NewDenseEmptyArray(cx));
+ if (!stack) {
+ return false;
+ }
+ uint32_t stackIndex = 0;
+
+ ProfilingStack* profStack = cx->geckoProfiler().getProfilingStack();
+ MOZ_ASSERT(profStack);
+
+ for (size_t i = 0; i < profStack->stackSize(); i++) {
+ const auto& frame = profStack->frames[i];
+ if (!frame.isJsFrame()) {
+ continue;
+ }
+
+ // Skip fake JS frame pushed for js::RunScript by GeckoProfilerEntryMarker.
+ const char* dynamicStr = frame.dynamicString();
+ if (!dynamicStr) {
+ continue;
+ }
+
+ Rooted<PlainObject*> frameInfo(cx, NewPlainObject(cx));
+ if (!frameInfo) {
+ return false;
+ }
+
+ Rooted<JSString*> dynamicString(
+ cx, JS_NewStringCopyUTF8Z(
+ cx, JS::ConstUTF8CharsZ(dynamicStr, strlen(dynamicStr))));
+ if (!dynamicString) {
+ return false;
+ }
+ if (!JS_DefineProperty(cx, frameInfo, "dynamicString", dynamicString,
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ if (!JS_DefineElement(cx, stack, stackIndex, frameInfo, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ stackIndex++;
+ }
+
+ args.rval().setObject(*stack);
+ return true;
+}
+
+static bool EnableOsiPointRegisterChecks(JSContext*, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+#ifdef CHECK_OSIPOINT_REGISTERS
+ jit::JitOptions.checkOsiPointRegisters = true;
+#endif
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool DisplayName(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.get(0).isObject() || !args[0].toObject().is<JSFunction>()) {
+ RootedObject arg(cx, &args.callee());
+ ReportUsageErrorASCII(cx, arg, "Must have one function argument");
+ return false;
+ }
+
+ JSFunction* fun = &args[0].toObject().as<JSFunction>();
+ JSString* str = fun->displayAtom();
+ args.rval().setString(str ? str : cx->runtime()->emptyString.ref());
+ return true;
+}
+
+static bool IsAvxPresent(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+#if defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_X86)
+ int minVersion = 1;
+ if (argc > 0 && args.get(0).isNumber()) {
+ minVersion = std::max(1, int(args[0].toNumber()));
+ }
+ switch (minVersion) {
+ case 1:
+ args.rval().setBoolean(jit::Assembler::HasAVX());
+ return true;
+ case 2:
+ args.rval().setBoolean(jit::Assembler::HasAVX2());
+ return true;
+ }
+#endif
+ args.rval().setBoolean(false);
+ return true;
+}
+
+class ShellAllocationMetadataBuilder : public AllocationMetadataBuilder {
+ public:
+ ShellAllocationMetadataBuilder() : AllocationMetadataBuilder() {}
+
+ virtual JSObject* build(JSContext* cx, HandleObject,
+ AutoEnterOOMUnsafeRegion& oomUnsafe) const override;
+
+ static const ShellAllocationMetadataBuilder metadataBuilder;
+};
+
+JSObject* ShellAllocationMetadataBuilder::build(
+ JSContext* cx, HandleObject, AutoEnterOOMUnsafeRegion& oomUnsafe) const {
+ RootedObject obj(cx, NewPlainObject(cx));
+ if (!obj) {
+ oomUnsafe.crash("ShellAllocationMetadataBuilder::build");
+ }
+
+ RootedObject stack(cx, NewDenseEmptyArray(cx));
+ if (!stack) {
+ oomUnsafe.crash("ShellAllocationMetadataBuilder::build");
+ }
+
+ static int createdIndex = 0;
+ createdIndex++;
+
+ if (!JS_DefineProperty(cx, obj, "index", createdIndex, 0)) {
+ oomUnsafe.crash("ShellAllocationMetadataBuilder::build");
+ }
+
+ if (!JS_DefineProperty(cx, obj, "stack", stack, 0)) {
+ oomUnsafe.crash("ShellAllocationMetadataBuilder::build");
+ }
+
+ int stackIndex = 0;
+ RootedId id(cx);
+ RootedValue callee(cx);
+ for (NonBuiltinScriptFrameIter iter(cx); !iter.done(); ++iter) {
+ if (iter.isFunctionFrame() && iter.compartment() == cx->compartment()) {
+ id = PropertyKey::Int(stackIndex);
+ RootedObject callee(cx, iter.callee(cx));
+ if (!JS_DefinePropertyById(cx, stack, id, callee, JSPROP_ENUMERATE)) {
+ oomUnsafe.crash("ShellAllocationMetadataBuilder::build");
+ }
+ stackIndex++;
+ }
+ }
+
+ return obj;
+}
+
+const ShellAllocationMetadataBuilder
+ ShellAllocationMetadataBuilder::metadataBuilder;
+
+static bool EnableShellAllocationMetadataBuilder(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ SetAllocationMetadataBuilder(
+ cx, &ShellAllocationMetadataBuilder::metadataBuilder);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetAllocationMetadata(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1 || !args[0].isObject()) {
+ JS_ReportErrorASCII(cx, "Argument must be an object");
+ return false;
+ }
+
+ args.rval().setObjectOrNull(GetAllocationMetadata(&args[0].toObject()));
+ return true;
+}
+
+static bool testingFunc_bailout(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ // NOP when not in IonMonkey
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool testingFunc_bailAfter(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1 || !args[0].isInt32() || args[0].toInt32() < 0) {
+ JS_ReportErrorASCII(
+ cx, "Argument must be a positive number that fits in an int32");
+ return false;
+ }
+
+#ifdef DEBUG
+ if (auto* jitRuntime = cx->runtime()->jitRuntime()) {
+ uint32_t bailAfter = args[0].toInt32();
+ bool enableBailAfter = bailAfter > 0;
+ if (jitRuntime->ionBailAfterEnabled() != enableBailAfter) {
+ // Force JIT code to be recompiled with (or without) instrumentation.
+ ReleaseAllJITCode(cx->gcContext());
+ jitRuntime->setIonBailAfterEnabled(enableBailAfter);
+ }
+ jitRuntime->setIonBailAfterCounter(bailAfter);
+ }
+#endif
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool testingFunc_invalidate(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ // If the topmost frame is Ion/Warp, find the IonScript and invalidate it.
+ FrameIter iter(cx);
+ if (!iter.done() && iter.isIon()) {
+ while (!iter.isPhysicalJitFrame()) {
+ ++iter;
+ }
+ if (iter.script()->hasIonScript()) {
+ js::jit::Invalidate(cx, iter.script());
+ }
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static constexpr unsigned JitWarmupResetLimit = 20;
+static_assert(JitWarmupResetLimit <=
+ unsigned(JSScript::MutableFlags::WarmupResets_MASK),
+ "JitWarmupResetLimit exceeds max value");
+
+static bool testingFunc_inJit(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!jit::IsBaselineJitEnabled(cx)) {
+ return ReturnStringCopy(cx, args, "Baseline is disabled.");
+ }
+
+ // Use frame iterator to inspect caller.
+ FrameIter iter(cx);
+
+ // We may be invoked directly, not in a JS context, e.g. if inJit is added as
+ // a callback on the event queue.
+ if (iter.done()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ if (iter.hasScript()) {
+ // Detect repeated attempts to compile, resetting the counter if inJit
+ // succeeds. Note: This script may have be inlined into its caller.
+ if (iter.isJSJit()) {
+ iter.script()->resetWarmUpResetCounter();
+ } else if (iter.script()->getWarmUpResetCount() >= JitWarmupResetLimit) {
+ return ReturnStringCopy(
+ cx, args, "Compilation is being repeatedly prevented. Giving up.");
+ }
+ }
+
+ // Returns true for any JIT (including WASM).
+ MOZ_ASSERT_IF(iter.isJSJit(), cx->currentlyRunningInJit());
+ args.rval().setBoolean(cx->currentlyRunningInJit());
+ return true;
+}
+
+static bool testingFunc_inIon(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!jit::IsIonEnabled(cx)) {
+ return ReturnStringCopy(cx, args, "Ion is disabled.");
+ }
+
+ // Use frame iterator to inspect caller.
+ FrameIter iter(cx);
+
+ // We may be invoked directly, not in a JS context, e.g. if inJson is added as
+ // a callback on the event queue.
+ if (iter.done()) {
+ args.rval().setBoolean(false);
+ return true;
+ }
+
+ if (iter.hasScript()) {
+ // Detect repeated attempts to compile, resetting the counter if inIon
+ // succeeds. Note: This script may have be inlined into its caller.
+ if (iter.isIon()) {
+ iter.script()->resetWarmUpResetCounter();
+ } else if (!iter.script()->canIonCompile()) {
+ return ReturnStringCopy(cx, args, "Unable to Ion-compile this script.");
+ } else if (iter.script()->getWarmUpResetCount() >= JitWarmupResetLimit) {
+ return ReturnStringCopy(
+ cx, args, "Compilation is being repeatedly prevented. Giving up.");
+ }
+ }
+
+ args.rval().setBoolean(iter.isIon());
+ return true;
+}
+
+bool js::testingFunc_assertFloat32(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 2) {
+ JS_ReportErrorASCII(cx, "Expects only 2 arguments");
+ return false;
+ }
+
+ // NOP when not in IonMonkey
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool TestingFunc_assertJitStackInvariants(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ jit::AssertJitStackInvariants(cx);
+ args.rval().setUndefined();
+ return true;
+}
+
+bool js::testingFunc_assertRecoveredOnBailout(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 2) {
+ JS_ReportErrorASCII(cx, "Expects only 2 arguments");
+ return false;
+ }
+
+ // NOP when not in IonMonkey
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetJitCompilerOptions(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject info(cx, JS_NewPlainObject(cx));
+ if (!info) {
+ return false;
+ }
+
+ uint32_t intValue = 0;
+ RootedValue value(cx);
+
+#define JIT_COMPILER_MATCH(key, string) \
+ opt = JSJITCOMPILER_##key; \
+ if (JS_GetGlobalJitCompilerOption(cx, opt, &intValue)) { \
+ value.setInt32(intValue); \
+ if (!JS_SetProperty(cx, info, string, value)) return false; \
+ }
+
+ JSJitCompilerOption opt = JSJITCOMPILER_NOT_AN_OPTION;
+ JIT_COMPILER_OPTIONS(JIT_COMPILER_MATCH);
+#undef JIT_COMPILER_MATCH
+
+ args.rval().setObject(*info);
+ return true;
+}
+
+static bool SetIonCheckGraphCoherency(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ jit::JitOptions.checkGraphConsistency = ToBoolean(args.get(0));
+ args.rval().setUndefined();
+ return true;
+}
+
+// A JSObject that holds structured clone data, similar to the C++ class
+// JSAutoStructuredCloneBuffer.
+class CloneBufferObject : public NativeObject {
+ static const JSPropertySpec props_[3];
+
+ static const size_t DATA_SLOT = 0;
+ static const size_t SYNTHETIC_SLOT = 1;
+ static const size_t NUM_SLOTS = 2;
+
+ public:
+ static const JSClass class_;
+
+ static CloneBufferObject* Create(JSContext* cx) {
+ RootedObject obj(cx, JS_NewObject(cx, &class_));
+ if (!obj) {
+ return nullptr;
+ }
+ obj->as<CloneBufferObject>().setReservedSlot(DATA_SLOT,
+ PrivateValue(nullptr));
+ obj->as<CloneBufferObject>().setReservedSlot(SYNTHETIC_SLOT,
+ BooleanValue(false));
+
+ if (!JS_DefineProperties(cx, obj, props_)) {
+ return nullptr;
+ }
+
+ return &obj->as<CloneBufferObject>();
+ }
+
+ static CloneBufferObject* Create(JSContext* cx,
+ JSAutoStructuredCloneBuffer* buffer) {
+ Rooted<CloneBufferObject*> obj(cx, Create(cx));
+ if (!obj) {
+ return nullptr;
+ }
+ auto data = js::MakeUnique<JSStructuredCloneData>(buffer->scope());
+ if (!data) {
+ ReportOutOfMemory(cx);
+ return nullptr;
+ }
+ buffer->giveTo(data.get());
+ obj->setData(data.release(), false);
+ return obj;
+ }
+
+ JSStructuredCloneData* data() const {
+ return static_cast<JSStructuredCloneData*>(
+ getReservedSlot(DATA_SLOT).toPrivate());
+ }
+
+ bool isSynthetic() const {
+ return getReservedSlot(SYNTHETIC_SLOT).toBoolean();
+ }
+
+ void setData(JSStructuredCloneData* aData, bool synthetic) {
+ MOZ_ASSERT(!data());
+ setReservedSlot(DATA_SLOT, PrivateValue(aData));
+ setReservedSlot(SYNTHETIC_SLOT, BooleanValue(synthetic));
+ }
+
+ // Discard an owned clone buffer.
+ void discard() {
+ js_delete(data());
+ setReservedSlot(DATA_SLOT, PrivateValue(nullptr));
+ }
+
+ static bool setCloneBuffer_impl(JSContext* cx, const CallArgs& args) {
+ Rooted<CloneBufferObject*> obj(
+ cx, &args.thisv().toObject().as<CloneBufferObject>());
+
+ const char* data = nullptr;
+ UniqueChars dataOwner;
+ size_t nbytes;
+
+ if (args.get(0).isObject() && args[0].toObject().is<ArrayBufferObject>()) {
+ ArrayBufferObject* buffer = &args[0].toObject().as<ArrayBufferObject>();
+ bool isSharedMemory;
+ uint8_t* dataBytes = nullptr;
+ JS::GetArrayBufferLengthAndData(buffer, &nbytes, &isSharedMemory,
+ &dataBytes);
+ MOZ_ASSERT(!isSharedMemory);
+ data = reinterpret_cast<char*>(dataBytes);
+ } else {
+ JSString* str = JS::ToString(cx, args.get(0));
+ if (!str) {
+ return false;
+ }
+ dataOwner = JS_EncodeStringToLatin1(cx, str);
+ if (!dataOwner) {
+ return false;
+ }
+ data = dataOwner.get();
+ nbytes = JS_GetStringLength(str);
+ }
+
+ if (nbytes == 0 || (nbytes % sizeof(uint64_t) != 0)) {
+ JS_ReportErrorASCII(cx, "Invalid length for clonebuffer data");
+ return false;
+ }
+
+ auto buf = js::MakeUnique<JSStructuredCloneData>(
+ JS::StructuredCloneScope::DifferentProcess);
+ if (!buf || !buf->Init(nbytes)) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+
+ MOZ_ALWAYS_TRUE(buf->AppendBytes(data, nbytes));
+ obj->discard();
+ obj->setData(buf.release(), true);
+
+ args.rval().setUndefined();
+ return true;
+ }
+
+ static bool is(HandleValue v) {
+ return v.isObject() && v.toObject().is<CloneBufferObject>();
+ }
+
+ static bool setCloneBuffer(JSContext* cx, unsigned int argc, JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ return CallNonGenericMethod<is, setCloneBuffer_impl>(cx, args);
+ }
+
+ static bool getData(JSContext* cx, Handle<CloneBufferObject*> obj,
+ JSStructuredCloneData** data) {
+ if (!obj->data()) {
+ *data = nullptr;
+ return true;
+ }
+
+ bool hasTransferable;
+ if (!JS_StructuredCloneHasTransferables(*obj->data(), &hasTransferable)) {
+ return false;
+ }
+
+ if (hasTransferable) {
+ JS_ReportErrorASCII(
+ cx, "cannot retrieve structured clone buffer with transferables");
+ return false;
+ }
+
+ *data = obj->data();
+ return true;
+ }
+
+ static bool getCloneBuffer_impl(JSContext* cx, const CallArgs& args) {
+ Rooted<CloneBufferObject*> obj(
+ cx, &args.thisv().toObject().as<CloneBufferObject>());
+ MOZ_ASSERT(args.length() == 0);
+
+ JSStructuredCloneData* data;
+ if (!getData(cx, obj, &data)) {
+ return false;
+ }
+
+ size_t size = data->Size();
+ UniqueChars buffer(js_pod_malloc<char>(size));
+ if (!buffer) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ auto iter = data->Start();
+ if (!data->ReadBytes(iter, buffer.get(), size)) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ JSString* str = JS_NewStringCopyN(cx, buffer.get(), size);
+ if (!str) {
+ return false;
+ }
+ args.rval().setString(str);
+ return true;
+ }
+
+ static bool getCloneBuffer(JSContext* cx, unsigned int argc, JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ return CallNonGenericMethod<is, getCloneBuffer_impl>(cx, args);
+ }
+
+ static bool getCloneBufferAsArrayBuffer_impl(JSContext* cx,
+ const CallArgs& args) {
+ Rooted<CloneBufferObject*> obj(
+ cx, &args.thisv().toObject().as<CloneBufferObject>());
+ MOZ_ASSERT(args.length() == 0);
+
+ JSStructuredCloneData* data;
+ if (!getData(cx, obj, &data)) {
+ return false;
+ }
+
+ size_t size = data->Size();
+ UniqueChars buffer(js_pod_malloc<char>(size));
+ if (!buffer) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ auto iter = data->Start();
+ if (!data->ReadBytes(iter, buffer.get(), size)) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+
+ auto* rawBuffer = buffer.release();
+ JSObject* arrayBuffer = JS::NewArrayBufferWithContents(cx, size, rawBuffer);
+ if (!arrayBuffer) {
+ js_free(rawBuffer);
+ return false;
+ }
+
+ args.rval().setObject(*arrayBuffer);
+ return true;
+ }
+
+ static bool getCloneBufferAsArrayBuffer(JSContext* cx, unsigned int argc,
+ JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ return CallNonGenericMethod<is, getCloneBufferAsArrayBuffer_impl>(cx, args);
+ }
+
+ static void Finalize(JS::GCContext* gcx, JSObject* obj) {
+ obj->as<CloneBufferObject>().discard();
+ }
+};
+
+static const JSClassOps CloneBufferObjectClassOps = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ CloneBufferObject::Finalize, // finalize
+ nullptr, // call
+ nullptr, // construct
+ nullptr, // trace
+};
+
+const JSClass CloneBufferObject::class_ = {
+ "CloneBuffer",
+ JSCLASS_HAS_RESERVED_SLOTS(CloneBufferObject::NUM_SLOTS) |
+ JSCLASS_FOREGROUND_FINALIZE,
+ &CloneBufferObjectClassOps};
+
+const JSPropertySpec CloneBufferObject::props_[] = {
+ JS_PSGS("clonebuffer", getCloneBuffer, setCloneBuffer, 0),
+ JS_PSGS("arraybuffer", getCloneBufferAsArrayBuffer, setCloneBuffer, 0),
+ JS_PS_END};
+
+static mozilla::Maybe<JS::StructuredCloneScope> ParseCloneScope(
+ JSContext* cx, HandleString str) {
+ mozilla::Maybe<JS::StructuredCloneScope> scope;
+
+ JSLinearString* scopeStr = str->ensureLinear(cx);
+ if (!scopeStr) {
+ return scope;
+ }
+
+ if (StringEqualsLiteral(scopeStr, "SameProcess")) {
+ scope.emplace(JS::StructuredCloneScope::SameProcess);
+ } else if (StringEqualsLiteral(scopeStr, "DifferentProcess")) {
+ scope.emplace(JS::StructuredCloneScope::DifferentProcess);
+ } else if (StringEqualsLiteral(scopeStr, "DifferentProcessForIndexedDB")) {
+ scope.emplace(JS::StructuredCloneScope::DifferentProcessForIndexedDB);
+ }
+
+ return scope;
+}
+
+// A custom object that is serializable and transferable using
+// the engine's custom hooks. The callbacks log their activity
+// to a JSRuntime-wide log (tagging actions with IDs to distinguish them).
+class CustomSerializableObject : public NativeObject {
+ static const size_t ID_SLOT = 0;
+ static const size_t DETACHED_SLOT = 1;
+ static const size_t BEHAVIOR_SLOT = 2;
+ static const size_t NUM_SLOTS = 3;
+
+ static constexpr size_t MAX_LOG_LEN = 100;
+
+ // The activity log should be specific to a JSRuntime.
+ struct ActivityLog {
+ uint32_t buffer[MAX_LOG_LEN];
+ size_t length = 0;
+
+ static MOZ_THREAD_LOCAL(ActivityLog*) self;
+ static ActivityLog* getThreadLog() {
+ if (!self.initialized() || !self.get()) {
+ self.infallibleInit();
+ self.set(js_new<ActivityLog>());
+ MOZ_RELEASE_ASSERT(self.get());
+ }
+ return self.get();
+ }
+
+ static bool log(int32_t id, char action) {
+ return getThreadLog()->logImpl(id, action);
+ }
+
+ bool logImpl(int32_t id, char action) {
+ if (length + 2 > MAX_LOG_LEN) {
+ return false;
+ }
+ buffer[length++] = id;
+ buffer[length++] = uint32_t(action);
+ return true;
+ }
+ };
+
+ public:
+ enum class Behavior {
+ Nothing = 0,
+ FailDuringReadTransfer = 1,
+ FailDuringRead = 2
+ };
+
+ static constexpr JSClass class_ = {"CustomSerializable",
+ JSCLASS_HAS_RESERVED_SLOTS(NUM_SLOTS)};
+
+ static bool is(HandleValue v) {
+ return v.isObject() && v.toObject().is<CustomSerializableObject>();
+ }
+
+ static CustomSerializableObject* Create(JSContext* cx, int32_t id,
+ Behavior behavior) {
+ Rooted<CustomSerializableObject*> obj(
+ cx, static_cast<CustomSerializableObject*>(JS_NewObject(cx, &class_)));
+ if (!obj) {
+ return nullptr;
+ }
+ obj->setReservedSlot(ID_SLOT, Int32Value(id));
+ obj->setReservedSlot(DETACHED_SLOT, BooleanValue(false));
+ obj->setReservedSlot(BEHAVIOR_SLOT,
+ Int32Value(static_cast<int32_t>(behavior)));
+
+ if (!JS_DefineProperty(cx, obj, "log", getLog, clearLog, 0)) {
+ return nullptr;
+ }
+
+ return obj;
+ }
+
+ public:
+ static uint32_t tag() { return JS_SCTAG_USER_MIN; }
+
+ static bool log(int32_t id, char action) {
+ return ActivityLog::log(id, action);
+ }
+ bool log(char action) {
+ return log(getReservedSlot(ID_SLOT).toInt32(), action);
+ }
+
+ void detach() { setReservedSlot(DETACHED_SLOT, BooleanValue(true)); }
+ bool isDetached() { return getReservedSlot(DETACHED_SLOT).toBoolean(); }
+
+ uint32_t id() const { return getReservedSlot(ID_SLOT).toInt32(); }
+ Behavior behavior() {
+ return static_cast<Behavior>(getReservedSlot(BEHAVIOR_SLOT).toInt32());
+ }
+
+ static bool getLog(JSContext* cx, unsigned int argc, JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ return CallNonGenericMethod<is, getLog_impl>(cx, args);
+ }
+
+ static bool getLog_impl(JSContext* cx, const CallArgs& args) {
+ Rooted<CustomSerializableObject*> obj(
+ cx, &args.thisv().toObject().as<CustomSerializableObject>());
+
+ size_t len = ActivityLog::getThreadLog()->length;
+ uint32_t* logBuffer = ActivityLog::getThreadLog()->buffer;
+
+ Rooted<ArrayObject*> result(cx, NewDenseFullyAllocatedArray(cx, len));
+ if (!result) {
+ return false;
+ }
+ result->ensureDenseInitializedLength(0, len);
+
+ for (size_t p = 0; p < len; p += 2) {
+ int32_t id = int32_t(logBuffer[p]);
+ char action = char(logBuffer[p + 1]);
+ result->setDenseElement(p, Int32Value(id));
+ JSString* str = JS_NewStringCopyN(cx, &action, 1);
+ if (!str) {
+ return false;
+ }
+ result->setDenseElement(p + 1, StringValue(str));
+ }
+
+ args.rval().setObject(*result);
+ return true;
+ }
+
+ static bool clearLog(JSContext* cx, unsigned int argc, JS::Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.get(0).isNullOrUndefined()) {
+ JS_ReportErrorASCII(cx, "log may only be assigned null/undefined");
+ return false;
+ }
+ ActivityLog::getThreadLog()->length = 0;
+ args.rval().setUndefined();
+ return true;
+ }
+
+ static bool Write(JSContext* cx, JSStructuredCloneWriter* w,
+ JS::HandleObject aObj, bool* sameProcessScopeRequired,
+ void* closure) {
+ Rooted<CustomSerializableObject*> obj(cx);
+
+ if ((obj = aObj->maybeUnwrapIf<CustomSerializableObject>())) {
+ obj->log('w');
+ // Write a regular clone as a <tag, id> pair, followed by <0, behavior>.
+ // Note that transferring will communicate the behavior via a different
+ // mechanism.
+ return JS_WriteUint32Pair(w, obj->tag(), obj->id()) &&
+ JS_WriteUint32Pair(w, 0, static_cast<uint32_t>(obj->behavior()));
+ }
+
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_SC_UNSUPPORTED_TYPE);
+ return false;
+ }
+
+ static JSObject* Read(JSContext* cx, JSStructuredCloneReader* r,
+ const JS::CloneDataPolicy& cloneDataPolicy,
+ uint32_t tag, uint32_t id, void* closure) {
+ uint32_t dummy, behaviorData;
+ if (!JS_ReadUint32Pair(r, &dummy, &behaviorData)) {
+ return nullptr;
+ }
+ if (dummy != 0 || id > INT32_MAX) {
+ JS_ReportErrorASCII(cx, "out of range");
+ return nullptr;
+ }
+
+ auto b = static_cast<Behavior>(behaviorData);
+ Rooted<CustomSerializableObject*> obj(
+ cx, Create(cx, static_cast<int32_t>(id), b));
+ if (!obj) {
+ return nullptr;
+ }
+
+ obj->log('r');
+ if (obj->behavior() == Behavior::FailDuringRead) {
+ JS_ReportErrorASCII(cx,
+ "Failed as requested in read during deserialization");
+ return nullptr;
+ }
+ return obj;
+ }
+
+ static bool CanTransfer(JSContext* cx, JS::Handle<JSObject*> wrapped,
+ bool* sameProcessScopeRequired, void* closure) {
+ Rooted<CustomSerializableObject*> obj(cx);
+
+ if ((obj = wrapped->maybeUnwrapIf<CustomSerializableObject>())) {
+ obj->log('?');
+ // For now, all CustomSerializable objects are considered to be
+ // transferable.
+ return true;
+ }
+
+ return false;
+ }
+
+ static bool WriteTransfer(JSContext* cx, JS::Handle<JSObject*> aObj,
+ void* closure, uint32_t* tag,
+ JS::TransferableOwnership* ownership,
+ void** content, uint64_t* extraData) {
+ Rooted<CustomSerializableObject*> obj(cx);
+
+ if ((obj = aObj->maybeUnwrapIf<CustomSerializableObject>())) {
+ if (obj->isDetached()) {
+ JS_ReportErrorASCII(cx, "Attempted to transfer detached object");
+ return false;
+ }
+ obj->log('W');
+ *content = reinterpret_cast<void*>(obj->id());
+ *extraData = static_cast<uint64_t>(obj->behavior());
+ *tag = obj->tag();
+ *ownership = JS::SCTAG_TMO_CUSTOM;
+ obj->detach();
+ return true;
+ }
+
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_SC_NOT_TRANSFERABLE);
+ return false;
+ }
+
+ static bool ReadTransfer(JSContext* cx, JSStructuredCloneReader* r,
+ uint32_t tag, void* content, uint64_t extraData,
+ void* closure,
+ JS::MutableHandleObject returnObject) {
+ if (tag == CustomSerializableObject::tag()) {
+ int32_t id = int32_t(reinterpret_cast<uintptr_t>(content));
+ Rooted<CustomSerializableObject*> obj(
+ cx, CustomSerializableObject::Create(
+ cx, id, static_cast<Behavior>(extraData)));
+ if (!obj) {
+ return false;
+ }
+ obj->log('R');
+ if (obj->behavior() == Behavior::FailDuringReadTransfer) {
+ return false;
+ }
+ returnObject.set(obj);
+ return true;
+ }
+
+ return false;
+ }
+
+ static void FreeTransfer(uint32_t tag, JS::TransferableOwnership ownership,
+ void* content, uint64_t extraData, void* closure) {
+ CustomSerializableObject::log(uint32_t(reinterpret_cast<intptr_t>(content)),
+ 'F');
+ }
+};
+
+MOZ_THREAD_LOCAL(CustomSerializableObject::ActivityLog*)
+CustomSerializableObject::ActivityLog::self;
+
+static bool MakeSerializable(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ int32_t id = 0;
+ if (args.get(0).isInt32()) {
+ id = args[0].toInt32();
+ if (id < 0) {
+ JS_ReportErrorASCII(cx, "id out of range");
+ return false;
+ }
+ }
+ CustomSerializableObject::Behavior behavior =
+ CustomSerializableObject::Behavior::Nothing;
+ if (args.get(1).isInt32()) {
+ int32_t iv = args[1].toInt32();
+ constexpr int32_t min =
+ static_cast<int32_t>(CustomSerializableObject::Behavior::Nothing);
+ constexpr int32_t max = static_cast<int32_t>(
+ CustomSerializableObject::Behavior::FailDuringRead);
+ if (iv < min || iv > max) {
+ JS_ReportErrorASCII(cx, "behavior out of range");
+ return false;
+ }
+ behavior = static_cast<CustomSerializableObject::Behavior>(iv);
+ }
+
+ JSObject* obj = CustomSerializableObject::Create(cx, id, behavior);
+ if (!obj) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static JSStructuredCloneCallbacks gCloneCallbacks = {
+ .read = CustomSerializableObject::Read,
+ .write = CustomSerializableObject::Write,
+ .reportError = nullptr,
+ .readTransfer = CustomSerializableObject::ReadTransfer,
+ .writeTransfer = CustomSerializableObject::WriteTransfer,
+ .freeTransfer = CustomSerializableObject::FreeTransfer,
+ .canTransfer = CustomSerializableObject::CanTransfer,
+ .sabCloned = nullptr};
+
+bool js::testingFunc_serialize(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (js::SupportDifferentialTesting()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "Function unavailable in differential testing mode.");
+ return false;
+ }
+
+ mozilla::Maybe<JSAutoStructuredCloneBuffer> clonebuf;
+ JS::CloneDataPolicy policy;
+
+ if (!args.get(2).isUndefined()) {
+ RootedObject opts(cx, ToObject(cx, args.get(2)));
+ if (!opts) {
+ return false;
+ }
+
+ RootedValue v(cx);
+ if (!JS_GetProperty(cx, opts, "SharedArrayBuffer", &v)) {
+ return false;
+ }
+
+ if (!v.isUndefined()) {
+ JSString* str = JS::ToString(cx, v);
+ if (!str) {
+ return false;
+ }
+ JSLinearString* poli = str->ensureLinear(cx);
+ if (!poli) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(poli, "allow")) {
+ policy.allowSharedMemoryObjects();
+ policy.allowIntraClusterClonableSharedObjects();
+ } else if (StringEqualsLiteral(poli, "deny")) {
+ // default
+ } else {
+ JS_ReportErrorASCII(cx, "Invalid policy value for 'SharedArrayBuffer'");
+ return false;
+ }
+ }
+
+ if (!JS_GetProperty(cx, opts, "scope", &v)) {
+ return false;
+ }
+
+ if (!v.isUndefined()) {
+ RootedString str(cx, JS::ToString(cx, v));
+ if (!str) {
+ return false;
+ }
+ auto scope = ParseCloneScope(cx, str);
+ if (!scope) {
+ JS_ReportErrorASCII(cx, "Invalid structured clone scope");
+ return false;
+ }
+ clonebuf.emplace(*scope, &gCloneCallbacks, nullptr);
+ }
+ }
+
+ if (!clonebuf) {
+ clonebuf.emplace(JS::StructuredCloneScope::SameProcess, &gCloneCallbacks,
+ nullptr);
+ }
+
+ if (!clonebuf->write(cx, args.get(0), args.get(1), policy)) {
+ return false;
+ }
+
+ RootedObject obj(cx, CloneBufferObject::Create(cx, clonebuf.ptr()));
+ if (!obj) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool Deserialize(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (js::SupportDifferentialTesting()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "Function unavailable in differential testing mode.");
+ return false;
+ }
+
+ if (!args.get(0).isObject() || !args[0].toObject().is<CloneBufferObject>()) {
+ JS_ReportErrorASCII(cx, "deserialize requires a clonebuffer argument");
+ return false;
+ }
+ Rooted<CloneBufferObject*> obj(cx,
+ &args[0].toObject().as<CloneBufferObject>());
+
+ JS::CloneDataPolicy policy;
+
+ JS::StructuredCloneScope scope =
+ obj->isSynthetic() ? JS::StructuredCloneScope::DifferentProcess
+ : JS::StructuredCloneScope::SameProcess;
+ if (args.get(1).isObject()) {
+ RootedObject opts(cx, &args[1].toObject());
+ if (!opts) {
+ return false;
+ }
+
+ RootedValue v(cx);
+ if (!JS_GetProperty(cx, opts, "SharedArrayBuffer", &v)) {
+ return false;
+ }
+
+ if (!v.isUndefined()) {
+ JSString* str = JS::ToString(cx, v);
+ if (!str) {
+ return false;
+ }
+ JSLinearString* poli = str->ensureLinear(cx);
+ if (!poli) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(poli, "allow")) {
+ policy.allowSharedMemoryObjects();
+ policy.allowIntraClusterClonableSharedObjects();
+ } else if (StringEqualsLiteral(poli, "deny")) {
+ // default
+ } else {
+ JS_ReportErrorASCII(cx, "Invalid policy value for 'SharedArrayBuffer'");
+ return false;
+ }
+ }
+
+ if (!JS_GetProperty(cx, opts, "scope", &v)) {
+ return false;
+ }
+
+ if (!v.isUndefined()) {
+ RootedString str(cx, JS::ToString(cx, v));
+ if (!str) {
+ return false;
+ }
+ auto maybeScope = ParseCloneScope(cx, str);
+ if (!maybeScope) {
+ JS_ReportErrorASCII(cx, "Invalid structured clone scope");
+ return false;
+ }
+
+ if (*maybeScope < scope) {
+ JS_ReportErrorASCII(cx,
+ "Cannot use less restrictive scope "
+ "than the deserialized clone buffer's scope");
+ return false;
+ }
+
+ scope = *maybeScope;
+ }
+ }
+
+ // Clone buffer was already consumed?
+ if (!obj->data()) {
+ JS_ReportErrorASCII(cx,
+ "deserialize given invalid clone buffer "
+ "(transferables already consumed?)");
+ return false;
+ }
+
+ bool hasTransferable;
+ if (!JS_StructuredCloneHasTransferables(*obj->data(), &hasTransferable)) {
+ return false;
+ }
+
+ RootedValue deserialized(cx);
+ if (!JS_ReadStructuredClone(cx, *obj->data(), JS_STRUCTURED_CLONE_VERSION,
+ scope, &deserialized, policy, &gCloneCallbacks,
+ nullptr)) {
+ return false;
+ }
+ args.rval().set(deserialized);
+
+ // Consume any clone buffer with transferables; throw an error if it is
+ // deserialized again.
+ if (hasTransferable) {
+ obj->discard();
+ }
+
+ return true;
+}
+
+static bool DetachArrayBuffer(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "detachArrayBuffer() requires a single argument");
+ return false;
+ }
+
+ if (!args[0].isObject()) {
+ JS_ReportErrorASCII(cx, "detachArrayBuffer must be passed an object");
+ return false;
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+ if (!JS::DetachArrayBuffer(cx, obj)) {
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool HelperThreadCount(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (js::SupportDifferentialTesting()) {
+ // Always return 0 to get consistent output with and without --no-threads.
+ args.rval().setInt32(0);
+ return true;
+ }
+
+ if (CanUseExtraThreads()) {
+ args.rval().setInt32(GetHelperThreadCount());
+ } else {
+ args.rval().setInt32(0);
+ }
+ return true;
+}
+
+static bool EnableShapeConsistencyChecks(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+#ifdef DEBUG
+ NativeObject::enableShapeConsistencyChecks();
+#endif
+ args.rval().setUndefined();
+ return true;
+}
+
+// ShapeSnapshot holds information about an object's properties. This is used
+// for checking object and shape changes between two points in time.
+class ShapeSnapshot {
+ HeapPtr<JSObject*> object_;
+ HeapPtr<Shape*> shape_;
+ HeapPtr<BaseShape*> baseShape_;
+ ObjectFlags objectFlags_;
+
+ GCVector<HeapPtr<Value>, 8> slots_;
+
+ struct PropertySnapshot {
+ HeapPtr<PropMap*> propMap;
+ uint32_t propMapIndex;
+ HeapPtr<PropertyKey> key;
+ PropertyInfo prop;
+
+ explicit PropertySnapshot(PropMap* map, uint32_t index)
+ : propMap(map),
+ propMapIndex(index),
+ key(map->getKey(index)),
+ prop(map->getPropertyInfo(index)) {}
+
+ void trace(JSTracer* trc) {
+ TraceEdge(trc, &propMap, "propMap");
+ TraceEdge(trc, &key, "key");
+ }
+
+ bool operator==(const PropertySnapshot& other) const {
+ return propMap == other.propMap && propMapIndex == other.propMapIndex &&
+ key == other.key && prop == other.prop;
+ }
+ bool operator!=(const PropertySnapshot& other) const {
+ return !operator==(other);
+ }
+ };
+ GCVector<PropertySnapshot, 8> properties_;
+
+ public:
+ explicit ShapeSnapshot(JSContext* cx) : slots_(cx), properties_(cx) {}
+ void checkSelf(JSContext* cx) const;
+ void check(JSContext* cx, const ShapeSnapshot& other) const;
+ bool init(JSObject* obj);
+ void trace(JSTracer* trc);
+
+ JSObject* object() const { return object_; }
+};
+
+// A JSObject that holds a ShapeSnapshot.
+class ShapeSnapshotObject : public NativeObject {
+ static constexpr size_t SnapshotSlot = 0;
+ static constexpr size_t ReservedSlots = 1;
+
+ public:
+ static const JSClassOps classOps_;
+ static const JSClass class_;
+
+ bool hasSnapshot() const {
+ // The snapshot may not be present yet if we GC during initialization.
+ return !getReservedSlot(SnapshotSlot).isUndefined();
+ }
+
+ ShapeSnapshot& snapshot() const {
+ void* ptr = getReservedSlot(SnapshotSlot).toPrivate();
+ MOZ_ASSERT(ptr);
+ return *static_cast<ShapeSnapshot*>(ptr);
+ }
+
+ static ShapeSnapshotObject* create(JSContext* cx, HandleObject obj);
+
+ static void finalize(JS::GCContext* gcx, JSObject* obj) {
+ if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+ js_delete(&obj->as<ShapeSnapshotObject>().snapshot());
+ }
+ }
+ static void trace(JSTracer* trc, JSObject* obj) {
+ if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+ obj->as<ShapeSnapshotObject>().snapshot().trace(trc);
+ }
+ }
+};
+
+/*static */ const JSClassOps ShapeSnapshotObject::classOps_ = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ ShapeSnapshotObject::finalize, // finalize
+ nullptr, // call
+ nullptr, // construct
+ ShapeSnapshotObject::trace, // trace
+};
+
+/*static */ const JSClass ShapeSnapshotObject::class_ = {
+ "ShapeSnapshotObject",
+ JSCLASS_HAS_RESERVED_SLOTS(ShapeSnapshotObject::ReservedSlots) |
+ JSCLASS_BACKGROUND_FINALIZE,
+ &ShapeSnapshotObject::classOps_};
+
+bool ShapeSnapshot::init(JSObject* obj) {
+ object_ = obj;
+ shape_ = obj->shape();
+ baseShape_ = shape_->base();
+ objectFlags_ = shape_->objectFlags();
+
+ if (obj->is<NativeObject>()) {
+ NativeObject* nobj = &obj->as<NativeObject>();
+
+ // Snapshot the slot values.
+ size_t slotSpan = nobj->slotSpan();
+ if (!slots_.growBy(slotSpan)) {
+ return false;
+ }
+ for (size_t i = 0; i < slotSpan; i++) {
+ slots_[i] = nobj->getSlot(i);
+ }
+
+ // Snapshot property information.
+ if (uint32_t len = nobj->shape()->propMapLength(); len > 0) {
+ PropMap* map = nobj->shape()->propMap();
+ while (true) {
+ for (uint32_t i = 0; i < len; i++) {
+ if (!map->hasKey(i)) {
+ continue;
+ }
+ if (!properties_.append(PropertySnapshot(map, i))) {
+ return false;
+ }
+ }
+ if (!map->hasPrevious()) {
+ break;
+ }
+ map = map->asLinked()->previous();
+ len = PropMap::Capacity;
+ }
+ }
+ }
+
+ return true;
+}
+
+void ShapeSnapshot::trace(JSTracer* trc) {
+ TraceEdge(trc, &object_, "object");
+ TraceEdge(trc, &shape_, "shape");
+ TraceEdge(trc, &baseShape_, "baseShape");
+ slots_.trace(trc);
+ properties_.trace(trc);
+}
+
+void ShapeSnapshot::checkSelf(JSContext* cx) const {
+ // Assertions based on a single snapshot.
+
+ // Non-dictionary shapes must not be mutated.
+ if (!shape_->isDictionary()) {
+ MOZ_RELEASE_ASSERT(shape_->base() == baseShape_);
+ MOZ_RELEASE_ASSERT(shape_->objectFlags() == objectFlags_);
+ }
+
+ for (const PropertySnapshot& propSnapshot : properties_) {
+ PropMap* propMap = propSnapshot.propMap;
+ uint32_t propMapIndex = propSnapshot.propMapIndex;
+ PropertyInfo prop = propSnapshot.prop;
+
+ // Skip if the map no longer matches the snapshotted data. This can
+ // only happen for non-configurable dictionary properties.
+ if (PropertySnapshot(propMap, propMapIndex) != propSnapshot) {
+ MOZ_RELEASE_ASSERT(propMap->isDictionary());
+ MOZ_RELEASE_ASSERT(prop.configurable());
+ continue;
+ }
+
+ // Ensure ObjectFlags depending on property information are set if needed.
+ ObjectFlags expectedFlags = GetObjectFlagsForNewProperty(
+ shape_->getObjectClass(), shape_->objectFlags(), propSnapshot.key,
+ prop.flags(), cx);
+ MOZ_RELEASE_ASSERT(expectedFlags == objectFlags_);
+
+ // Accessors must have a PrivateGCThingValue(GetterSetter*) slot value.
+ if (prop.isAccessorProperty()) {
+ Value slotVal = slots_[prop.slot()];
+ MOZ_RELEASE_ASSERT(slotVal.isPrivateGCThing());
+ MOZ_RELEASE_ASSERT(slotVal.toGCThing()->is<GetterSetter>());
+ }
+
+ // Data properties must not have a PrivateGCThingValue slot value.
+ if (prop.isDataProperty()) {
+ Value slotVal = slots_[prop.slot()];
+ MOZ_RELEASE_ASSERT(!slotVal.isPrivateGCThing());
+ }
+ }
+}
+
+void ShapeSnapshot::check(JSContext* cx, const ShapeSnapshot& later) const {
+ checkSelf(cx);
+ later.checkSelf(cx);
+
+ if (object_ != later.object_) {
+ // Snapshots are for different objects. Assert dictionary shapes aren't
+ // shared.
+ if (object_->is<NativeObject>()) {
+ NativeObject* nobj = &object_->as<NativeObject>();
+ if (nobj->inDictionaryMode()) {
+ MOZ_RELEASE_ASSERT(shape_ != later.shape_);
+ }
+ }
+ return;
+ }
+
+ // We have two snapshots for the same object. Check the shape information
+ // wasn't changed in invalid ways.
+
+ // If the Shape is still the same, the object must have the same BaseShape,
+ // ObjectFlags and property information.
+ if (shape_ == later.shape_) {
+ MOZ_RELEASE_ASSERT(objectFlags_ == later.objectFlags_);
+ MOZ_RELEASE_ASSERT(baseShape_ == later.baseShape_);
+ MOZ_RELEASE_ASSERT(slots_.length() == later.slots_.length());
+ MOZ_RELEASE_ASSERT(properties_.length() == later.properties_.length());
+
+ for (size_t i = 0; i < properties_.length(); i++) {
+ MOZ_RELEASE_ASSERT(properties_[i] == later.properties_[i]);
+ // Non-configurable accessor properties and non-configurable, non-writable
+ // data properties shouldn't have had their slot mutated.
+ PropertyInfo prop = properties_[i].prop;
+ if (!prop.configurable()) {
+ if (prop.isAccessorProperty() ||
+ (prop.isDataProperty() && !prop.writable())) {
+ size_t slot = prop.slot();
+ MOZ_RELEASE_ASSERT(slots_[slot] == later.slots_[slot]);
+ }
+ }
+ }
+ }
+
+ // Object flags should not be lost. The exception is the Indexed flag, it
+ // can be cleared when densifying elements, so clear that flag first.
+ {
+ ObjectFlags flags = objectFlags_;
+ ObjectFlags flagsLater = later.objectFlags_;
+ flags.clearFlag(ObjectFlag::Indexed);
+ flagsLater.clearFlag(ObjectFlag::Indexed);
+ MOZ_RELEASE_ASSERT((flags.toRaw() & flagsLater.toRaw()) == flags.toRaw());
+ }
+
+ // If the HadGetterSetterChange flag wasn't set, all GetterSetter slots must
+ // be unchanged.
+ if (!later.objectFlags_.hasFlag(ObjectFlag::HadGetterSetterChange)) {
+ for (size_t i = 0; i < slots_.length(); i++) {
+ if (slots_[i].isPrivateGCThing() &&
+ slots_[i].toGCThing()->is<GetterSetter>()) {
+ MOZ_RELEASE_ASSERT(i < later.slots_.length());
+ MOZ_RELEASE_ASSERT(later.slots_[i] == slots_[i]);
+ }
+ }
+ }
+}
+
+// static
+ShapeSnapshotObject* ShapeSnapshotObject::create(JSContext* cx,
+ HandleObject obj) {
+ Rooted<UniquePtr<ShapeSnapshot>> snapshot(cx,
+ cx->make_unique<ShapeSnapshot>(cx));
+ if (!snapshot || !snapshot->init(obj)) {
+ return nullptr;
+ }
+
+ auto* snapshotObj = NewObjectWithGivenProto<ShapeSnapshotObject>(cx, nullptr);
+ if (!snapshotObj) {
+ return nullptr;
+ }
+ snapshotObj->initReservedSlot(SnapshotSlot, PrivateValue(snapshot.release()));
+ return snapshotObj;
+}
+
+static bool CreateShapeSnapshot(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "createShapeSnapshot requires an object argument");
+ return false;
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+ auto* res = ShapeSnapshotObject::create(cx, obj);
+ if (!res) {
+ return false;
+ }
+
+ res->snapshot().check(cx, res->snapshot());
+
+ args.rval().setObject(*res);
+ return true;
+}
+
+static bool CheckShapeSnapshot(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.get(0).isObject() ||
+ !args[0].toObject().is<ShapeSnapshotObject>()) {
+ JS_ReportErrorASCII(cx, "checkShapeSnapshot requires a snapshot argument");
+ return false;
+ }
+
+ // Get the object to use from the snapshot if the second argument is not an
+ // object.
+ RootedObject obj(cx);
+ if (args.get(1).isObject()) {
+ obj = &args[1].toObject();
+ } else {
+ auto& snapshot = args[0].toObject().as<ShapeSnapshotObject>().snapshot();
+ obj = snapshot.object();
+ }
+
+ RootedObject otherSnapshot(cx, ShapeSnapshotObject::create(cx, obj));
+ if (!otherSnapshot) {
+ return false;
+ }
+
+ auto& snapshot1 = args[0].toObject().as<ShapeSnapshotObject>().snapshot();
+ auto& snapshot2 = otherSnapshot->as<ShapeSnapshotObject>().snapshot();
+ snapshot1.check(cx, snapshot2);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+#if defined(DEBUG) || defined(JS_JITSPEW)
+static bool DumpObject(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject obj(cx, ToObject(cx, args.get(0)));
+ if (!obj) {
+ return false;
+ }
+
+ DumpObject(obj);
+
+ args.rval().setUndefined();
+ return true;
+}
+#endif
+
+static bool SharedMemoryEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(
+ cx->realm()->creationOptions().getSharedMemoryAndAtomicsEnabled());
+ return true;
+}
+
+static bool SharedArrayRawBufferRefcount(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() != 1 || !args[0].isObject()) {
+ JS_ReportErrorASCII(cx, "Expected SharedArrayBuffer object");
+ return false;
+ }
+ RootedObject obj(cx, &args[0].toObject());
+ if (!obj->is<SharedArrayBufferObject>()) {
+ JS_ReportErrorASCII(cx, "Expected SharedArrayBuffer object");
+ return false;
+ }
+ args.rval().setInt32(
+ obj->as<SharedArrayBufferObject>().rawBufferObject()->refcount());
+ return true;
+}
+
+#ifdef NIGHTLY_BUILD
+static bool ObjectAddress(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (js::SupportDifferentialTesting()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "Function unavailable in differential testing mode.");
+ return false;
+ }
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+ if (!args[0].isObject()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Expected object");
+ return false;
+ }
+
+ void* ptr = js::UncheckedUnwrap(&args[0].toObject(), true);
+ char buffer[64];
+ SprintfLiteral(buffer, "%p", ptr);
+
+ return ReturnStringCopy(cx, args, buffer);
+}
+
+static bool SharedAddress(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (js::SupportDifferentialTesting()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "Function unavailable in differential testing mode.");
+ return false;
+ }
+
+ if (args.length() != 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+ if (!args[0].isObject()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Expected object");
+ return false;
+ }
+
+ RootedObject obj(cx, CheckedUnwrapStatic(&args[0].toObject()));
+ if (!obj) {
+ ReportAccessDenied(cx);
+ return false;
+ }
+ if (!obj->is<SharedArrayBufferObject>()) {
+ JS_ReportErrorASCII(cx, "Argument must be a SharedArrayBuffer");
+ return false;
+ }
+ char buffer[64];
+ uint32_t nchar = SprintfLiteral(
+ buffer, "%p",
+ obj->as<SharedArrayBufferObject>().dataPointerShared().unwrap(
+ /*safeish*/));
+
+ JSString* str = JS_NewStringCopyN(cx, buffer, nchar);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+
+ return true;
+}
+#endif
+
+static bool HasInvalidatedTeleporting(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1 || !args[0].isObject()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Expected single object argument");
+ return false;
+ }
+
+ args.rval().setBoolean(args[0].toObject().hasInvalidatedTeleporting());
+ return true;
+}
+
+static bool DumpBacktrace(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ DumpBacktrace(cx);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetBacktrace(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ bool showArgs = false;
+ bool showLocals = false;
+ bool showThisProps = false;
+
+ if (args.length() > 1) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "Too many arguments");
+ return false;
+ }
+
+ if (args.length() == 1) {
+ RootedObject cfg(cx, ToObject(cx, args[0]));
+ if (!cfg) {
+ return false;
+ }
+ RootedValue v(cx);
+
+ if (!JS_GetProperty(cx, cfg, "args", &v)) {
+ return false;
+ }
+ showArgs = ToBoolean(v);
+
+ if (!JS_GetProperty(cx, cfg, "locals", &v)) {
+ return false;
+ }
+ showLocals = ToBoolean(v);
+
+ if (!JS_GetProperty(cx, cfg, "thisprops", &v)) {
+ return false;
+ }
+ showThisProps = ToBoolean(v);
+ }
+
+ JS::UniqueChars buf =
+ JS::FormatStackDump(cx, showArgs, showLocals, showThisProps);
+ if (!buf) {
+ return false;
+ }
+
+ size_t len;
+ UniqueTwoByteChars ucbuf(JS::LossyUTF8CharsToNewTwoByteCharsZ(
+ cx, JS::UTF8Chars(buf.get(), strlen(buf.get())),
+ &len, js::MallocArena)
+ .get());
+ if (!ucbuf) {
+ return false;
+ }
+ JSString* str = JS_NewUCStringCopyN(cx, ucbuf.get(), len);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+static bool ReportOutOfMemory(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ JS_ReportOutOfMemory(cx);
+ cx->clearPendingException();
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool ThrowOutOfMemory(JSContext* cx, unsigned argc, Value* vp) {
+ JS_ReportOutOfMemory(cx);
+ return false;
+}
+
+static bool ReportLargeAllocationFailure(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ size_t bytes = JSRuntime::LARGE_ALLOCATION;
+ if (args.length() >= 1) {
+ if (!args[0].isInt32()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee,
+ "First argument must be an integer if specified.");
+ return false;
+ }
+ bytes = args[0].toInt32();
+ }
+
+ void* buf = cx->runtime()->onOutOfMemoryCanGC(AllocFunction::Malloc,
+ js::MallocArena, bytes);
+
+ js_free(buf);
+ args.rval().setUndefined();
+ return true;
+}
+
+namespace heaptools {
+
+using EdgeName = UniqueTwoByteChars;
+
+// An edge to a node from its predecessor in a path through the graph.
+class BackEdge {
+ // The node from which this edge starts.
+ JS::ubi::Node predecessor_;
+
+ // The name of this edge.
+ EdgeName name_;
+
+ public:
+ BackEdge() : name_(nullptr) {}
+ // Construct an initialized back edge, taking ownership of |name|.
+ BackEdge(JS::ubi::Node predecessor, EdgeName name)
+ : predecessor_(predecessor), name_(std::move(name)) {}
+ BackEdge(BackEdge&& rhs)
+ : predecessor_(rhs.predecessor_), name_(std::move(rhs.name_)) {}
+ BackEdge& operator=(BackEdge&& rhs) {
+ MOZ_ASSERT(&rhs != this);
+ this->~BackEdge();
+ new (this) BackEdge(std::move(rhs));
+ return *this;
+ }
+
+ EdgeName forgetName() { return std::move(name_); }
+ JS::ubi::Node predecessor() const { return predecessor_; }
+
+ private:
+ // No copy constructor or copying assignment.
+ BackEdge(const BackEdge&) = delete;
+ BackEdge& operator=(const BackEdge&) = delete;
+};
+
+// A path-finding handler class for use with JS::ubi::BreadthFirst.
+struct FindPathHandler {
+ using NodeData = BackEdge;
+ using Traversal = JS::ubi::BreadthFirst<FindPathHandler>;
+
+ FindPathHandler(JSContext* cx, JS::ubi::Node start, JS::ubi::Node target,
+ MutableHandle<GCVector<Value>> nodes, Vector<EdgeName>& edges)
+ : cx(cx),
+ start(start),
+ target(target),
+ foundPath(false),
+ nodes(nodes),
+ edges(edges) {}
+
+ bool operator()(Traversal& traversal, JS::ubi::Node origin,
+ const JS::ubi::Edge& edge, BackEdge* backEdge, bool first) {
+ // We take care of each node the first time we visit it, so there's
+ // nothing to be done on subsequent visits.
+ if (!first) {
+ return true;
+ }
+
+ // Record how we reached this node. This is the last edge on a
+ // shortest path to this node.
+ EdgeName edgeName =
+ DuplicateStringToArena(js::StringBufferArena, cx, edge.name.get());
+ if (!edgeName) {
+ return false;
+ }
+ *backEdge = BackEdge(origin, std::move(edgeName));
+
+ // Have we reached our final target node?
+ if (edge.referent == target) {
+ // Record the path that got us here, which must be a shortest path.
+ if (!recordPath(traversal, backEdge)) {
+ return false;
+ }
+ foundPath = true;
+ traversal.stop();
+ }
+
+ return true;
+ }
+
+ // We've found a path to our target. Walk the backlinks to produce the
+ // (reversed) path, saving the path in |nodes| and |edges|. |nodes| is
+ // rooted, so it can hold the path's nodes as we leave the scope of
+ // the AutoCheckCannotGC. Note that nodes are added to |visited| after we
+ // return from operator() so we have to pass the target BackEdge* to this
+ // function.
+ bool recordPath(Traversal& traversal, BackEdge* targetBackEdge) {
+ JS::ubi::Node here = target;
+
+ do {
+ BackEdge* backEdge = targetBackEdge;
+ if (here != target) {
+ Traversal::NodeMap::Ptr p = traversal.visited.lookup(here);
+ MOZ_ASSERT(p);
+ backEdge = &p->value();
+ }
+ JS::ubi::Node predecessor = backEdge->predecessor();
+ if (!nodes.append(predecessor.exposeToJS()) ||
+ !edges.append(backEdge->forgetName())) {
+ return false;
+ }
+ here = predecessor;
+ } while (here != start);
+
+ return true;
+ }
+
+ JSContext* cx;
+
+ // The node we're starting from.
+ JS::ubi::Node start;
+
+ // The node we're looking for.
+ JS::ubi::Node target;
+
+ // True if we found a path to target, false if we didn't.
+ bool foundPath;
+
+ // The nodes and edges of the path --- should we find one. The path is
+ // stored in reverse order, because that's how it's easiest for us to
+ // construct it:
+ // - edges[i] is the name of the edge from nodes[i] to nodes[i-1].
+ // - edges[0] is the name of the edge from nodes[0] to the target.
+ // - The last node, nodes[n-1], is the start node.
+ MutableHandle<GCVector<Value>> nodes;
+ Vector<EdgeName>& edges;
+};
+
+} // namespace heaptools
+
+static bool FindPath(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "findPath", 2)) {
+ return false;
+ }
+
+ // We don't ToString non-objects given as 'start' or 'target', because this
+ // test is all about object identity, and ToString doesn't preserve that.
+ // Non-GCThing endpoints don't make much sense.
+ if (!args[0].isObject() && !args[0].isString() && !args[0].isSymbol()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr, "not an object, string, or symbol");
+ return false;
+ }
+
+ if (!args[1].isObject() && !args[1].isString() && !args[1].isSymbol()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr, "not an object, string, or symbol");
+ return false;
+ }
+
+ Rooted<GCVector<Value>> nodes(cx, GCVector<Value>(cx));
+ Vector<heaptools::EdgeName> edges(cx);
+
+ {
+ // We can't tolerate the GC moving things around while we're searching
+ // the heap. Check that nothing we do causes a GC.
+ JS::AutoCheckCannotGC autoCannotGC;
+
+ JS::ubi::Node start(args[0]), target(args[1]);
+
+ heaptools::FindPathHandler handler(cx, start, target, &nodes, edges);
+ heaptools::FindPathHandler::Traversal traversal(cx, handler, autoCannotGC);
+ if (!traversal.addStart(start)) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+
+ if (!traversal.traverse()) {
+ if (!cx->isExceptionPending()) {
+ ReportOutOfMemory(cx);
+ }
+ return false;
+ }
+
+ if (!handler.foundPath) {
+ // We didn't find any paths from the start to the target.
+ args.rval().setUndefined();
+ return true;
+ }
+ }
+
+ // |nodes| and |edges| contain the path from |start| to |target|, reversed.
+ // Construct a JavaScript array describing the path from the start to the
+ // target. Each element has the form:
+ //
+ // {
+ // node: <object or string or symbol>,
+ // edge: <string describing outgoing edge from node>
+ // }
+ //
+ // or, if the node is some internal thing that isn't a proper JavaScript
+ // value:
+ //
+ // { node: undefined, edge: <string> }
+ size_t length = nodes.length();
+ Rooted<ArrayObject*> result(cx, NewDenseFullyAllocatedArray(cx, length));
+ if (!result) {
+ return false;
+ }
+ result->ensureDenseInitializedLength(0, length);
+
+ // Walk |nodes| and |edges| in the stored order, and construct the result
+ // array in start-to-target order.
+ for (size_t i = 0; i < length; i++) {
+ // Build an object describing the node and edge.
+ RootedObject obj(cx, NewPlainObject(cx));
+ if (!obj) {
+ return false;
+ }
+
+ // Only define the "node" property if we're not fuzzing, to prevent the
+ // fuzzers from messing with internal objects that we don't want to expose
+ // to arbitrary JS.
+ if (!fuzzingSafe) {
+ RootedValue wrapped(cx, nodes[i]);
+ if (!cx->compartment()->wrap(cx, &wrapped)) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "node", wrapped, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ }
+
+ heaptools::EdgeName edgeName = std::move(edges[i]);
+
+ size_t edgeNameLength = js_strlen(edgeName.get());
+ RootedString edgeStr(
+ cx, NewString<CanGC>(cx, std::move(edgeName), edgeNameLength));
+ if (!edgeStr) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "edge", edgeStr, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ result->setDenseElement(length - i - 1, ObjectValue(*obj));
+ }
+
+ args.rval().setObject(*result);
+ return true;
+}
+
+static bool ShortestPaths(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "shortestPaths", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<ArrayObject>()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr, "not an array object");
+ return false;
+ }
+
+ Rooted<ArrayObject*> objs(cx, &args[0].toObject().as<ArrayObject>());
+
+ RootedValue start(cx, NullValue());
+ int32_t maxNumPaths = 3;
+
+ if (!args.get(1).isUndefined()) {
+ if (!args[1].isObject()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[1],
+ nullptr, "not an options object");
+ return false;
+ }
+
+ RootedObject options(cx, &args[1].toObject());
+ bool exists;
+ if (!JS_HasProperty(cx, options, "start", &exists)) {
+ return false;
+ }
+ if (exists) {
+ if (!JS_GetProperty(cx, options, "start", &start)) {
+ return false;
+ }
+
+ // Non-GCThing endpoints don't make much sense.
+ if (!start.isGCThing()) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, start,
+ nullptr, "not a GC thing");
+ return false;
+ }
+ }
+
+ RootedValue v(cx, Int32Value(maxNumPaths));
+ if (!JS_HasProperty(cx, options, "maxNumPaths", &exists)) {
+ return false;
+ }
+ if (exists) {
+ if (!JS_GetProperty(cx, options, "maxNumPaths", &v)) {
+ return false;
+ }
+ if (!JS::ToInt32(cx, v, &maxNumPaths)) {
+ return false;
+ }
+ }
+ if (maxNumPaths <= 0) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, v,
+ nullptr, "not greater than 0");
+ return false;
+ }
+ }
+
+ // Ensure we have at least one target.
+ size_t length = objs->getDenseInitializedLength();
+ if (length == 0) {
+ ReportValueError(cx, JSMSG_UNEXPECTED_TYPE, JSDVG_SEARCH_STACK, args[0],
+ nullptr,
+ "not a dense array object with one or more elements");
+ return false;
+ }
+
+ for (size_t i = 0; i < length; i++) {
+ RootedValue el(cx, objs->getDenseElement(i));
+ if (!el.isGCThing()) {
+ JS_ReportErrorASCII(cx, "Each target must be a GC thing");
+ return false;
+ }
+ }
+
+ // We accumulate the results into a GC-stable form, due to the fact that the
+ // JS::ubi::ShortestPaths lifetime (when operating on the live heap graph)
+ // is bounded within an AutoCheckCannotGC.
+ Rooted<GCVector<GCVector<GCVector<Value>>>> values(
+ cx, GCVector<GCVector<GCVector<Value>>>(cx));
+ Vector<Vector<Vector<JS::ubi::EdgeName>>> names(cx);
+
+ {
+ JS::ubi::Node root;
+
+ JS::ubi::RootList rootList(cx, true);
+ if (start.isNull()) {
+ auto [ok, nogc] = rootList.init();
+ (void)nogc; // Old compilers get anxious about nogc being unused.
+ if (!ok) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ root = JS::ubi::Node(&rootList);
+ } else {
+ root = JS::ubi::Node(start);
+ }
+ JS::AutoCheckCannotGC noGC(cx);
+
+ JS::ubi::NodeSet targets;
+
+ for (size_t i = 0; i < length; i++) {
+ RootedValue val(cx, objs->getDenseElement(i));
+ JS::ubi::Node node(val);
+ if (!targets.put(node)) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ }
+
+ auto maybeShortestPaths = JS::ubi::ShortestPaths::Create(
+ cx, noGC, maxNumPaths, root, std::move(targets));
+ if (maybeShortestPaths.isNothing()) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ auto& shortestPaths = *maybeShortestPaths;
+
+ for (size_t i = 0; i < length; i++) {
+ if (!values.append(GCVector<GCVector<Value>>(cx)) ||
+ !names.append(Vector<Vector<JS::ubi::EdgeName>>(cx))) {
+ return false;
+ }
+
+ RootedValue val(cx, objs->getDenseElement(i));
+ JS::ubi::Node target(val);
+
+ bool ok = shortestPaths.forEachPath(target, [&](JS::ubi::Path& path) {
+ Rooted<GCVector<Value>> pathVals(cx, GCVector<Value>(cx));
+ Vector<JS::ubi::EdgeName> pathNames(cx);
+
+ for (auto& part : path) {
+ if (!pathVals.append(part->predecessor().exposeToJS()) ||
+ !pathNames.append(std::move(part->name()))) {
+ return false;
+ }
+ }
+
+ return values.back().append(std::move(pathVals.get())) &&
+ names.back().append(std::move(pathNames));
+ });
+
+ if (!ok) {
+ return false;
+ }
+ }
+ }
+
+ MOZ_ASSERT(values.length() == names.length());
+ MOZ_ASSERT(values.length() == length);
+
+ Rooted<ArrayObject*> results(cx, NewDenseFullyAllocatedArray(cx, length));
+ if (!results) {
+ return false;
+ }
+ results->ensureDenseInitializedLength(0, length);
+
+ for (size_t i = 0; i < length; i++) {
+ size_t numPaths = values[i].length();
+ MOZ_ASSERT(names[i].length() == numPaths);
+
+ Rooted<ArrayObject*> pathsArray(cx,
+ NewDenseFullyAllocatedArray(cx, numPaths));
+ if (!pathsArray) {
+ return false;
+ }
+ pathsArray->ensureDenseInitializedLength(0, numPaths);
+
+ for (size_t j = 0; j < numPaths; j++) {
+ size_t pathLength = values[i][j].length();
+ MOZ_ASSERT(names[i][j].length() == pathLength);
+
+ Rooted<ArrayObject*> path(cx,
+ NewDenseFullyAllocatedArray(cx, pathLength));
+ if (!path) {
+ return false;
+ }
+ path->ensureDenseInitializedLength(0, pathLength);
+
+ for (size_t k = 0; k < pathLength; k++) {
+ Rooted<PlainObject*> part(cx, NewPlainObject(cx));
+ if (!part) {
+ return false;
+ }
+
+ RootedValue predecessor(cx, values[i][j][k]);
+ if (!cx->compartment()->wrap(cx, &predecessor) ||
+ !JS_DefineProperty(cx, part, "predecessor", predecessor,
+ JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ if (names[i][j][k]) {
+ RootedString edge(cx,
+ NewStringCopyZ<CanGC>(cx, names[i][j][k].get()));
+ if (!edge ||
+ !JS_DefineProperty(cx, part, "edge", edge, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ }
+
+ path->setDenseElement(k, ObjectValue(*part));
+ }
+
+ pathsArray->setDenseElement(j, ObjectValue(*path));
+ }
+
+ results->setDenseElement(i, ObjectValue(*pathsArray));
+ }
+
+ args.rval().setObject(*results);
+ return true;
+}
+
+static bool EvalReturningScope(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "evalReturningScope", 1)) {
+ return false;
+ }
+
+ RootedString str(cx, ToString(cx, args[0]));
+ if (!str) {
+ return false;
+ }
+
+ RootedObject global(cx);
+ if (args.hasDefined(1)) {
+ global = ToObject(cx, args[1]);
+ if (!global) {
+ return false;
+ }
+ }
+
+ JS::AutoFilename filename;
+ unsigned lineno;
+
+ JS::DescribeScriptedCaller(cx, &filename, &lineno);
+
+ JS::CompileOptions options(cx);
+ options.setFileAndLine(filename.get(), lineno);
+ options.setNoScriptRval(true);
+ options.setNonSyntacticScope(true);
+
+ AutoStableStringChars linearChars(cx);
+ if (!linearChars.initTwoByte(cx, str)) {
+ return false;
+ }
+ JS::SourceText<char16_t> srcBuf;
+ if (!srcBuf.initMaybeBorrowed(cx, linearChars)) {
+ return false;
+ }
+
+ if (global) {
+ global = CheckedUnwrapDynamic(global, cx, /* stopAtWindowProxy = */ false);
+ if (!global) {
+ JS_ReportErrorASCII(cx, "Permission denied to access global");
+ return false;
+ }
+ if (!global->is<GlobalObject>()) {
+ JS_ReportErrorASCII(cx, "Argument must be a global object");
+ return false;
+ }
+ } else {
+ global = JS::CurrentGlobalOrNull(cx);
+ }
+
+ RootedObject varObj(cx);
+
+ {
+ // ExecuteInFrameScriptEnvironment requires the script be in the same
+ // realm as the global. The script compilation should be done after
+ // switching globals.
+ AutoRealm ar(cx, global);
+
+ RootedScript script(cx, JS::Compile(cx, options, srcBuf));
+ if (!script) {
+ return false;
+ }
+
+ JS::RootedObject obj(cx, JS_NewPlainObject(cx));
+ if (!obj) {
+ return false;
+ }
+
+ RootedObject lexicalScope(cx);
+ if (!js::ExecuteInFrameScriptEnvironment(cx, obj, script, &lexicalScope)) {
+ return false;
+ }
+
+ varObj = lexicalScope->enclosingEnvironment()->enclosingEnvironment();
+ MOZ_ASSERT(varObj->is<NonSyntacticVariablesObject>());
+ }
+
+ RootedValue varObjVal(cx, ObjectValue(*varObj));
+ if (!cx->compartment()->wrap(cx, &varObjVal)) {
+ return false;
+ }
+
+ args.rval().set(varObjVal);
+ return true;
+}
+
+static bool ByteSize(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ mozilla::MallocSizeOf mallocSizeOf = cx->runtime()->debuggerMallocSizeOf;
+
+ {
+ // We can't tolerate the GC moving things around while we're using a
+ // ubi::Node. Check that nothing we do causes a GC.
+ JS::AutoCheckCannotGC autoCannotGC;
+
+ JS::ubi::Node node = args.get(0);
+ if (node) {
+ args.rval().setNumber(uint32_t(node.size(mallocSizeOf)));
+ } else {
+ args.rval().setUndefined();
+ }
+ }
+ return true;
+}
+
+static bool ByteSizeOfScript(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "byteSizeOfScript", 1)) {
+ return false;
+ }
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "Argument must be a Function object");
+ return false;
+ }
+
+ RootedFunction fun(cx, &args[0].toObject().as<JSFunction>());
+ if (fun->isNativeFun()) {
+ JS_ReportErrorASCII(cx, "Argument must be a scripted function");
+ return false;
+ }
+
+ RootedScript script(cx, JSFunction::getOrCreateScript(cx, fun));
+ if (!script) {
+ return false;
+ }
+
+ mozilla::MallocSizeOf mallocSizeOf = cx->runtime()->debuggerMallocSizeOf;
+
+ {
+ // We can't tolerate the GC moving things around while we're using a
+ // ubi::Node. Check that nothing we do causes a GC.
+ JS::AutoCheckCannotGC autoCannotGC;
+
+ JS::ubi::Node node = script;
+ if (node) {
+ args.rval().setNumber(uint32_t(node.size(mallocSizeOf)));
+ } else {
+ args.rval().setUndefined();
+ }
+ }
+ return true;
+}
+
+static bool SetImmutablePrototype(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.get(0).isObject()) {
+ JS_ReportErrorASCII(cx, "setImmutablePrototype: object expected");
+ return false;
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+
+ bool succeeded;
+ if (!js::SetImmutablePrototype(cx, obj, &succeeded)) {
+ return false;
+ }
+
+ args.rval().setBoolean(succeeded);
+ return true;
+}
+
+#ifdef DEBUG
+static bool DumpStringRepresentation(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedString str(cx, ToString(cx, args.get(0)));
+ if (!str) {
+ return false;
+ }
+
+ Fprinter out(stderr);
+ str->dumpRepresentation(out, 0);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetStringRepresentation(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedString str(cx, ToString(cx, args.get(0)));
+ if (!str) {
+ return false;
+ }
+
+ Sprinter out(cx, true);
+ if (!out.init()) {
+ return false;
+ }
+ str->dumpRepresentation(out, 0);
+
+ if (out.hadOutOfMemory()) {
+ return false;
+ }
+
+ JSString* rep = JS_NewStringCopyN(cx, out.string(), out.getOffset());
+ if (!rep) {
+ return false;
+ }
+
+ args.rval().setString(rep);
+ return true;
+}
+
+#endif
+
+static bool ParseCompileOptionsForModule(JSContext* cx,
+ JS::CompileOptions& options,
+ JS::Handle<JSObject*> opts,
+ bool& isModule) {
+ JS::Rooted<JS::Value> v(cx);
+
+ if (!JS_GetProperty(cx, opts, "module", &v)) {
+ return false;
+ }
+ if (!v.isUndefined() && JS::ToBoolean(v)) {
+ options.setModule();
+ isModule = true;
+ } else {
+ isModule = false;
+ }
+
+ return true;
+}
+
+static bool ParseCompileOptionsForInstantiate(JSContext* cx,
+ JS::CompileOptions& options,
+ JS::Handle<JSObject*> opts,
+ bool& prepareForInstantiate) {
+ JS::Rooted<JS::Value> v(cx);
+
+ if (!JS_GetProperty(cx, opts, "prepareForInstantiate", &v)) {
+ return false;
+ }
+ if (!v.isUndefined()) {
+ prepareForInstantiate = JS::ToBoolean(v);
+ } else {
+ prepareForInstantiate = false;
+ }
+
+ return true;
+}
+
+static bool CompileToStencil(JSContext* cx, uint32_t argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.requireAtLeast(cx, "compileToStencil", 1)) {
+ return false;
+ }
+ if (!args[0].isString()) {
+ const char* typeName = InformalValueTypeName(args[0]);
+ JS_ReportErrorASCII(cx, "expected string to parse, got %s", typeName);
+ return false;
+ }
+
+ RootedString src(cx, ToString<CanGC>(cx, args[0]));
+ if (!src) {
+ return false;
+ }
+
+ /* Linearize the string to obtain a char16_t* range. */
+ AutoStableStringChars linearChars(cx);
+ if (!linearChars.initTwoByte(cx, src)) {
+ return false;
+ }
+ JS::SourceText<char16_t> srcBuf;
+ if (!srcBuf.initMaybeBorrowed(cx, linearChars)) {
+ return false;
+ }
+
+ CompileOptions options(cx);
+ RootedString displayURL(cx);
+ RootedString sourceMapURL(cx);
+ UniqueChars fileNameBytes;
+ bool isModule = false;
+ bool prepareForInstantiate = false;
+ if (args.length() == 2) {
+ if (!args[1].isObject()) {
+ JS_ReportErrorASCII(
+ cx, "compileToStencil: The 2nd argument must be an object");
+ return false;
+ }
+
+ RootedObject opts(cx, &args[1].toObject());
+
+ if (!js::ParseCompileOptions(cx, options, opts, &fileNameBytes)) {
+ return false;
+ }
+ if (!ParseCompileOptionsForModule(cx, options, opts, isModule)) {
+ return false;
+ }
+ if (!ParseCompileOptionsForInstantiate(cx, options, opts,
+ prepareForInstantiate)) {
+ return false;
+ }
+ if (!js::ParseSourceOptions(cx, opts, &displayURL, &sourceMapURL)) {
+ return false;
+ }
+ }
+
+ AutoReportFrontendContext fc(cx);
+ RefPtr<JS::Stencil> stencil;
+ JS::CompilationStorage compileStorage;
+ if (isModule) {
+ stencil =
+ JS::CompileModuleScriptToStencil(&fc, options, srcBuf, compileStorage);
+ } else {
+ stencil =
+ JS::CompileGlobalScriptToStencil(&fc, options, srcBuf, compileStorage);
+ }
+ if (!stencil) {
+ return false;
+ }
+
+ if (!SetSourceOptions(cx, &fc, stencil->source, displayURL, sourceMapURL)) {
+ return false;
+ }
+
+ JS::InstantiationStorage storage;
+ if (prepareForInstantiate) {
+ if (!JS::PrepareForInstantiate(&fc, compileStorage, *stencil, storage)) {
+ return false;
+ }
+ }
+
+ Rooted<js::StencilObject*> stencilObj(
+ cx, js::StencilObject::create(cx, std::move(stencil)));
+ if (!stencilObj) {
+ return false;
+ }
+
+ args.rval().setObject(*stencilObj);
+ return true;
+}
+
+static bool EvalStencil(JSContext* cx, uint32_t argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.requireAtLeast(cx, "evalStencil", 1)) {
+ return false;
+ }
+
+ /* Prepare the input byte array. */
+ if (!args[0].isObject() || !args[0].toObject().is<js::StencilObject>()) {
+ JS_ReportErrorASCII(cx, "evalStencil: Stencil object expected");
+ return false;
+ }
+ Rooted<js::StencilObject*> stencilObj(
+ cx, &args[0].toObject().as<js::StencilObject>());
+
+ if (stencilObj->stencil()->isModule()) {
+ JS_ReportErrorASCII(cx,
+ "evalStencil: Module stencil cannot be evaluated. Use "
+ "instantiateModuleStencil instead");
+ return false;
+ }
+
+ CompileOptions options(cx);
+ UniqueChars fileNameBytes;
+ Rooted<JS::Value> privateValue(cx);
+ Rooted<JSString*> elementAttributeName(cx);
+ if (args.length() == 2) {
+ if (!args[1].isObject()) {
+ JS_ReportErrorASCII(cx,
+ "evalStencil: The 2nd argument must be an object");
+ return false;
+ }
+
+ RootedObject opts(cx, &args[1].toObject());
+
+ if (!js::ParseCompileOptions(cx, options, opts, &fileNameBytes)) {
+ return false;
+ }
+ if (!js::ParseDebugMetadata(cx, opts, &privateValue,
+ &elementAttributeName)) {
+ return false;
+ }
+ }
+
+ bool useDebugMetadata = !privateValue.isUndefined() || elementAttributeName;
+
+ JS::InstantiateOptions instantiateOptions(options);
+ if (useDebugMetadata) {
+ instantiateOptions.hideScriptFromDebugger = true;
+ }
+ RootedScript script(cx, JS::InstantiateGlobalStencil(cx, instantiateOptions,
+ stencilObj->stencil()));
+ if (!script) {
+ return false;
+ }
+
+ if (useDebugMetadata) {
+ instantiateOptions.hideScriptFromDebugger = false;
+ if (!JS::UpdateDebugMetadata(cx, script, instantiateOptions, privateValue,
+ elementAttributeName, nullptr, nullptr)) {
+ return false;
+ }
+ }
+
+ RootedValue retVal(cx);
+ if (!JS_ExecuteScript(cx, script, &retVal)) {
+ return false;
+ }
+
+ args.rval().set(retVal);
+ return true;
+}
+
+static bool CompileToStencilXDR(JSContext* cx, uint32_t argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.requireAtLeast(cx, "compileToStencilXDR", 1)) {
+ return false;
+ }
+
+ RootedString src(cx, ToString<CanGC>(cx, args[0]));
+ if (!src) {
+ return false;
+ }
+
+ /* Linearize the string to obtain a char16_t* range. */
+ AutoStableStringChars linearChars(cx);
+ if (!linearChars.initTwoByte(cx, src)) {
+ return false;
+ }
+ JS::SourceText<char16_t> srcBuf;
+ if (!srcBuf.initMaybeBorrowed(cx, linearChars)) {
+ return false;
+ }
+
+ CompileOptions options(cx);
+ RootedString displayURL(cx);
+ RootedString sourceMapURL(cx);
+ UniqueChars fileNameBytes;
+ bool isModule = false;
+ if (args.length() == 2) {
+ if (!args[1].isObject()) {
+ JS_ReportErrorASCII(
+ cx, "compileToStencilXDR: The 2nd argument must be an object");
+ return false;
+ }
+
+ RootedObject opts(cx, &args[1].toObject());
+
+ if (!js::ParseCompileOptions(cx, options, opts, &fileNameBytes)) {
+ return false;
+ }
+ if (!ParseCompileOptionsForModule(cx, options, opts, isModule)) {
+ return false;
+ }
+ if (!js::ParseSourceOptions(cx, opts, &displayURL, &sourceMapURL)) {
+ return false;
+ }
+ }
+
+ /* Compile the script text to stencil. */
+ AutoReportFrontendContext fc(cx);
+ frontend::NoScopeBindingCache scopeCache;
+ Rooted<frontend::CompilationInput> input(cx,
+ frontend::CompilationInput(options));
+ UniquePtr<frontend::ExtensibleCompilationStencil> stencil;
+ if (isModule) {
+ stencil = frontend::ParseModuleToExtensibleStencil(
+ cx, &fc, cx->tempLifoAlloc(), input.get(), &scopeCache, srcBuf);
+ } else {
+ stencil = frontend::CompileGlobalScriptToExtensibleStencil(
+ cx, &fc, input.get(), &scopeCache, srcBuf, ScopeKind::Global);
+ }
+ if (!stencil) {
+ return false;
+ }
+
+ if (!SetSourceOptions(cx, &fc, stencil->source, displayURL, sourceMapURL)) {
+ return false;
+ }
+
+ /* Serialize the stencil to XDR. */
+ JS::TranscodeBuffer xdrBytes;
+ {
+ frontend::BorrowingCompilationStencil borrowingStencil(*stencil);
+ bool succeeded = false;
+ if (!borrowingStencil.serializeStencils(cx, input.get(), xdrBytes,
+ &succeeded)) {
+ return false;
+ }
+ if (!succeeded) {
+ fc.clearAutoReport();
+ JS_ReportErrorASCII(cx, "Encoding failure");
+ return false;
+ }
+ }
+
+ Rooted<StencilXDRBufferObject*> xdrObj(
+ cx,
+ StencilXDRBufferObject::create(cx, xdrBytes.begin(), xdrBytes.length()));
+ if (!xdrObj) {
+ return false;
+ }
+
+ args.rval().setObject(*xdrObj);
+ return true;
+}
+
+static bool EvalStencilXDR(JSContext* cx, uint32_t argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.requireAtLeast(cx, "evalStencilXDR", 1)) {
+ return false;
+ }
+
+ /* Prepare the input byte array. */
+ if (!args[0].isObject() || !args[0].toObject().is<StencilXDRBufferObject>()) {
+ JS_ReportErrorASCII(cx, "evalStencilXDR: stencil XDR object expected");
+ return false;
+ }
+ Rooted<StencilXDRBufferObject*> xdrObj(
+ cx, &args[0].toObject().as<StencilXDRBufferObject>());
+ MOZ_ASSERT(xdrObj->hasBuffer());
+
+ CompileOptions options(cx);
+ UniqueChars fileNameBytes;
+ Rooted<JS::Value> privateValue(cx);
+ Rooted<JSString*> elementAttributeName(cx);
+ if (args.length() == 2) {
+ if (!args[1].isObject()) {
+ JS_ReportErrorASCII(cx,
+ "evalStencilXDR: The 2nd argument must be an object");
+ return false;
+ }
+
+ RootedObject opts(cx, &args[1].toObject());
+
+ if (!js::ParseCompileOptions(cx, options, opts, &fileNameBytes)) {
+ return false;
+ }
+ if (!js::ParseDebugMetadata(cx, opts, &privateValue,
+ &elementAttributeName)) {
+ return false;
+ }
+ }
+
+ /* Prepare the CompilationStencil for decoding. */
+ AutoReportFrontendContext fc(cx);
+ frontend::CompilationStencil stencil(nullptr);
+
+ /* Deserialize the stencil from XDR. */
+ JS::TranscodeRange xdrRange(xdrObj->buffer(), xdrObj->bufferLength());
+ bool succeeded = false;
+ if (!stencil.deserializeStencils(&fc, options, xdrRange, &succeeded)) {
+ return false;
+ }
+ if (!succeeded) {
+ fc.clearAutoReport();
+ JS_ReportErrorASCII(cx, "Decoding failure");
+ return false;
+ }
+
+ if (stencil.isModule()) {
+ fc.clearAutoReport();
+ JS_ReportErrorASCII(cx,
+ "evalStencilXDR: Module stencil cannot be evaluated. "
+ "Use instantiateModuleStencilXDR instead");
+ return false;
+ }
+
+ bool useDebugMetadata = !privateValue.isUndefined() || elementAttributeName;
+
+ JS::InstantiateOptions instantiateOptions(options);
+ if (useDebugMetadata) {
+ instantiateOptions.hideScriptFromDebugger = true;
+ }
+ RootedScript script(
+ cx, JS::InstantiateGlobalStencil(cx, instantiateOptions, &stencil));
+ if (!script) {
+ return false;
+ }
+
+ if (useDebugMetadata) {
+ instantiateOptions.hideScriptFromDebugger = false;
+ if (!JS::UpdateDebugMetadata(cx, script, instantiateOptions, privateValue,
+ elementAttributeName, nullptr, nullptr)) {
+ return false;
+ }
+ }
+
+ RootedValue retVal(cx);
+ if (!JS_ExecuteScript(cx, script, &retVal)) {
+ return false;
+ }
+
+ args.rval().set(retVal);
+ return true;
+}
+
+static bool GetExceptionInfo(JSContext* cx, uint32_t argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (!args.requireAtLeast(cx, "getExceptionInfo", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
+ JS_ReportErrorASCII(cx, "getExceptionInfo: expected function argument");
+ return false;
+ }
+
+ RootedValue rval(cx);
+ if (JS_CallFunctionValue(cx, nullptr, args[0], JS::HandleValueArray::empty(),
+ &rval)) {
+ // Function didn't throw.
+ args.rval().setNull();
+ return true;
+ }
+
+ // We currently don't support interrupts or forced returns.
+ if (!cx->isExceptionPending()) {
+ JS_ReportErrorASCII(cx, "getExceptionInfo: unsupported exception status");
+ return false;
+ }
+
+ RootedValue excVal(cx);
+ Rooted<SavedFrame*> stack(cx);
+ if (!GetAndClearExceptionAndStack(cx, &excVal, &stack)) {
+ return false;
+ }
+
+ RootedValue stackVal(cx);
+ if (stack) {
+ RootedString stackString(cx);
+ if (!BuildStackString(cx, cx->realm()->principals(), stack, &stackString)) {
+ return false;
+ }
+ stackVal.setString(stackString);
+ } else {
+ stackVal.setNull();
+ }
+
+ RootedObject obj(cx, NewPlainObject(cx));
+ if (!obj) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "exception", excVal, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "stack", stackVal, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+class AllocationMarkerObject : public NativeObject {
+ public:
+ static const JSClass class_;
+};
+
+const JSClass AllocationMarkerObject::class_ = {"AllocationMarker"};
+
+static bool AllocationMarker(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ bool allocateInsideNursery = true;
+ if (args.length() > 0 && args[0].isObject()) {
+ RootedObject options(cx, &args[0].toObject());
+
+ RootedValue nurseryVal(cx);
+ if (!JS_GetProperty(cx, options, "nursery", &nurseryVal)) {
+ return false;
+ }
+ allocateInsideNursery = ToBoolean(nurseryVal);
+ }
+
+ JSObject* obj =
+ allocateInsideNursery
+ ? NewObjectWithGivenProto<AllocationMarkerObject>(cx, nullptr)
+ : NewTenuredObjectWithGivenProto<AllocationMarkerObject>(cx, nullptr);
+ if (!obj) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+namespace gcCallback {
+
+struct MajorGC {
+ int32_t depth;
+ int32_t phases;
+};
+
+static void majorGC(JSContext* cx, JSGCStatus status, JS::GCReason reason,
+ void* data) {
+ auto info = static_cast<MajorGC*>(data);
+ if (!(info->phases & (1 << status))) {
+ return;
+ }
+
+ if (info->depth > 0) {
+ info->depth--;
+ JS::PrepareForFullGC(cx);
+ JS::NonIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API);
+ info->depth++;
+ }
+}
+
+struct MinorGC {
+ int32_t phases;
+ bool active;
+};
+
+static void minorGC(JSContext* cx, JSGCStatus status, JS::GCReason reason,
+ void* data) {
+ auto info = static_cast<MinorGC*>(data);
+ if (!(info->phases & (1 << status))) {
+ return;
+ }
+
+ if (info->active) {
+ info->active = false;
+ if (cx->zone() && !cx->zone()->isAtomsZone()) {
+ cx->runtime()->gc.evictNursery(JS::GCReason::DEBUG_GC);
+ }
+ info->active = true;
+ }
+}
+
+// Process global, should really be runtime-local.
+static MajorGC majorGCInfo;
+static MinorGC minorGCInfo;
+
+static void enterNullRealm(JSContext* cx, JSGCStatus status,
+ JS::GCReason reason, void* data) {
+ JSAutoNullableRealm enterRealm(cx, nullptr);
+}
+
+} /* namespace gcCallback */
+
+static bool SetGCCallback(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1) {
+ JS_ReportErrorASCII(cx, "Wrong number of arguments");
+ return false;
+ }
+
+ RootedObject opts(cx, ToObject(cx, args[0]));
+ if (!opts) {
+ return false;
+ }
+
+ RootedValue v(cx);
+ if (!JS_GetProperty(cx, opts, "action", &v)) {
+ return false;
+ }
+
+ JSString* str = JS::ToString(cx, v);
+ if (!str) {
+ return false;
+ }
+ Rooted<JSLinearString*> action(cx, str->ensureLinear(cx));
+ if (!action) {
+ return false;
+ }
+
+ int32_t phases = 0;
+ if (StringEqualsLiteral(action, "minorGC") ||
+ StringEqualsLiteral(action, "majorGC")) {
+ if (!JS_GetProperty(cx, opts, "phases", &v)) {
+ return false;
+ }
+ if (v.isUndefined()) {
+ phases = (1 << JSGC_END);
+ } else {
+ JSString* str = JS::ToString(cx, v);
+ if (!str) {
+ return false;
+ }
+ JSLinearString* phasesStr = str->ensureLinear(cx);
+ if (!phasesStr) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(phasesStr, "begin")) {
+ phases = (1 << JSGC_BEGIN);
+ } else if (StringEqualsLiteral(phasesStr, "end")) {
+ phases = (1 << JSGC_END);
+ } else if (StringEqualsLiteral(phasesStr, "both")) {
+ phases = (1 << JSGC_BEGIN) | (1 << JSGC_END);
+ } else {
+ JS_ReportErrorASCII(cx, "Invalid callback phase");
+ return false;
+ }
+ }
+ }
+
+ if (StringEqualsLiteral(action, "minorGC")) {
+ gcCallback::minorGCInfo.phases = phases;
+ gcCallback::minorGCInfo.active = true;
+ JS_SetGCCallback(cx, gcCallback::minorGC, &gcCallback::minorGCInfo);
+ } else if (StringEqualsLiteral(action, "majorGC")) {
+ if (!JS_GetProperty(cx, opts, "depth", &v)) {
+ return false;
+ }
+ int32_t depth = 1;
+ if (!v.isUndefined()) {
+ if (!ToInt32(cx, v, &depth)) {
+ return false;
+ }
+ }
+ if (depth < 0) {
+ JS_ReportErrorASCII(cx, "Nesting depth cannot be negative");
+ return false;
+ }
+ if (depth + gcstats::MAX_PHASE_NESTING >
+ gcstats::Statistics::MAX_SUSPENDED_PHASES) {
+ JS_ReportErrorASCII(cx, "Nesting depth too large, would overflow");
+ return false;
+ }
+
+ gcCallback::majorGCInfo.phases = phases;
+ gcCallback::majorGCInfo.depth = depth;
+ JS_SetGCCallback(cx, gcCallback::majorGC, &gcCallback::majorGCInfo);
+ } else if (StringEqualsLiteral(action, "enterNullRealm")) {
+ JS_SetGCCallback(cx, gcCallback::enterNullRealm, nullptr);
+ } else {
+ JS_ReportErrorASCII(cx, "Unknown GC callback action");
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+#ifdef DEBUG
+static bool EnqueueMark(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ gc::GCRuntime* gc = &cx->runtime()->gc;
+
+ if (args.get(0).isString()) {
+ RootedString val(cx, args[0].toString());
+ if (!val->ensureLinear(cx)) {
+ return false;
+ }
+ if (!gc->appendTestMarkQueue(StringValue(val))) {
+ JS_ReportOutOfMemory(cx);
+ return false;
+ }
+ } else if (args.get(0).isObject()) {
+ if (!gc->appendTestMarkQueue(args[0])) {
+ JS_ReportOutOfMemory(cx);
+ return false;
+ }
+ } else {
+ JS_ReportErrorASCII(cx, "Argument must be a string or object");
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetMarkQueue(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ const auto& queue = cx->runtime()->gc.getTestMarkQueue();
+
+ RootedObject result(cx, JS::NewArrayObject(cx, queue.length()));
+ if (!result) {
+ return false;
+ }
+ for (size_t i = 0; i < queue.length(); i++) {
+ RootedValue val(cx, queue[i]);
+ if (!JS_WrapValue(cx, &val)) {
+ return false;
+ }
+ if (!JS_SetElement(cx, result, i, val)) {
+ return false;
+ }
+ }
+
+ args.rval().setObject(*result);
+ return true;
+}
+
+static bool ClearMarkQueue(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ cx->runtime()->gc.clearTestMarkQueue();
+ args.rval().setUndefined();
+ return true;
+}
+#endif // DEBUG
+
+static bool NurseryStringsEnabled(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ args.rval().setBoolean(cx->zone()->allocNurseryStrings());
+ return true;
+}
+
+static bool IsNurseryAllocated(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.get(0).isGCThing()) {
+ JS_ReportErrorASCII(
+ cx, "The function takes one argument, which must be a GC thing");
+ return false;
+ }
+
+ args.rval().setBoolean(IsInsideNursery(args[0].toGCThing()));
+ return true;
+}
+
+static bool GetLcovInfo(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() > 1) {
+ JS_ReportErrorASCII(cx, "Wrong number of arguments");
+ return false;
+ }
+
+ if (!coverage::IsLCovEnabled()) {
+ JS_ReportErrorASCII(cx, "Coverage not enabled for process.");
+ return false;
+ }
+
+ RootedObject global(cx);
+ if (args.hasDefined(0)) {
+ global = ToObject(cx, args[0]);
+ if (!global) {
+ JS_ReportErrorASCII(cx, "Permission denied to access global");
+ return false;
+ }
+ global = CheckedUnwrapDynamic(global, cx, /* stopAtWindowProxy = */ false);
+ if (!global) {
+ ReportAccessDenied(cx);
+ return false;
+ }
+ if (!global->is<GlobalObject>()) {
+ JS_ReportErrorASCII(cx, "Argument must be a global object");
+ return false;
+ }
+ } else {
+ global = JS::CurrentGlobalOrNull(cx);
+ }
+
+ size_t length = 0;
+ UniqueChars content;
+ {
+ AutoRealm ar(cx, global);
+ content = js::GetCodeCoverageSummary(cx, &length);
+ }
+
+ if (!content) {
+ return false;
+ }
+
+ JSString* str =
+ JS_NewStringCopyUTF8N(cx, JS::UTF8Chars(content.get(), length));
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+#ifdef DEBUG
+static bool SetRNGState(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "SetRNGState", 2)) {
+ return false;
+ }
+
+ double d0;
+ if (!ToNumber(cx, args[0], &d0)) {
+ return false;
+ }
+
+ double d1;
+ if (!ToNumber(cx, args[1], &d1)) {
+ return false;
+ }
+
+ uint64_t seed0 = static_cast<uint64_t>(d0);
+ uint64_t seed1 = static_cast<uint64_t>(d1);
+
+ if (seed0 == 0 && seed1 == 0) {
+ JS_ReportErrorASCII(cx, "RNG requires non-zero seed");
+ return false;
+ }
+
+ cx->realm()->getOrCreateRandomNumberGenerator().setState(seed0, seed1);
+
+ args.rval().setUndefined();
+ return true;
+}
+#endif
+
+static bool GetTimeZone(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (args.length() != 0) {
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+#ifndef __wasi__
+ auto getTimeZone = [](std::time_t* now) -> const char* {
+ std::tm local{};
+# if defined(_WIN32)
+ _tzset();
+ if (localtime_s(&local, now) == 0) {
+ return _tzname[local.tm_isdst > 0];
+ }
+# else
+ tzset();
+# if defined(HAVE_LOCALTIME_R)
+ if (localtime_r(now, &local)) {
+# else
+ std::tm* localtm = std::localtime(now);
+ if (localtm) {
+ *local = *localtm;
+# endif /* HAVE_LOCALTIME_R */
+
+# if defined(HAVE_TM_ZONE_TM_GMTOFF)
+ return local.tm_zone;
+# else
+ return tzname[local.tm_isdst > 0];
+# endif /* HAVE_TM_ZONE_TM_GMTOFF */
+ }
+# endif /* _WIN32 */
+ return nullptr;
+ };
+
+ std::time_t now = std::time(nullptr);
+ if (now != static_cast<std::time_t>(-1)) {
+ if (const char* tz = getTimeZone(&now)) {
+ return ReturnStringCopy(cx, args, tz);
+ }
+ }
+#endif /* __wasi__ */
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool SetTimeZone(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (args.length() != 1) {
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ if (!args[0].isString() && !args[0].isUndefined()) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument should be a string or undefined");
+ return false;
+ }
+
+#ifndef __wasi__
+ auto setTimeZone = [](const char* value) {
+# if defined(_WIN32)
+ return _putenv_s("TZ", value) == 0;
+# else
+ return setenv("TZ", value, true) == 0;
+# endif /* _WIN32 */
+ };
+
+ auto unsetTimeZone = []() {
+# if defined(_WIN32)
+ return _putenv_s("TZ", "") == 0;
+# else
+ return unsetenv("TZ") == 0;
+# endif /* _WIN32 */
+ };
+
+ if (args[0].isString() && !args[0].toString()->empty()) {
+ Rooted<JSLinearString*> str(cx, args[0].toString()->ensureLinear(cx));
+ if (!str) {
+ return false;
+ }
+
+ if (!StringIsAscii(str)) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument contains non-ASCII characters");
+ return false;
+ }
+
+ UniqueChars timeZone = JS_EncodeStringToASCII(cx, str);
+ if (!timeZone) {
+ return false;
+ }
+
+ if (!setTimeZone(timeZone.get())) {
+ JS_ReportErrorASCII(cx, "Failed to set 'TZ' environment variable");
+ return false;
+ }
+ } else {
+ if (!unsetTimeZone()) {
+ JS_ReportErrorASCII(cx, "Failed to unset 'TZ' environment variable");
+ return false;
+ }
+ }
+
+# if defined(_WIN32)
+ _tzset();
+# else
+ tzset();
+# endif /* _WIN32 */
+
+ JS::ResetTimeZone();
+
+#endif /* __wasi__ */
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetCoreCount(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (args.length() != 0) {
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ args.rval().setInt32(GetCPUCount());
+ return true;
+}
+
+static bool GetDefaultLocale(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (args.length() != 0) {
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ UniqueChars locale = JS_GetDefaultLocale(cx);
+ if (!locale) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_DEFAULT_LOCALE_ERROR);
+ return false;
+ }
+
+ return ReturnStringCopy(cx, args, locale.get());
+}
+
+static bool SetDefaultLocale(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (args.length() != 1) {
+ ReportUsageErrorASCII(cx, callee, "Wrong number of arguments");
+ return false;
+ }
+
+ if (!args[0].isString() && !args[0].isUndefined()) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument should be a string or undefined");
+ return false;
+ }
+
+ if (args[0].isString() && !args[0].toString()->empty()) {
+ Rooted<JSLinearString*> str(cx, args[0].toString()->ensureLinear(cx));
+ if (!str) {
+ return false;
+ }
+
+ if (!StringIsAscii(str)) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument contains non-ASCII characters");
+ return false;
+ }
+
+ UniqueChars locale = JS_EncodeStringToASCII(cx, str);
+ if (!locale) {
+ return false;
+ }
+
+ bool containsOnlyValidBCP47Characters =
+ mozilla::IsAsciiAlpha(locale[0]) &&
+ std::all_of(locale.get(), locale.get() + str->length(), [](auto c) {
+ return mozilla::IsAsciiAlphanumeric(c) || c == '-';
+ });
+
+ if (!containsOnlyValidBCP47Characters) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument should be a BCP47 language tag");
+ return false;
+ }
+
+ if (!JS_SetDefaultLocale(cx->runtime(), locale.get())) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+ } else {
+ JS_ResetDefaultLocale(cx->runtime());
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+#ifdef AFLFUZZ
+static bool AflLoop(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ uint32_t max_cnt;
+ if (!ToUint32(cx, args.get(0), &max_cnt)) {
+ return false;
+ }
+
+ args.rval().setBoolean(!!__AFL_LOOP(max_cnt));
+ return true;
+}
+#endif
+
+static bool MonotonicNow(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ double now;
+
+// The std::chrono symbols are too new to be present in STL on all platforms we
+// care about, so use raw POSIX clock APIs when it might be necessary.
+#if defined(XP_UNIX) && !defined(XP_DARWIN)
+ auto ComputeNow = [](const timespec& ts) {
+ return ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
+ };
+
+ timespec ts;
+ if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
+ // Use a monotonic clock if available.
+ now = ComputeNow(ts);
+ } else {
+ // Use a realtime clock as fallback.
+ if (clock_gettime(CLOCK_REALTIME, &ts) != 0) {
+ // Fail if no clock is available.
+ JS_ReportErrorASCII(cx, "can't retrieve system clock");
+ return false;
+ }
+
+ now = ComputeNow(ts);
+
+ // Manually enforce atomicity on a non-monotonic clock.
+ {
+ static mozilla::Atomic<bool, mozilla::ReleaseAcquire> spinLock;
+ while (!spinLock.compareExchange(false, true)) {
+ continue;
+ }
+
+ static double lastNow = -FLT_MAX;
+ now = lastNow = std::max(now, lastNow);
+
+ spinLock = false;
+ }
+ }
+#else
+ using std::chrono::duration_cast;
+ using std::chrono::milliseconds;
+ using std::chrono::steady_clock;
+ now = duration_cast<milliseconds>(steady_clock::now().time_since_epoch())
+ .count();
+#endif // XP_UNIX && !XP_DARWIN
+
+ args.rval().setNumber(now);
+ return true;
+}
+
+static bool TimeSinceCreation(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ double when =
+ (mozilla::TimeStamp::Now() - mozilla::TimeStamp::ProcessCreation())
+ .ToMilliseconds();
+ args.rval().setNumber(when);
+ return true;
+}
+
+static bool GetInnerMostEnvironmentObject(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ FrameIter iter(cx);
+ if (iter.done()) {
+ args.rval().setNull();
+ return true;
+ }
+
+ args.rval().setObjectOrNull(iter.environmentChain(cx));
+ return true;
+}
+
+static bool GetEnclosingEnvironmentObject(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "getEnclosingEnvironmentObject", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject()) {
+ args.rval().setUndefined();
+ return true;
+ }
+
+ JSObject* envObj = &args[0].toObject();
+
+ if (envObj->is<EnvironmentObject>()) {
+ EnvironmentObject* env = &envObj->as<EnvironmentObject>();
+ args.rval().setObject(env->enclosingEnvironment());
+ return true;
+ }
+
+ if (envObj->is<DebugEnvironmentProxy>()) {
+ DebugEnvironmentProxy* envProxy = &envObj->as<DebugEnvironmentProxy>();
+ args.rval().setObject(envProxy->enclosingEnvironment());
+ return true;
+ }
+
+ args.rval().setNull();
+ return true;
+}
+
+static bool GetEnvironmentObjectType(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "getEnvironmentObjectType", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject()) {
+ args.rval().setUndefined();
+ return true;
+ }
+
+ JSObject* envObj = &args[0].toObject();
+
+ if (envObj->is<EnvironmentObject>()) {
+ EnvironmentObject* env = &envObj->as<EnvironmentObject>();
+ JSString* str = JS_NewStringCopyZ(cx, env->typeString());
+ args.rval().setString(str);
+ return true;
+ }
+ if (envObj->is<DebugEnvironmentProxy>()) {
+ DebugEnvironmentProxy* envProxy = &envObj->as<DebugEnvironmentProxy>();
+ EnvironmentObject* env = &envProxy->environment();
+ char buf[256] = {'\0'};
+ SprintfLiteral(buf, "[DebugProxy] %s", env->typeString());
+ JSString* str = JS_NewStringCopyZ(cx, buf);
+ args.rval().setString(str);
+ return true;
+ }
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GetErrorNotes(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "getErrorNotes", 1)) {
+ return false;
+ }
+
+ if (!args[0].isObject() || !args[0].toObject().is<ErrorObject>()) {
+ args.rval().setNull();
+ return true;
+ }
+
+ JSErrorReport* report = args[0].toObject().as<ErrorObject>().getErrorReport();
+ if (!report) {
+ args.rval().setNull();
+ return true;
+ }
+
+ RootedObject notesArray(cx, CreateErrorNotesArray(cx, report));
+ if (!notesArray) {
+ return false;
+ }
+
+ args.rval().setObject(*notesArray);
+ return true;
+}
+
+static bool IsConstructor(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (args.length() < 1) {
+ args.rval().setBoolean(false);
+ } else {
+ args.rval().setBoolean(IsConstructor(args[0]));
+ }
+ return true;
+}
+
+static bool SetTimeResolution(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.requireAtLeast(cx, "setTimeResolution", 2)) {
+ return false;
+ }
+
+ if (!args[0].isInt32()) {
+ ReportUsageErrorASCII(cx, callee, "First argument must be an Int32.");
+ return false;
+ }
+ int32_t resolution = args[0].toInt32();
+
+ if (!args[1].isBoolean()) {
+ ReportUsageErrorASCII(cx, callee, "Second argument must be a Boolean");
+ return false;
+ }
+ bool jitter = args[1].toBoolean();
+
+ JS::SetTimeResolutionUsec(resolution, jitter);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool ScriptedCallerGlobal(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedObject obj(cx, JS::GetScriptedCallerGlobal(cx));
+ if (!obj) {
+ args.rval().setNull();
+ return true;
+ }
+
+ obj = ToWindowProxyIfWindow(obj);
+
+ if (!cx->compartment()->wrap(cx, &obj)) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool ObjectGlobal(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.get(0).isObject()) {
+ ReportUsageErrorASCII(cx, callee, "Argument must be an object");
+ return false;
+ }
+
+ RootedObject obj(cx, &args[0].toObject());
+ if (IsCrossCompartmentWrapper(obj)) {
+ args.rval().setNull();
+ return true;
+ }
+
+ obj = ToWindowProxyIfWindow(&obj->nonCCWGlobal());
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool IsSameCompartment(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.get(0).isObject() || !args.get(1).isObject()) {
+ ReportUsageErrorASCII(cx, callee, "Both arguments must be objects");
+ return false;
+ }
+
+ RootedObject obj1(cx, UncheckedUnwrap(&args[0].toObject()));
+ RootedObject obj2(cx, UncheckedUnwrap(&args[1].toObject()));
+
+ args.rval().setBoolean(obj1->compartment() == obj2->compartment());
+ return true;
+}
+
+static bool FirstGlobalInCompartment(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.get(0).isObject()) {
+ ReportUsageErrorASCII(cx, callee, "Argument must be an object");
+ return false;
+ }
+
+ RootedObject obj(cx, UncheckedUnwrap(&args[0].toObject()));
+ obj = ToWindowProxyIfWindow(GetFirstGlobalInCompartment(obj->compartment()));
+
+ if (!cx->compartment()->wrap(cx, &obj)) {
+ return false;
+ }
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+static bool AssertCorrectRealm(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ MOZ_RELEASE_ASSERT(cx->realm() == args.callee().as<JSFunction>().realm());
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool GlobalLexicals(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ Rooted<GlobalLexicalEnvironmentObject*> globalLexical(
+ cx, &cx->global()->lexicalEnvironment());
+
+ RootedIdVector props(cx);
+ if (!GetPropertyKeys(cx, globalLexical, JSITER_HIDDEN, &props)) {
+ return false;
+ }
+
+ RootedObject res(cx, JS_NewPlainObject(cx));
+ if (!res) {
+ return false;
+ }
+
+ RootedValue val(cx);
+ for (size_t i = 0; i < props.length(); i++) {
+ HandleId id = props[i];
+ if (!JS_GetPropertyById(cx, globalLexical, id, &val)) {
+ return false;
+ }
+ if (val.isMagic(JS_UNINITIALIZED_LEXICAL)) {
+ continue;
+ }
+ if (!JS_DefinePropertyById(cx, res, id, val, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ }
+
+ args.rval().setObject(*res);
+ return true;
+}
+
+static bool EncodeAsUtf8InBuffer(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "encodeAsUtf8InBuffer", 2)) {
+ return false;
+ }
+
+ RootedObject callee(cx, &args.callee());
+
+ if (!args[0].isString()) {
+ ReportUsageErrorASCII(cx, callee, "First argument must be a String");
+ return false;
+ }
+
+ // Create the amounts array early so that the raw pointer into Uint8Array
+ // data has as short a lifetime as possible
+ Rooted<ArrayObject*> array(cx, NewDenseFullyAllocatedArray(cx, 2));
+ if (!array) {
+ return false;
+ }
+ array->ensureDenseInitializedLength(0, 2);
+
+ JSObject* obj = args[1].isObject() ? &args[1].toObject() : nullptr;
+ Rooted<JS::Uint8Array> view(cx, JS::Uint8Array::unwrap(obj));
+ if (!view) {
+ ReportUsageErrorASCII(cx, callee, "Second argument must be a Uint8Array");
+ return false;
+ }
+
+ size_t length;
+ bool isSharedMemory = false;
+ uint8_t* data = nullptr;
+ {
+ // The hazard analysis does not track the data pointer, so it can neither
+ // tell that `data` is dead if ReportUsageErrorASCII is called, nor that
+ // its live range ends at the call to AsWritableChars(). Construct a
+ // temporary scope to hide from the analysis. This should really be replaced
+ // with a safer mechanism.
+ JS::AutoCheckCannotGC nogc(cx);
+ if (!view.isDetached()) {
+ data = view.get().getLengthAndData(&length, &isSharedMemory, nogc);
+ }
+ }
+
+ if (isSharedMemory || // exclude views of SharedArrayBuffers
+ !data) { // exclude views of detached ArrayBuffers
+ ReportUsageErrorASCII(
+ cx, callee,
+ "Second argument must be an unshared, non-detached Uint8Array");
+ return false;
+ }
+
+ Maybe<std::tuple<size_t, size_t>> amounts =
+ JS_EncodeStringToUTF8BufferPartial(cx, args[0].toString(),
+ AsWritableChars(Span(data, length)));
+ if (!amounts) {
+ ReportOutOfMemory(cx);
+ return false;
+ }
+
+ auto [unitsRead, bytesWritten] = *amounts;
+
+ array->initDenseElement(0, Int32Value(AssertedCast<int32_t>(unitsRead)));
+ array->initDenseElement(1, Int32Value(AssertedCast<int32_t>(bytesWritten)));
+
+ args.rval().setObject(*array);
+ return true;
+}
+
+JSScript* js::TestingFunctionArgumentToScript(
+ JSContext* cx, HandleValue v, JSFunction** funp /* = nullptr */) {
+ if (v.isString()) {
+ // To convert a string to a script, compile it. Parse it as an ES6 Program.
+ Rooted<JSString*> str(cx, v.toString());
+ AutoStableStringChars linearChars(cx);
+ if (!linearChars.initTwoByte(cx, str)) {
+ return nullptr;
+ }
+ SourceText<char16_t> source;
+ if (!source.initMaybeBorrowed(cx, linearChars)) {
+ return nullptr;
+ }
+
+ CompileOptions options(cx);
+ return JS::Compile(cx, options, source);
+ }
+
+ RootedFunction fun(cx, JS_ValueToFunction(cx, v));
+ if (!fun) {
+ return nullptr;
+ }
+
+ if (!fun->isInterpreted()) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_TESTING_SCRIPTS_ONLY);
+ return nullptr;
+ }
+
+ JSScript* script = JSFunction::getOrCreateScript(cx, fun);
+ if (!script) {
+ return nullptr;
+ }
+
+ if (funp) {
+ *funp = fun;
+ }
+
+ return script;
+}
+
+static bool BaselineCompile(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ RootedScript script(cx);
+ if (args.length() == 0) {
+ NonBuiltinScriptFrameIter iter(cx);
+ if (iter.done()) {
+ ReportUsageErrorASCII(cx, callee,
+ "no script argument and no script caller");
+ return false;
+ }
+ script = iter.script();
+ } else {
+ script = TestingFunctionArgumentToScript(cx, args[0]);
+ if (!script) {
+ return false;
+ }
+ }
+
+ bool forceDebug = false;
+ if (args.length() > 1) {
+ if (args.length() > 2) {
+ ReportUsageErrorASCII(cx, callee, "too many arguments");
+ return false;
+ }
+ if (!args[1].isBoolean() && !args[1].isUndefined()) {
+ ReportUsageErrorASCII(
+ cx, callee, "forceDebugInstrumentation argument should be boolean");
+ return false;
+ }
+ forceDebug = ToBoolean(args[1]);
+ }
+
+ const char* returnedStr = nullptr;
+ do {
+ // In order to check for differential behaviour, baselineCompile should have
+ // the same output whether --no-baseline is used or not.
+ if (js::SupportDifferentialTesting()) {
+ returnedStr = "skipped (differential testing)";
+ break;
+ }
+
+ AutoRealm ar(cx, script);
+ if (script->hasBaselineScript()) {
+ if (forceDebug && !script->baselineScript()->hasDebugInstrumentation()) {
+ // There isn't an easy way to do this for a script that might be on
+ // stack right now. See
+ // js::jit::RecompileOnStackBaselineScriptsForDebugMode.
+ ReportUsageErrorASCII(
+ cx, callee, "unsupported case: recompiling script for debug mode");
+ return false;
+ }
+
+ args.rval().setUndefined();
+ return true;
+ }
+
+ if (!jit::IsBaselineJitEnabled(cx)) {
+ returnedStr = "baseline disabled";
+ break;
+ }
+ if (!script->canBaselineCompile()) {
+ returnedStr = "can't compile";
+ break;
+ }
+ if (!cx->realm()->ensureJitRealmExists(cx)) {
+ return false;
+ }
+
+ jit::MethodStatus status = jit::BaselineCompile(cx, script, forceDebug);
+ switch (status) {
+ case jit::Method_Error:
+ return false;
+ case jit::Method_CantCompile:
+ returnedStr = "can't compile";
+ break;
+ case jit::Method_Skipped:
+ returnedStr = "skipped";
+ break;
+ case jit::Method_Compiled:
+ args.rval().setUndefined();
+ }
+ } while (false);
+
+ if (returnedStr) {
+ return ReturnStringCopy(cx, args, returnedStr);
+ }
+
+ return true;
+}
+
+static bool ClearKeptObjects(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ JS::ClearKeptObjects(cx);
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool NumberToDouble(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "numberToDouble", 1)) {
+ return false;
+ }
+
+ if (!args[0].isNumber()) {
+ RootedObject callee(cx, &args.callee());
+ ReportUsageErrorASCII(cx, callee, "argument must be a number");
+ return false;
+ }
+
+ args.rval().setDouble(args[0].toNumber());
+ return true;
+}
+
+static bool GetICUOptions(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ RootedObject info(cx, JS_NewPlainObject(cx));
+ if (!info) {
+ return false;
+ }
+
+#ifdef JS_HAS_INTL_API
+ RootedString str(cx);
+
+ str = NewStringCopy<CanGC>(cx, mozilla::intl::ICU4CLibrary::GetVersion());
+ if (!str || !JS_DefineProperty(cx, info, "version", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ str = NewStringCopy<CanGC>(cx, mozilla::intl::String::GetUnicodeVersion());
+ if (!str || !JS_DefineProperty(cx, info, "unicode", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ str = NewStringCopyZ<CanGC>(cx, mozilla::intl::Locale::GetDefaultLocale());
+ if (!str || !JS_DefineProperty(cx, info, "locale", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ auto tzdataVersion = mozilla::intl::TimeZone::GetTZDataVersion();
+ if (tzdataVersion.isErr()) {
+ intl::ReportInternalError(cx, tzdataVersion.unwrapErr());
+ return false;
+ }
+
+ str = NewStringCopy<CanGC>(cx, tzdataVersion.unwrap());
+ if (!str || !JS_DefineProperty(cx, info, "tzdata", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ intl::FormatBuffer<char16_t, intl::INITIAL_CHAR_BUFFER_SIZE> buf(cx);
+
+ if (auto ok = DateTimeInfo::timeZoneId(DateTimeInfo::ShouldRFP::No, buf);
+ ok.isErr()) {
+ intl::ReportInternalError(cx, ok.unwrapErr());
+ return false;
+ }
+
+ str = buf.toString(cx);
+ if (!str || !JS_DefineProperty(cx, info, "timezone", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+
+ if (auto ok = mozilla::intl::TimeZone::GetHostTimeZone(buf); ok.isErr()) {
+ intl::ReportInternalError(cx, ok.unwrapErr());
+ return false;
+ }
+
+ str = buf.toString(cx);
+ if (!str ||
+ !JS_DefineProperty(cx, info, "host-timezone", str, JSPROP_ENUMERATE)) {
+ return false;
+ }
+#endif
+
+ args.rval().setObject(*info);
+ return true;
+}
+
+static bool GetAvailableLocalesOf(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.requireAtLeast(cx, "getAvailableLocalesOf", 1)) {
+ return false;
+ }
+
+ HandleValue arg = args[0];
+ if (!arg.isString()) {
+ ReportUsageErrorASCII(cx, callee, "First argument must be a string");
+ return false;
+ }
+
+ ArrayObject* result;
+#ifdef JS_HAS_INTL_API
+ using SupportedLocaleKind = js::intl::SharedIntlData::SupportedLocaleKind;
+
+ SupportedLocaleKind kind;
+ {
+ JSLinearString* typeStr = arg.toString()->ensureLinear(cx);
+ if (!typeStr) {
+ return false;
+ }
+
+ if (StringEqualsLiteral(typeStr, "Collator")) {
+ kind = SupportedLocaleKind::Collator;
+ } else if (StringEqualsLiteral(typeStr, "DateTimeFormat")) {
+ kind = SupportedLocaleKind::DateTimeFormat;
+ } else if (StringEqualsLiteral(typeStr, "DisplayNames")) {
+ kind = SupportedLocaleKind::DisplayNames;
+ } else if (StringEqualsLiteral(typeStr, "ListFormat")) {
+ kind = SupportedLocaleKind::ListFormat;
+ } else if (StringEqualsLiteral(typeStr, "NumberFormat")) {
+ kind = SupportedLocaleKind::NumberFormat;
+ } else if (StringEqualsLiteral(typeStr, "PluralRules")) {
+ kind = SupportedLocaleKind::PluralRules;
+ } else if (StringEqualsLiteral(typeStr, "RelativeTimeFormat")) {
+ kind = SupportedLocaleKind::RelativeTimeFormat;
+ } else {
+ ReportUsageErrorASCII(cx, callee, "Unsupported Intl constructor name");
+ return false;
+ }
+ }
+
+ intl::SharedIntlData& sharedIntlData = cx->runtime()->sharedIntlData.ref();
+ result = sharedIntlData.availableLocalesOf(cx, kind);
+#else
+ result = NewDenseEmptyArray(cx);
+#endif
+ if (!result) {
+ return false;
+ }
+
+ args.rval().setObject(*result);
+ return true;
+}
+
+static bool IsSmallFunction(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject callee(cx, &args.callee());
+
+ if (!args.requireAtLeast(cx, "IsSmallFunction", 1)) {
+ return false;
+ }
+
+ HandleValue arg = args[0];
+ if (!arg.isObject() || !arg.toObject().is<JSFunction>()) {
+ ReportUsageErrorASCII(cx, callee, "First argument must be a function");
+ return false;
+ }
+
+ RootedFunction fun(cx, &args[0].toObject().as<JSFunction>());
+ if (!fun->isInterpreted()) {
+ ReportUsageErrorASCII(cx, callee,
+ "First argument must be an interpreted function");
+ return false;
+ }
+
+ JSScript* script = JSFunction::getOrCreateScript(cx, fun);
+ if (!script) {
+ return false;
+ }
+
+ args.rval().setBoolean(jit::JitOptions.isSmallFunction(script));
+ return true;
+}
+
+static bool PCCountProfiling_Start(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JS::StartPCCountProfiling(cx);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool PCCountProfiling_Stop(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JS::StopPCCountProfiling(cx);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool PCCountProfiling_Purge(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ JS::PurgePCCounts(cx);
+
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool PCCountProfiling_ScriptCount(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ size_t length = JS::GetPCCountScriptCount(cx);
+
+ args.rval().setNumber(double(length));
+ return true;
+}
+
+static bool PCCountProfiling_ScriptSummary(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "summary", 1)) {
+ return false;
+ }
+
+ uint32_t index;
+ if (!JS::ToUint32(cx, args[0], &index)) {
+ return false;
+ }
+
+ JSString* str = JS::GetPCCountScriptSummary(cx, index);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+static bool PCCountProfiling_ScriptContents(JSContext* cx, unsigned argc,
+ Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.requireAtLeast(cx, "contents", 1)) {
+ return false;
+ }
+
+ uint32_t index;
+ if (!JS::ToUint32(cx, args[0], &index)) {
+ return false;
+ }
+
+ JSString* str = JS::GetPCCountScriptContents(cx, index);
+ if (!str) {
+ return false;
+ }
+
+ args.rval().setString(str);
+ return true;
+}
+
+static bool NukeCCW(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ if (args.length() != 1 || !args[0].isObject() ||
+ !IsCrossCompartmentWrapper(&args[0].toObject())) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_INVALID_ARGS,
+ "nukeCCW");
+ return false;
+ }
+
+ NukeCrossCompartmentWrapper(cx, &args[0].toObject());
+ args.rval().setUndefined();
+ return true;
+}
+
+static bool FdLibM_Pow(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+
+ double x;
+ if (!JS::ToNumber(cx, args.get(0), &x)) {
+ return false;
+ }
+
+ double y;
+ if (!JS::ToNumber(cx, args.get(1), &y)) {
+ return false;
+ }
+
+ // Because C99 and ECMA specify different behavior for pow(), we need to wrap
+ // the fdlibm call to make it ECMA compliant.
+ if (!std::isfinite(y) && (x == 1.0 || x == -1.0)) {
+ args.rval().setNaN();
+ } else {
+ args.rval().setDouble(fdlibm::pow(x, y));
+ }
+ return true;
+}
+
+// clang-format off
+static const JSFunctionSpecWithHelp TestingFunctions[] = {
+ JS_FN_HELP("gc", ::GC, 0, 0,
+"gc([obj] | 'zone' [, ('shrinking' | 'last-ditch') ])",
+" Run the garbage collector.\n"
+" The first parameter describes which zones to collect: if an object is\n"
+" given, GC only its zone. If 'zone' is given, GC any zones that were\n"
+" scheduled via schedulegc.\n"
+" The second parameter is optional and may be 'shrinking' to perform a\n"
+" shrinking GC or 'last-ditch' for a shrinking, last-ditch GC."),
+
+ JS_FN_HELP("minorgc", ::MinorGC, 0, 0,
+"minorgc([aboutToOverflow])",
+" Run a minor collector on the Nursery. When aboutToOverflow is true, marks\n"
+" the store buffer as about-to-overflow before collecting."),
+
+ JS_FN_HELP("maybegc", ::MaybeGC, 0, 0,
+"maybegc()",
+" Hint to the engine that now is an ok time to run the garbage collector.\n"),
+
+ JS_FN_HELP("gcparam", GCParameter, 2, 0,
+"gcparam(name [, value])",
+" Wrapper for JS_[GS]etGCParameter. The name is one of:" GC_PARAMETER_ARGS_LIST),
+
+ JS_FN_HELP("hasDisassembler", HasDisassembler, 0, 0,
+"hasDisassembler()",
+" Return true if a disassembler is present (for disnative and wasmDis)."),
+
+ JS_FN_HELP("disnative", DisassembleNative, 2, 0,
+"disnative(fun,[path])",
+" Disassemble a function into its native code. Optionally write the native code bytes to a file on disk.\n"),
+
+ JS_FN_HELP("relazifyFunctions", RelazifyFunctions, 0, 0,
+"relazifyFunctions(...)",
+" Perform a GC and allow relazification of functions. Accepts the same\n"
+" arguments as gc()."),
+
+ JS_FN_HELP("getBuildConfiguration", GetBuildConfiguration, 0, 0,
+"getBuildConfiguration()",
+" Return an object describing some of the configuration options SpiderMonkey\n"
+" was built with."),
+
+ JS_FN_HELP("getRealmConfiguration", GetRealmConfiguration, 0, 0,
+"getRealmConfiguration()",
+" Return an object describing some of the runtime options SpiderMonkey\n"
+" is running with."),
+
+ JS_FN_HELP("isLcovEnabled", ::IsLCovEnabled, 0, 0,
+"isLcovEnabled()",
+" Return true if JS LCov support is enabled."),
+
+ JS_FN_HELP("trialInline", TrialInline, 0, 0,
+"trialInline()",
+" Perform trial-inlining for the caller's frame if it's a BaselineFrame."),
+
+ JS_FN_HELP("hasChild", HasChild, 0, 0,
+"hasChild(parent, child)",
+" Return true if |child| is a child of |parent|, as determined by a call to\n"
+" TraceChildren"),
+
+ JS_FN_HELP("setSavedStacksRNGState", SetSavedStacksRNGState, 1, 0,
+"setSavedStacksRNGState(seed)",
+" Set this compartment's SavedStacks' RNG state.\n"),
+
+ JS_FN_HELP("getSavedFrameCount", GetSavedFrameCount, 0, 0,
+"getSavedFrameCount()",
+" Return the number of SavedFrame instances stored in this compartment's\n"
+" SavedStacks cache."),
+
+ JS_FN_HELP("clearSavedFrames", ClearSavedFrames, 0, 0,
+"clearSavedFrames()",
+" Empty the current compartment's cache of SavedFrame objects, so that\n"
+" subsequent stack captures allocate fresh objects to represent frames.\n"
+" Clear the current stack's LiveSavedFrameCaches."),
+
+ JS_FN_HELP("saveStack", SaveStack, 0, 0,
+"saveStack([maxDepth [, compartment]])",
+" Capture a stack. If 'maxDepth' is given, capture at most 'maxDepth' number\n"
+" of frames. If 'compartment' is given, allocate the js::SavedFrame instances\n"
+" with the given object's compartment."),
+
+ JS_FN_HELP("captureFirstSubsumedFrame", CaptureFirstSubsumedFrame, 1, 0,
+"saveStack(object [, shouldIgnoreSelfHosted = true]])",
+" Capture a stack back to the first frame whose principals are subsumed by the\n"
+" object's compartment's principals. If 'shouldIgnoreSelfHosted' is given,\n"
+" control whether self-hosted frames are considered when checking principals."),
+
+ JS_FN_HELP("callFunctionFromNativeFrame", CallFunctionFromNativeFrame, 1, 0,
+"callFunctionFromNativeFrame(function)",
+" Call 'function' with a (C++-)native frame on stack.\n"
+" Required for testing that SaveStack properly handles native frames."),
+
+ JS_FN_HELP("callFunctionWithAsyncStack", CallFunctionWithAsyncStack, 0, 0,
+"callFunctionWithAsyncStack(function, stack, asyncCause)",
+" Call 'function', using the provided stack as the async stack responsible\n"
+" for the call, and propagate its return value or the exception it throws.\n"
+" The function is called with no arguments, and 'this' is 'undefined'. The\n"
+" specified |asyncCause| is attached to the provided stack frame."),
+
+ JS_FN_HELP("enableTrackAllocations", EnableTrackAllocations, 0, 0,
+"enableTrackAllocations()",
+" Start capturing the JS stack at every allocation. Note that this sets an\n"
+" object metadata callback that will override any other object metadata\n"
+" callback that may be set."),
+
+ JS_FN_HELP("disableTrackAllocations", DisableTrackAllocations, 0, 0,
+"disableTrackAllocations()",
+" Stop capturing the JS stack at every allocation."),
+
+ JS_FN_HELP("setTestFilenameValidationCallback", SetTestFilenameValidationCallback, 0, 0,
+"setTestFilenameValidationCallback()",
+" Set the filename validation callback to a callback that accepts only\n"
+" filenames starting with 'safe' or (only in system realms) 'system'."),
+
+ JS_FN_HELP("newObjectWithAddPropertyHook", NewObjectWithAddPropertyHook, 0, 0,
+"newObjectWithAddPropertyHook()",
+" Returns a new object with an addProperty JSClass hook. This hook\n"
+" increments the value of the _propertiesAdded data property on the object\n"
+" when a new property is added."),
+
+ JS_FN_HELP("newObjectWithCallHook", NewObjectWithCallHook, 0, 0,
+"newObjectWithCallHook()",
+" Returns a new object with call/construct JSClass hooks. These hooks return\n"
+" a new object that contains the Values supplied by the caller."),
+
+ JS_FN_HELP("newObjectWithManyReservedSlots", NewObjectWithManyReservedSlots, 0, 0,
+"newObjectWithManyReservedSlots()",
+" Returns a new object with many reserved slots. The slots are initialized to int32\n"
+" values. checkObjectWithManyReservedSlots can be used to check the slots still\n"
+" hold these values."),
+
+ JS_FN_HELP("checkObjectWithManyReservedSlots", CheckObjectWithManyReservedSlots, 1, 0,
+"checkObjectWithManyReservedSlots(obj)",
+" Checks the reserved slots set by newObjectWithManyReservedSlots still hold the expected\n"
+" values."),
+
+ JS_FN_HELP("getWatchtowerLog", GetWatchtowerLog, 0, 0,
+"getWatchtowerLog()",
+" Returns the Watchtower log recording object changes for objects for which\n"
+" addWatchtowerTarget was called. The internal log is cleared. The return\n"
+" value is an array of plain objects with the following properties:\n"
+" - kind: a string describing the kind of mutation, for example \"add-prop\"\n"
+" - object: the object being mutated\n"
+" - extra: an extra value, for example the name of the property being added"),
+
+ JS_FN_HELP("addWatchtowerTarget", AddWatchtowerTarget, 1, 0,
+"addWatchtowerTarget(object)",
+" Invoke the watchtower callback for changes to this object."),
+
+ JS_FN_HELP("newString", NewString, 2, 0,
+"newString(str[, options])",
+" Copies str's chars and returns a new string. Valid options:\n"
+" \n"
+" - tenured: allocate directly into the tenured heap.\n"
+" \n"
+" - twoByte: create a \"two byte\" string, not a latin1 string, regardless of the\n"
+" input string's characters. Latin1 will be used by default if possible\n"
+" (again regardless of the input string.)\n"
+" \n"
+" - external: create an external string. External strings are always twoByte and\n"
+" tenured.\n"
+" \n"
+" - maybeExternal: create an external string, unless the data fits within an\n"
+" inline string. Inline strings may be nursery-allocated."),
+
+ JS_FN_HELP("ensureLinearString", EnsureLinearString, 1, 0,
+"ensureLinearString(str)",
+" Ensures str is a linear (non-rope) string and returns it."),
+
+ JS_FN_HELP("representativeStringArray", RepresentativeStringArray, 0, 0,
+"representativeStringArray()",
+" Returns an array of strings that represent the various internal string\n"
+" types and character encodings."),
+
+#if defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
+
+ JS_FN_HELP("oomThreadTypes", OOMThreadTypes, 0, 0,
+"oomThreadTypes()",
+" Get the number of thread types that can be used as an argument for\n"
+" oomAfterAllocations() and oomAtAllocation()."),
+
+ JS_FN_HELP("oomAfterAllocations", OOMAfterAllocations, 2, 0,
+"oomAfterAllocations(count [,threadType])",
+" After 'count' js_malloc memory allocations, fail every following allocation\n"
+" (return nullptr). The optional thread type limits the effect to the\n"
+" specified type of helper thread."),
+
+ JS_FN_HELP("oomAtAllocation", OOMAtAllocation, 2, 0,
+"oomAtAllocation(count [,threadType])",
+" After 'count' js_malloc memory allocations, fail the next allocation\n"
+" (return nullptr). The optional thread type limits the effect to the\n"
+" specified type of helper thread."),
+
+ JS_FN_HELP("resetOOMFailure", ResetOOMFailure, 0, 0,
+"resetOOMFailure()",
+" Remove the allocation failure scheduled by either oomAfterAllocations() or\n"
+" oomAtAllocation() and return whether any allocation had been caused to fail."),
+
+ JS_FN_HELP("oomTest", OOMTest, 0, 0,
+"oomTest(function, [expectExceptionOnFailure = true | options])",
+" Test that the passed function behaves correctly under OOM conditions by\n"
+" repeatedly executing it and simulating allocation failure at successive\n"
+" allocations until the function completes without seeing a failure.\n"
+" By default this tests that an exception is raised if execution fails, but\n"
+" this can be disabled by passing false as the optional second parameter.\n"
+" This is also disabled when --fuzzing-safe is specified.\n"
+" Alternatively an object can be passed to set the following options:\n"
+" expectExceptionOnFailure: bool - as described above.\n"
+" keepFailing: bool - continue to fail after first simulated failure.\n"
+"\n"
+" WARNING: By design, oomTest assumes the test-function follows the same\n"
+" code path each time it is called, right up to the point where OOM occurs.\n"
+" If on iteration 70 it finishes and caches a unit of work that saves 65\n"
+" allocations the next time we run, then the subsequent 65 allocation\n"
+" points will go untested.\n"
+"\n"
+" Things in this category include lazy parsing and baseline compilation,\n"
+" so it is very easy to accidentally write an oomTest that only tests one\n"
+" or the other of those, and not the functionality you meant to test!\n"
+" To avoid lazy parsing, call the test function once first before passing\n"
+" it to oomTest. The jits can be disabled via the test harness.\n"),
+
+ JS_FN_HELP("stackTest", StackTest, 0, 0,
+"stackTest(function, [expectExceptionOnFailure = true])",
+" This function behaves exactly like oomTest with the difference that\n"
+" instead of simulating regular OOM conditions, it simulates the engine\n"
+" running out of stack space (failing recursion check).\n"
+"\n"
+" See the WARNING in help('oomTest').\n"),
+
+ JS_FN_HELP("interruptTest", InterruptTest, 0, 0,
+"interruptTest(function)",
+" This function simulates interrupts similar to how oomTest simulates OOM conditions."
+"\n"
+" See the WARNING in help('oomTest').\n"),
+
+#endif // defined(DEBUG) || defined(JS_OOM_BREAKPOINT)
+
+ JS_FN_HELP("newRope", NewRope, 3, 0,
+"newRope(left, right[, options])",
+" Creates a rope with the given left/right strings.\n"
+" Available options:\n"
+" nursery: bool - force the string to be created in/out of the nursery, if possible.\n"),
+
+ JS_FN_HELP("isRope", IsRope, 1, 0,
+"isRope(str)",
+" Returns true if the parameter is a rope"),
+
+ JS_FN_HELP("settlePromiseNow", SettlePromiseNow, 1, 0,
+"settlePromiseNow(promise)",
+" 'Settle' a 'promise' immediately. This just marks the promise as resolved\n"
+" with a value of `undefined` and causes the firing of any onPromiseSettled\n"
+" hooks set on Debugger instances that are observing the given promise's\n"
+" global as a debuggee."),
+ JS_FN_HELP("getWaitForAllPromise", GetWaitForAllPromise, 1, 0,
+"getWaitForAllPromise(densePromisesArray)",
+" Calls the 'GetWaitForAllPromise' JSAPI function and returns the result\n"
+" Promise."),
+JS_FN_HELP("resolvePromise", ResolvePromise, 2, 0,
+"resolvePromise(promise, resolution)",
+" Resolve a Promise by calling the JSAPI function JS::ResolvePromise."),
+JS_FN_HELP("rejectPromise", RejectPromise, 2, 0,
+"rejectPromise(promise, reason)",
+" Reject a Promise by calling the JSAPI function JS::RejectPromise."),
+
+ JS_FN_HELP("makeFinalizeObserver", MakeFinalizeObserver, 0, 0,
+"makeFinalizeObserver()",
+" Get a special object whose finalization increases the counter returned\n"
+" by the finalizeCount function."),
+
+ JS_FN_HELP("finalizeCount", FinalizeCount, 0, 0,
+"finalizeCount()",
+" Return the current value of the finalization counter that is incremented\n"
+" each time an object returned by the makeFinalizeObserver is finalized."),
+
+ JS_FN_HELP("resetFinalizeCount", ResetFinalizeCount, 0, 0,
+"resetFinalizeCount()",
+" Reset the value returned by finalizeCount()."),
+
+ JS_FN_HELP("gcPreserveCode", GCPreserveCode, 0, 0,
+"gcPreserveCode()",
+" Preserve JIT code during garbage collections."),
+
+#ifdef JS_GC_ZEAL
+ JS_FN_HELP("gczeal", GCZeal, 2, 0,
+"gczeal(mode, [frequency])",
+gc::ZealModeHelpText),
+
+ JS_FN_HELP("unsetgczeal", UnsetGCZeal, 2, 0,
+"unsetgczeal(mode)",
+" Turn off a single zeal mode set with gczeal() and don't finish any ongoing\n"
+" collection that may be happening."),
+
+ JS_FN_HELP("schedulegc", ScheduleGC, 1, 0,
+"schedulegc([num])",
+" If num is given, schedule a GC after num allocations.\n"
+" Returns the number of allocations before the next trigger."),
+
+ JS_FN_HELP("selectforgc", SelectForGC, 0, 0,
+"selectforgc(obj1, obj2, ...)",
+" Schedule the given objects to be marked in the next GC slice."),
+
+ JS_FN_HELP("verifyprebarriers", VerifyPreBarriers, 0, 0,
+"verifyprebarriers()",
+" Start or end a run of the pre-write barrier verifier."),
+
+ JS_FN_HELP("verifypostbarriers", VerifyPostBarriers, 0, 0,
+"verifypostbarriers()",
+" Does nothing (the post-write barrier verifier has been remove)."),
+
+ JS_FN_HELP("currentgc", CurrentGC, 0, 0,
+"currentgc()",
+" Report various information about the currently running incremental GC,\n"
+" if one is running."),
+
+ JS_FN_HELP("deterministicgc", DeterministicGC, 1, 0,
+"deterministicgc(true|false)",
+" If true, only allow determinstic GCs to run."),
+
+ JS_FN_HELP("dumpGCArenaInfo", DumpGCArenaInfo, 0, 0,
+"dumpGCArenaInfo()",
+" Prints information about the different GC things and how they are arranged\n"
+" in arenas.\n"),
+
+ JS_FN_HELP("setMarkStackLimit", SetMarkStackLimit, 1, 0,
+"markStackLimit(limit)",
+" Sets a limit on the number of words used for the mark stack. Used to test OOM"
+" handling during marking.\n"),
+
+#endif
+
+ JS_FN_HELP("gcstate", GCState, 0, 0,
+"gcstate([obj])",
+" Report the global GC state, or the GC state for the zone containing |obj|."),
+
+ JS_FN_HELP("schedulezone", ScheduleZoneForGC, 1, 0,
+"schedulezone([obj | string])",
+" If obj is given, schedule a GC of obj's zone.\n"
+" If string is given, schedule a GC of the string's zone if possible."),
+
+ JS_FN_HELP("startgc", StartGC, 1, 0,
+"startgc([n [, 'shrinking']])",
+" Start an incremental GC and run a slice that processes about n objects.\n"
+" If 'shrinking' is passesd as the optional second argument, perform a\n"
+" shrinking GC rather than a normal GC. If no zones have been selected with\n"
+" schedulezone(), a full GC will be performed."),
+
+ JS_FN_HELP("finishgc", FinishGC, 0, 0,
+"finishgc()",
+" Finish an in-progress incremental GC, if none is running then do nothing."),
+
+ JS_FN_HELP("gcslice", GCSlice, 1, 0,
+"gcslice([n [, options]])",
+" Start or continue an an incremental GC, running a slice that processes\n"
+" about n objects. Takes an optional options object, which may contain the\n"
+" following properties:\n"
+" dontStart: do not start a new incremental GC if one is not already\n"
+" running"),
+
+ JS_FN_HELP("abortgc", AbortGC, 1, 0,
+"abortgc()",
+" Abort the current incremental GC."),
+
+ JS_FN_HELP("setMallocMaxDirtyPageModifier", SetMallocMaxDirtyPageModifier, 1, 0,
+"setMallocMaxDirtyPageModifier(value)",
+" Change the maximum size of jemalloc's page cache. The value should be between\n"
+" -5 and 16 (inclusive). See moz_set_max_dirty_page_modifier.\n"),
+
+ JS_FN_HELP("fullcompartmentchecks", FullCompartmentChecks, 1, 0,
+"fullcompartmentchecks(true|false)",
+" If true, check for compartment mismatches before every GC."),
+
+ JS_FN_HELP("nondeterministicGetWeakMapKeys", NondeterministicGetWeakMapKeys, 1, 0,
+"nondeterministicGetWeakMapKeys(weakmap)",
+" Return an array of the keys in the given WeakMap."),
+
+ JS_FN_HELP("internalConst", InternalConst, 1, 0,
+"internalConst(name)",
+" Query an internal constant for the engine. See InternalConst source for\n"
+" the list of constant names."),
+
+ JS_FN_HELP("isProxy", IsProxy, 1, 0,
+"isProxy(obj)",
+" If true, obj is a proxy of some sort"),
+
+ JS_FN_HELP("dumpHeap", DumpHeap, 1, 0,
+"dumpHeap([filename])",
+" Dump reachable and unreachable objects to the named file, or to stdout. Objects\n"
+" in the nursery are ignored, so if you wish to include them, consider calling\n"
+" minorgc() first."),
+
+ JS_FN_HELP("terminate", Terminate, 0, 0,
+"terminate()",
+" Terminate JavaScript execution, as if we had run out of\n"
+" memory or been terminated by the slow script dialog."),
+
+ JS_FN_HELP("readGeckoProfilingStack", ReadGeckoProfilingStack, 0, 0,
+"readGeckoProfilingStack()",
+" Reads the JIT/Wasm stack using ProfilingFrameIterator. Skips non-JIT/Wasm frames."),
+
+ JS_FN_HELP("readGeckoInterpProfilingStack", ReadGeckoInterpProfilingStack, 0, 0,
+"readGeckoInterpProfilingStack()",
+" Reads the C++ interpreter profiling stack. Skips JIT/Wasm frames."),
+
+ JS_FN_HELP("enableOsiPointRegisterChecks", EnableOsiPointRegisterChecks, 0, 0,
+"enableOsiPointRegisterChecks()",
+" Emit extra code to verify live regs at the start of a VM call are not\n"
+" modified before its OsiPoint."),
+
+ JS_FN_HELP("displayName", DisplayName, 1, 0,
+"displayName(fn)",
+" Gets the display name for a function, which can possibly be a guessed or\n"
+" inferred name based on where the function was defined. This can be\n"
+" different from the 'name' property on the function."),
+
+ JS_FN_HELP("isAsmJSCompilationAvailable", IsAsmJSCompilationAvailable, 0, 0,
+"isAsmJSCompilationAvailable",
+" Returns whether asm.js compilation is currently available or whether it is disabled\n"
+" (e.g., by the debugger)."),
+
+ JS_FN_HELP("getJitCompilerOptions", GetJitCompilerOptions, 0, 0,
+"getJitCompilerOptions()",
+" Return an object describing some of the JIT compiler options.\n"),
+
+ JS_FN_HELP("isAsmJSModule", IsAsmJSModule, 1, 0,
+"isAsmJSModule(fn)",
+" Returns whether the given value is a function containing \"use asm\" that has been\n"
+" validated according to the asm.js spec."),
+
+ JS_FN_HELP("isAsmJSFunction", IsAsmJSFunction, 1, 0,
+"isAsmJSFunction(fn)",
+" Returns whether the given value is a nested function in an asm.js module that has been\n"
+" both compile- and link-time validated."),
+
+ JS_FN_HELP("isAvxPresent", IsAvxPresent, 0, 0,
+"isAvxPresent([minVersion])",
+" Returns whether AVX is present and enabled. If minVersion specified,\n"
+" use 1 - to check if AVX is enabled (default), 2 - if AVX2 is enabled."),
+
+ JS_FN_HELP("wasmIsSupported", WasmIsSupported, 0, 0,
+"wasmIsSupported()",
+" Returns a boolean indicating whether WebAssembly is supported on the current device."),
+
+ JS_FN_HELP("wasmIsSupportedByHardware", WasmIsSupportedByHardware, 0, 0,
+"wasmIsSupportedByHardware()",
+" Returns a boolean indicating whether WebAssembly is supported on the current hardware (regardless of whether we've enabled support)."),
+
+ JS_FN_HELP("wasmDebuggingEnabled", WasmDebuggingEnabled, 0, 0,
+"wasmDebuggingEnabled()",
+" Returns a boolean indicating whether WebAssembly debugging is supported on the current device;\n"
+" returns false also if WebAssembly is not supported"),
+
+ JS_FN_HELP("wasmStreamingEnabled", WasmStreamingEnabled, 0, 0,
+"wasmStreamingEnabled()",
+" Returns a boolean indicating whether WebAssembly caching is supported by the runtime."),
+
+ JS_FN_HELP("wasmCachingEnabled", WasmCachingEnabled, 0, 0,
+"wasmCachingEnabled()",
+" Returns a boolean indicating whether WebAssembly caching is supported by the runtime."),
+
+ JS_FN_HELP("wasmHugeMemorySupported", WasmHugeMemorySupported, 0, 0,
+"wasmHugeMemorySupported()",
+" Returns a boolean indicating whether WebAssembly supports using a large"
+" virtual memory reservation in order to elide bounds checks on this platform."),
+
+ JS_FN_HELP("wasmMaxMemoryPages", WasmMaxMemoryPages, 1, 0,
+"wasmMaxMemoryPages(indexType)",
+" Returns an int with the maximum number of pages that can be allocated to a memory."
+" This is an implementation artifact that does depend on the index type, the hardware,"
+" the operating system, the build configuration, and flags. The result is constant for"
+" a given combination of those; there is no guarantee that that size allocation will"
+" always succeed, only that it can succeed in principle. The indexType is a string,"
+" 'i32' or 'i64'."),
+
+#define WASM_FEATURE(NAME, ...) \
+ JS_FN_HELP("wasm" #NAME "Enabled", Wasm##NAME##Enabled, 0, 0, \
+"wasm" #NAME "Enabled()", \
+" Returns a boolean indicating whether the WebAssembly " #NAME " proposal is enabled."),
+JS_FOR_WASM_FEATURES(WASM_FEATURE, WASM_FEATURE, WASM_FEATURE)
+#undef WASM_FEATURE
+
+ JS_FN_HELP("wasmThreadsEnabled", WasmThreadsEnabled, 0, 0,
+"wasmThreadsEnabled()",
+" Returns a boolean indicating whether the WebAssembly threads proposal is\n"
+" supported on the current device."),
+
+ JS_FN_HELP("wasmSimdEnabled", WasmSimdEnabled, 0, 0,
+"wasmSimdEnabled()",
+" Returns a boolean indicating whether WebAssembly SIMD proposal is\n"
+" supported by the current device."),
+
+#if defined(ENABLE_WASM_SIMD) && defined(DEBUG)
+ JS_FN_HELP("wasmSimdAnalysis", WasmSimdAnalysis, 1, 0,
+"wasmSimdAnalysis(...)",
+" Unstable API for white-box testing.\n"),
+#endif
+
+ JS_FN_HELP("wasmGlobalFromArrayBuffer", WasmGlobalFromArrayBuffer, 2, 0,
+"wasmGlobalFromArrayBuffer(type, arrayBuffer)",
+" Create a WebAssembly.Global object from a provided ArrayBuffer. The type\n"
+" must be POD (i32, i64, f32, f64, v128). The buffer must be the same\n"
+" size as the type in bytes.\n"),
+ JS_FN_HELP("wasmGlobalExtractLane", WasmGlobalExtractLane, 3, 0,
+"wasmGlobalExtractLane(global, laneInterp, laneIndex)",
+" Extract a lane from a WebAssembly.Global object that contains a v128 value\n"
+" and return it as a new WebAssembly.Global object of the appropriate type.\n"
+" The supported laneInterp values are i32x4, i64x2, f32x4, and\n"
+" f64x2.\n"),
+ JS_FN_HELP("wasmGlobalsEqual", WasmGlobalsEqual, 2, 0,
+"wasmGlobalsEqual(globalA, globalB)",
+" Compares two WebAssembly.Global objects for if their types and values are\n"
+" equal. Mutability is not compared. Floating point values are compared for\n"
+" bitwise equality, not IEEE 754 equality.\n"),
+ JS_FN_HELP("wasmGlobalIsNaN", WasmGlobalIsNaN, 2, 0,
+"wasmGlobalIsNaN(global, flavor)",
+" Compares a floating point WebAssembly.Global object for if its value is a\n"
+" specific NaN flavor. Valid flavors are `arithmetic_nan` and `canonical_nan`.\n"),
+ JS_FN_HELP("wasmGlobalToString", WasmGlobalToString, 1, 0,
+"wasmGlobalToString(global)",
+" Returns a debug representation of the contents of a WebAssembly.Global\n"
+" object.\n"),
+ JS_FN_HELP("wasmLosslessInvoke", WasmLosslessInvoke, 1, 0,
+"wasmLosslessInvoke(wasmFunc, args...)",
+" Invokes the provided WebAssembly function using a modified conversion\n"
+" function that allows providing a param as a WebAssembly.Global and\n"
+" returning a result as a WebAssembly.Global.\n"),
+
+ JS_FN_HELP("wasmCompilersPresent", WasmCompilersPresent, 0, 0,
+"wasmCompilersPresent()",
+" Returns a string indicating the present wasm compilers: a comma-separated list\n"
+" of 'baseline', 'ion'. A compiler is present in the executable if it is compiled\n"
+" in and can generate code for the current architecture."),
+
+ JS_FN_HELP("wasmCompileMode", WasmCompileMode, 0, 0,
+"wasmCompileMode()",
+" Returns a string indicating the available wasm compilers: 'baseline', 'ion',\n"
+" 'baseline+ion', or 'none'. A compiler is available if it is present in the\n"
+" executable and not disabled by switches or runtime conditions. At most one\n"
+" baseline and one optimizing compiler can be available."),
+
+ JS_FN_HELP("wasmBaselineDisabledByFeatures", WasmBaselineDisabledByFeatures, 0, 0,
+"wasmBaselineDisabledByFeatures()",
+" If some feature is enabled at compile-time or run-time that prevents baseline\n"
+" from being used then this returns a truthy string describing the features that\n."
+" are disabling it. Otherwise it returns false."),
+
+ JS_FN_HELP("wasmIonDisabledByFeatures", WasmIonDisabledByFeatures, 0, 0,
+"wasmIonDisabledByFeatures()",
+" If some feature is enabled at compile-time or run-time that prevents Ion\n"
+" from being used then this returns a truthy string describing the features that\n."
+" are disabling it. Otherwise it returns false."),
+
+ JS_FN_HELP("wasmExtractCode", WasmExtractCode, 1, 0,
+"wasmExtractCode(module[, tier])",
+" Extracts generated machine code from WebAssembly.Module. The tier is a string,\n"
+" 'stable', 'best', 'baseline', or 'ion'; the default is 'stable'. If the request\n"
+" cannot be satisfied then null is returned. If the request is 'ion' then block\n"
+" until background compilation is complete."),
+
+ JS_FN_HELP("wasmDis", WasmDisassemble, 1, 0,
+"wasmDis(wasmObject[, options])\n",
+" Disassembles generated machine code from an exported WebAssembly function,\n"
+" or from all the functions defined in the module or instance, exported and not.\n"
+" The `options` is an object with the following optional keys:\n"
+" asString: boolean - if true, return a string rather than printing on stderr,\n"
+" the default is false.\n"
+" tier: string - one of 'stable', 'best', 'baseline', or 'ion'; the default is\n"
+" 'stable'.\n"
+" kinds: string - if set, and the wasmObject is a module or instance, a\n"
+" comma-separated list of the following keys, the default is `Function`:\n"
+" Function - functions defined in the module\n"
+" InterpEntry - C++-to-wasm stubs\n"
+" JitEntry - jitted-js-to-wasm stubs\n"
+" ImportInterpExit - wasm-to-C++ stubs\n"
+" ImportJitExit - wasm-to-jitted-JS stubs\n"
+" all - all kinds, including obscure ones\n"),
+
+ JS_FN_HELP("wasmHasTier2CompilationCompleted", WasmHasTier2CompilationCompleted, 1, 0,
+"wasmHasTier2CompilationCompleted(module)",
+" Returns a boolean indicating whether a given module has finished compiled code for tier2. \n"
+"This will return true early if compilation isn't two-tiered. "),
+
+ JS_FN_HELP("wasmLoadedFromCache", WasmLoadedFromCache, 1, 0,
+"wasmLoadedFromCache(module)",
+" Returns a boolean indicating whether a given module was deserialized directly from a\n"
+" cache (as opposed to compiled from bytecode)."),
+
+ JS_FN_HELP("wasmIntrinsicI8VecMul", WasmIntrinsicI8VecMul, 0, 0,
+"wasmIntrinsicI8VecMul()",
+" Returns a module that implements an i8 vector pairwise multiplication intrinsic."),
+
+ JS_FN_HELP("largeArrayBufferSupported", LargeArrayBufferSupported, 0, 0,
+"largeArrayBufferSupported()",
+" Returns true if array buffers larger than 2GB can be allocated."),
+
+ JS_FN_HELP("isLazyFunction", IsLazyFunction, 1, 0,
+"isLazyFunction(fun)",
+" True if fun is a lazy JSFunction."),
+
+ JS_FN_HELP("isRelazifiableFunction", IsRelazifiableFunction, 1, 0,
+"isRelazifiableFunction(fun)",
+" True if fun is a JSFunction with a relazifiable JSScript."),
+
+ JS_FN_HELP("hasSameBytecodeData", HasSameBytecodeData, 2, 0,
+"hasSameBytecodeData(fun1, fun2)",
+" True if fun1 and fun2 share the same copy of bytecode data. This will\n"
+" delazify the function if necessary."),
+
+ JS_FN_HELP("enableShellAllocationMetadataBuilder", EnableShellAllocationMetadataBuilder, 0, 0,
+"enableShellAllocationMetadataBuilder()",
+" Use ShellAllocationMetadataBuilder to supply metadata for all newly created objects."),
+
+ JS_FN_HELP("getAllocationMetadata", GetAllocationMetadata, 1, 0,
+"getAllocationMetadata(obj)",
+" Get the metadata for an object."),
+
+ JS_INLINABLE_FN_HELP("bailout", testingFunc_bailout, 0, 0, TestBailout,
+"bailout()",
+" Force a bailout out of ionmonkey (if running in ionmonkey)."),
+
+ JS_FN_HELP("bailAfter", testingFunc_bailAfter, 1, 0,
+"bailAfter(number)",
+" Start a counter to bail once after passing the given amount of possible bailout positions in\n"
+" ionmonkey.\n"),
+
+ JS_FN_HELP("invalidate", testingFunc_invalidate, 0, 0,
+"invalidate()",
+" Force an immediate invalidation (if running in Warp)."),
+
+ JS_FN_HELP("inJit", testingFunc_inJit, 0, 0,
+"inJit()",
+" Returns true when called within (jit-)compiled code. When jit compilation is disabled this\n"
+" function returns an error string. This function returns false in all other cases.\n"
+" Depending on truthiness, you should continue to wait for compilation to happen or stop execution.\n"),
+
+ JS_FN_HELP("inIon", testingFunc_inIon, 0, 0,
+"inIon()",
+" Returns true when called within ion. When ion is disabled or when compilation is abnormally\n"
+" slow to start, this function returns an error string. Otherwise, this function returns false.\n"
+" This behaviour ensures that a falsy value means that we are not in ion, but expect a\n"
+" compilation to occur in the future. Conversely, a truthy value means that we are either in\n"
+" ion or that there is litle or no chance of ion ever compiling the current script."),
+
+ JS_FN_HELP("assertJitStackInvariants", TestingFunc_assertJitStackInvariants, 0, 0,
+"assertJitStackInvariants()",
+" Iterates the Jit stack and check that stack invariants hold."),
+
+ JS_FN_HELP("setIonCheckGraphCoherency", SetIonCheckGraphCoherency, 1, 0,
+"setIonCheckGraphCoherency(bool)",
+" Set whether Ion should perform graph consistency (DEBUG-only) assertions. These assertions\n"
+" are valuable and should be generally enabled, however they can be very expensive for large\n"
+" (wasm) programs."),
+
+ JS_FN_HELP("serialize", testingFunc_serialize, 1, 0,
+"serialize(data, [transferables, [policy]])",
+" Serialize 'data' using JS_WriteStructuredClone. Returns a structured\n"
+" clone buffer object. 'policy' may be an options hash. Valid keys:\n"
+" 'SharedArrayBuffer' - either 'allow' or 'deny' (the default)\n"
+" to specify whether SharedArrayBuffers may be serialized.\n"
+" 'scope' - SameProcess, DifferentProcess, or\n"
+" DifferentProcessForIndexedDB. Determines how some values will be\n"
+" serialized. Clone buffers may only be deserialized with a compatible\n"
+" scope. NOTE - For DifferentProcess/DifferentProcessForIndexedDB,\n"
+" must also set SharedArrayBuffer:'deny' if data contains any shared memory\n"
+" object."),
+
+ JS_FN_HELP("deserialize", Deserialize, 1, 0,
+"deserialize(clonebuffer[, opts])",
+" Deserialize data generated by serialize. 'opts' may be an options hash.\n"
+" Valid keys:\n"
+" 'SharedArrayBuffer' - either 'allow' or 'deny' (the default)\n"
+" to specify whether SharedArrayBuffers may be serialized.\n"
+" 'scope', which limits the clone buffers that are considered\n"
+" valid. Allowed values: ''SameProcess', 'DifferentProcess',\n"
+" and 'DifferentProcessForIndexedDB'. So for example, a\n"
+" DifferentProcessForIndexedDB clone buffer may be deserialized in any scope, but\n"
+" a SameProcess clone buffer cannot be deserialized in a\n"
+" DifferentProcess scope."),
+
+ JS_FN_HELP("detachArrayBuffer", DetachArrayBuffer, 1, 0,
+"detachArrayBuffer(buffer)",
+" Detach the given ArrayBuffer object from its memory, i.e. as if it\n"
+" had been transferred to a WebWorker."),
+
+ JS_FN_HELP("makeSerializable", MakeSerializable, 1, 0,
+"makeSerializable(numeric id, [behavior])",
+" Make a custom serializable, transferable object. It will have a single accessor\n"
+" obj.log that will give a history of all operations on all such objects in the\n"
+" current thread as an array [id, action, id, action, ...] where the id\n"
+" is the number passed into this function, and the action is one of:\n"
+" ? - the canTransfer() hook was called.\n"
+" w - the write() hook was called.\n"
+" W - the writeTransfer() hook was called.\n"
+" R - the readTransfer() hook was called.\n"
+" r - the read() hook was called.\n"
+" F - the freeTransfer() hook was called.\n"
+" The `behavior` parameter can be used to force a failure during processing:\n"
+" 1 - fail during readTransfer() hook\n"
+" 2 - fail during read() hook\n"
+" Set the log to null to clear it."),
+
+ JS_FN_HELP("helperThreadCount", HelperThreadCount, 0, 0,
+"helperThreadCount()",
+" Returns the number of helper threads available for off-thread tasks."),
+
+ JS_FN_HELP("createShapeSnapshot", CreateShapeSnapshot, 1, 0,
+"createShapeSnapshot(obj)",
+" Returns an object containing a shape snapshot for use with\n"
+" checkShapeSnapshot.\n"),
+
+ JS_FN_HELP("checkShapeSnapshot", CheckShapeSnapshot, 2, 0,
+"checkShapeSnapshot(snapshot, [obj])",
+" Check shape invariants based on the given snapshot and optional object.\n"
+" If there's no object argument, the snapshot's object is used.\n"),
+
+ JS_FN_HELP("enableShapeConsistencyChecks", EnableShapeConsistencyChecks, 0, 0,
+"enableShapeConsistencyChecks()",
+" Enable some slow Shape assertions.\n"),
+
+ JS_FN_HELP("reportOutOfMemory", ReportOutOfMemory, 0, 0,
+"reportOutOfMemory()",
+" Report OOM, then clear the exception and return undefined. For crash testing."),
+
+ JS_FN_HELP("throwOutOfMemory", ThrowOutOfMemory, 0, 0,
+"throwOutOfMemory()",
+" Throw out of memory exception, for OOM handling testing."),
+
+ JS_FN_HELP("reportLargeAllocationFailure", ReportLargeAllocationFailure, 0, 0,
+"reportLargeAllocationFailure([bytes])",
+" Call the large allocation failure callback, as though a large malloc call failed,\n"
+" then return undefined. In Gecko, this sends a memory pressure notification, which\n"
+" can free up some memory."),
+
+ JS_FN_HELP("findPath", FindPath, 2, 0,
+"findPath(start, target)",
+" Return an array describing one of the shortest paths of GC heap edges from\n"
+" |start| to |target|, or |undefined| if |target| is unreachable from |start|.\n"
+" Each element of the array is either of the form:\n"
+" { node: <object or string>, edge: <string describing edge from node> }\n"
+" if the node is a JavaScript object or value; or of the form:\n"
+" { type: <string describing node>, edge: <string describing edge> }\n"
+" if the node is some internal thing that is not a proper JavaScript value\n"
+" (like a shape or a scope chain element). The destination of the i'th array\n"
+" element's edge is the node of the i+1'th array element; the destination of\n"
+" the last array element is implicitly |target|.\n"),
+
+#if defined(DEBUG) || defined(JS_JITSPEW)
+ JS_FN_HELP("dumpObject", DumpObject, 1, 0,
+"dumpObject()",
+" Dump an internal representation of an object."),
+#endif
+
+ JS_FN_HELP("sharedMemoryEnabled", SharedMemoryEnabled, 0, 0,
+"sharedMemoryEnabled()",
+" Return true if SharedArrayBuffer and Atomics are enabled"),
+
+ JS_FN_HELP("sharedArrayRawBufferRefcount", SharedArrayRawBufferRefcount, 0, 0,
+"sharedArrayRawBufferRefcount(sab)",
+" Return the reference count of the SharedArrayRawBuffer object held by sab"),
+
+#ifdef NIGHTLY_BUILD
+ JS_FN_HELP("objectAddress", ObjectAddress, 1, 0,
+"objectAddress(obj)",
+" Return the current address of the object. For debugging only--this\n"
+" address may change during a moving GC."),
+
+ JS_FN_HELP("sharedAddress", SharedAddress, 1, 0,
+"sharedAddress(obj)",
+" Return the address of the shared storage of a SharedArrayBuffer."),
+#endif
+
+ JS_FN_HELP("hasInvalidatedTeleporting", HasInvalidatedTeleporting, 1, 0,
+"hasInvalidatedTeleporting(obj)",
+" Return true if the shape teleporting optimization has been disabled for |obj|."),
+
+ JS_FN_HELP("evalReturningScope", EvalReturningScope, 1, 0,
+"evalReturningScope(scriptStr, [global])",
+" Evaluate the script in a new scope and return the scope.\n"
+" If |global| is present, clone the script to |global| before executing."),
+
+ JS_FN_HELP("backtrace", DumpBacktrace, 1, 0,
+"backtrace()",
+" Dump out a brief backtrace."),
+
+ JS_FN_HELP("getBacktrace", GetBacktrace, 1, 0,
+"getBacktrace([options])",
+" Return the current stack as a string. Takes an optional options object,\n"
+" which may contain any or all of the boolean properties:\n"
+" options.args - show arguments to each function\n"
+" options.locals - show local variables in each frame\n"
+" options.thisprops - show the properties of the 'this' object of each frame\n"),
+
+ JS_FN_HELP("byteSize", ByteSize, 1, 0,
+"byteSize(value)",
+" Return the size in bytes occupied by |value|, or |undefined| if value\n"
+" is not allocated in memory.\n"),
+
+ JS_FN_HELP("byteSizeOfScript", ByteSizeOfScript, 1, 0,
+"byteSizeOfScript(f)",
+" Return the size in bytes occupied by the function |f|'s JSScript.\n"),
+
+ JS_FN_HELP("setImmutablePrototype", SetImmutablePrototype, 1, 0,
+"setImmutablePrototype(obj)",
+" Try to make obj's [[Prototype]] immutable, such that subsequent attempts to\n"
+" change it will fail. Return true if obj's [[Prototype]] was successfully made\n"
+" immutable (or if it already was immutable), false otherwise. Throws in case\n"
+" of internal error, or if the operation doesn't even make sense (for example,\n"
+" because the object is a revoked proxy)."),
+
+#ifdef DEBUG
+ JS_FN_HELP("dumpStringRepresentation", DumpStringRepresentation, 1, 0,
+"dumpStringRepresentation(str)",
+" Print a human-readable description of how the string |str| is represented.\n"),
+
+ JS_FN_HELP("stringRepresentation", GetStringRepresentation, 1, 0,
+"stringRepresentation(str)",
+" Return a human-readable description of how the string |str| is represented.\n"),
+
+#endif
+
+ JS_FN_HELP("allocationMarker", AllocationMarker, 0, 0,
+"allocationMarker([options])",
+" Return a freshly allocated object whose [[Class]] name is\n"
+" \"AllocationMarker\". Such objects are allocated only by calls\n"
+" to this function, never implicitly by the system, making them\n"
+" suitable for use in allocation tooling tests. Takes an optional\n"
+" options object which may contain the following properties:\n"
+" * nursery: bool, whether to allocate the object in the nursery\n"),
+
+ JS_FN_HELP("setGCCallback", SetGCCallback, 1, 0,
+"setGCCallback({action:\"...\", options...})",
+" Set the GC callback. action may be:\n"
+" 'minorGC' - run a nursery collection\n"
+" 'majorGC' - run a major collection, nesting up to a given 'depth'\n"),
+
+#ifdef DEBUG
+ JS_FN_HELP("enqueueMark", EnqueueMark, 1, 0,
+"enqueueMark(obj|string)",
+" Add an object to the queue of objects to mark at the beginning every GC. (Note\n"
+" that the objects will actually be marked at the beginning of every slice, but\n"
+" after the first slice they will already be marked so nothing will happen.)\n"
+" \n"
+" Instead of an object, a few magic strings may be used:\n"
+" 'yield' - cause the current marking slice to end, as if the mark budget were\n"
+" exceeded.\n"
+" 'enter-weak-marking-mode' - divide the list into two segments. The items after\n"
+" this string will not be marked until we enter weak marking mode. Note that weak\n"
+" marking mode may be entered zero or multiple times for one GC.\n"
+" 'abort-weak-marking-mode' - same as above, but then abort weak marking to fall back\n"
+" on the old iterative marking code path.\n"
+" 'drain' - fully drain the mark stack before continuing.\n"
+" 'set-color-black' - force everything following in the mark queue to be marked black.\n"
+" 'set-color-gray' - continue with the regular GC until gray marking is possible, then force\n"
+" everything following in the mark queue to be marked gray.\n"
+" 'unset-color' - stop forcing the mark color."),
+
+ JS_FN_HELP("clearMarkQueue", ClearMarkQueue, 0, 0,
+"clearMarkQueue()",
+" Cancel the special marking of all objects enqueue with enqueueMark()."),
+
+ JS_FN_HELP("getMarkQueue", GetMarkQueue, 0, 0,
+"getMarkQueue()",
+" Return the current mark queue set up via enqueueMark calls. Note that all\n"
+" returned values will be wrapped into the current compartment, so this loses\n"
+" some fidelity."),
+#endif // DEBUG
+
+ JS_FN_HELP("nurseryStringsEnabled", NurseryStringsEnabled, 0, 0,
+"nurseryStringsEnabled()",
+" Return whether strings are currently allocated in the nursery for current\n"
+" global\n"),
+
+ JS_FN_HELP("isNurseryAllocated", IsNurseryAllocated, 1, 0,
+"isNurseryAllocated(thing)",
+" Return whether a GC thing is nursery allocated.\n"),
+
+ JS_FN_HELP("getLcovInfo", GetLcovInfo, 1, 0,
+"getLcovInfo(global)",
+" Generate LCOV tracefile for the given compartment. If no global are provided then\n"
+" the current global is used as the default one.\n"),
+
+#ifdef DEBUG
+ JS_FN_HELP("setRNGState", SetRNGState, 2, 0,
+"setRNGState(seed0, seed1)",
+" Set this compartment's RNG state.\n"),
+#endif
+
+#ifdef AFLFUZZ
+ JS_FN_HELP("aflloop", AflLoop, 1, 0,
+"aflloop(max_cnt)",
+" Call the __AFL_LOOP() runtime function (see AFL docs)\n"),
+#endif
+
+ JS_FN_HELP("monotonicNow", MonotonicNow, 0, 0,
+"monotonicNow()",
+" Return a timestamp reflecting the current elapsed system time.\n"
+" This is monotonically increasing.\n"),
+
+ JS_FN_HELP("timeSinceCreation", TimeSinceCreation, 0, 0,
+"TimeSinceCreation()",
+" Returns the time in milliseconds since process creation.\n"
+" This uses a clock compatible with the profiler.\n"),
+
+ JS_FN_HELP("isConstructor", IsConstructor, 1, 0,
+"isConstructor(value)",
+" Returns whether the value is considered IsConstructor.\n"),
+
+ JS_FN_HELP("getTimeZone", GetTimeZone, 0, 0,
+"getTimeZone()",
+" Get the current time zone.\n"),
+
+ JS_FN_HELP("getDefaultLocale", GetDefaultLocale, 0, 0,
+"getDefaultLocale()",
+" Get the current default locale.\n"),
+
+ JS_FN_HELP("getCoreCount", GetCoreCount, 0, 0,
+"getCoreCount()",
+" Get the number of CPU cores from the platform layer. Typically this\n"
+" means the number of hyperthreads on systems where that makes sense.\n"),
+
+ JS_FN_HELP("setTimeResolution", SetTimeResolution, 2, 0,
+"setTimeResolution(resolution, jitter)",
+" Enables time clamping and jittering. Specify a time resolution in\n"
+" microseconds and whether or not to jitter\n"),
+
+ JS_FN_HELP("scriptedCallerGlobal", ScriptedCallerGlobal, 0, 0,
+"scriptedCallerGlobal()",
+" Get the caller's global (or null). See JS::GetScriptedCallerGlobal.\n"),
+
+ JS_FN_HELP("objectGlobal", ObjectGlobal, 1, 0,
+"objectGlobal(obj)",
+" Returns the object's global object or null if the object is a wrapper.\n"),
+
+ JS_FN_HELP("isSameCompartment", IsSameCompartment, 2, 0,
+"isSameCompartment(obj1, obj2)",
+" Unwraps obj1 and obj2 and returns whether the unwrapped objects are\n"
+" same-compartment.\n"),
+
+ JS_FN_HELP("firstGlobalInCompartment", FirstGlobalInCompartment, 1, 0,
+"firstGlobalInCompartment(obj)",
+" Returns the first global in obj's compartment.\n"),
+
+ JS_FN_HELP("assertCorrectRealm", AssertCorrectRealm, 0, 0,
+"assertCorrectRealm()",
+" Asserts cx->realm matches callee->realm.\n"),
+
+ JS_FN_HELP("globalLexicals", GlobalLexicals, 0, 0,
+"globalLexicals()",
+" Returns an object containing a copy of all global lexical bindings.\n"
+" Example use: let x = 1; assertEq(globalLexicals().x, 1);\n"),
+
+ JS_FN_HELP("baselineCompile", BaselineCompile, 2, 0,
+"baselineCompile([fun/code], forceDebugInstrumentation=false)",
+" Baseline-compiles the given JS function or script.\n"
+" Without arguments, baseline-compiles the caller's script; but note\n"
+" that extra boilerplate is needed afterwards to cause the VM to start\n"
+" running the jitcode rather than staying in the interpreter:\n"
+" baselineCompile(); for (var i=0; i<1; i++) {} ...\n"
+" The interpreter will enter the new jitcode at the loop header unless\n"
+" baselineCompile returned a string or threw an error.\n"),
+
+ JS_FN_HELP("encodeAsUtf8InBuffer", EncodeAsUtf8InBuffer, 2, 0,
+"encodeAsUtf8InBuffer(str, uint8Array)",
+" Encode as many whole code points from the string str into the provided\n"
+" Uint8Array as will completely fit in it, converting lone surrogates to\n"
+" REPLACEMENT CHARACTER. Return an array [r, w] where |r| is the\n"
+" number of 16-bit units read and |w| is the number of bytes of UTF-8\n"
+" written."),
+
+ JS_FN_HELP("clearKeptObjects", ClearKeptObjects, 0, 0,
+"clearKeptObjects()",
+"Perform the ECMAScript ClearKeptObjects operation, clearing the list of\n"
+"observed WeakRef targets that are kept alive until the next synchronous\n"
+"sequence of ECMAScript execution completes. This is used for testing\n"
+"WeakRefs.\n"),
+
+ JS_FN_HELP("numberToDouble", NumberToDouble, 1, 0,
+"numberToDouble(number)",
+" Return the input number as double-typed number."),
+
+JS_FN_HELP("getICUOptions", GetICUOptions, 0, 0,
+"getICUOptions()",
+" Return an object describing the following ICU options.\n\n"
+" version: a string containing the ICU version number, e.g. '67.1'\n"
+" unicode: a string containing the Unicode version number, e.g. '13.0'\n"
+" locale: the ICU default locale, e.g. 'en_US'\n"
+" tzdata: a string containing the tzdata version number, e.g. '2020a'\n"
+" timezone: the ICU default time zone, e.g. 'America/Los_Angeles'\n"
+" host-timezone: the host time zone, e.g. 'America/Los_Angeles'"),
+
+JS_FN_HELP("getAvailableLocalesOf", GetAvailableLocalesOf, 0, 0,
+"getAvailableLocalesOf(name)",
+" Return an array of all available locales for the given Intl constuctor."),
+
+JS_FN_HELP("isSmallFunction", IsSmallFunction, 1, 0,
+"isSmallFunction(fun)",
+" Returns true if a scripted function is small enough to be inlinable."),
+
+ JS_FN_HELP("compileToStencil", CompileToStencil, 1, 0,
+"compileToStencil(string, [options])",
+" Parses the given string argument as js script, returns the stencil"
+" for it."),
+
+ JS_FN_HELP("evalStencil", EvalStencil, 1, 0,
+"evalStencil(stencil, [options])",
+" Instantiates the given stencil, and evaluates the top-level script it"
+" defines."),
+
+ JS_FN_HELP("compileToStencilXDR", CompileToStencilXDR, 1, 0,
+"compileToStencilXDR(string, [options])",
+" Parses the given string argument as js script, produces the stencil"
+" for it, XDR-encodes the stencil, and returns an object that contains the"
+" XDR buffer."),
+
+ JS_FN_HELP("evalStencilXDR", EvalStencilXDR, 1, 0,
+"evalStencilXDR(stencilXDR, [options])",
+" Reads the given stencil XDR object, and evaluates the top-level script it"
+" defines."),
+
+ JS_FN_HELP("getExceptionInfo", GetExceptionInfo, 1, 0,
+"getExceptionInfo(fun)",
+" Calls the given function and returns information about the exception it"
+" throws. Returns null if the function didn't throw an exception."),
+
+ JS_FN_HELP("nukeCCW", NukeCCW, 1, 0,
+"nukeCCW(wrapper)",
+" Nuke a CrossCompartmentWrapper, which turns it into a DeadProxyObject."),
+
+ JS_FS_HELP_END
+};
+// clang-format on
+
+// clang-format off
+static const JSFunctionSpecWithHelp FuzzingUnsafeTestingFunctions[] = {
+ JS_FN_HELP("getErrorNotes", GetErrorNotes, 1, 0,
+"getErrorNotes(error)",
+" Returns an array of error notes."),
+
+ JS_FN_HELP("setTimeZone", SetTimeZone, 1, 0,
+"setTimeZone(tzname)",
+" Set the 'TZ' environment variable to the given time zone and applies the new time zone.\n"
+" An empty string or undefined resets the time zone to its default value.\n"
+" NOTE: The input string is not validated and will be passed verbatim to setenv()."),
+
+JS_FN_HELP("setDefaultLocale", SetDefaultLocale, 1, 0,
+"setDefaultLocale(locale)",
+" Set the runtime default locale to the given value.\n"
+" An empty string or undefined resets the runtime locale to its default value.\n"
+" NOTE: The input string is not fully validated, it must be a valid BCP-47 language tag."),
+
+JS_FN_HELP("isInStencilCache", IsInStencilCache, 1, 0,
+"isInStencilCache(fun)",
+" True if fun is available in the stencil cache."),
+
+JS_FN_HELP("waitForStencilCache", WaitForStencilCache, 1, 0,
+"waitForStencilCache(fun)",
+" Block main thread execution until the function is made available in the cache."),
+
+JS_FN_HELP("getInnerMostEnvironmentObject", GetInnerMostEnvironmentObject, 0, 0,
+"getInnerMostEnvironmentObject()",
+" Return the inner-most environment object for current execution."),
+
+JS_FN_HELP("getEnclosingEnvironmentObject", GetEnclosingEnvironmentObject, 1, 0,
+"getEnclosingEnvironmentObject(env)",
+" Return the enclosing environment object for given environment object."),
+
+JS_FN_HELP("getEnvironmentObjectType", GetEnvironmentObjectType, 1, 0,
+"getEnvironmentObjectType(env)",
+" Return a string represents the type of given environment object."),
+
+ JS_FN_HELP("shortestPaths", ShortestPaths, 3, 0,
+"shortestPaths(targets, options)",
+" Return an array of arrays of shortest retaining paths. There is an array of\n"
+ " shortest retaining paths for each object in |targets|. Each element in a path\n"
+ " is of the form |{ predecessor, edge }|. |options| may contain:\n"
+ " \n"
+ " maxNumPaths: The maximum number of paths returned in each of those arrays\n"
+ " (default 3).\n"
+ " start: The object to start all paths from. If not given, then\n"
+ " the starting point will be the set of GC roots."),
+
+
+ JS_FS_HELP_END
+};
+// clang-format on
+
+// clang-format off
+static const JSFunctionSpecWithHelp PCCountProfilingTestingFunctions[] = {
+ JS_FN_HELP("start", PCCountProfiling_Start, 0, 0,
+ "start()",
+ " Start PC count profiling."),
+
+ JS_FN_HELP("stop", PCCountProfiling_Stop, 0, 0,
+ "stop()",
+ " Stop PC count profiling."),
+
+ JS_FN_HELP("purge", PCCountProfiling_Purge, 0, 0,
+ "purge()",
+ " Purge the collected PC count profiling data."),
+
+ JS_FN_HELP("count", PCCountProfiling_ScriptCount, 0, 0,
+ "count()",
+ " Return the number of profiled scripts."),
+
+ JS_FN_HELP("summary", PCCountProfiling_ScriptSummary, 1, 0,
+ "summary(index)",
+ " Return the PC count profiling summary for the given script index.\n"
+ " The script index must be in the range [0, pc.count())."),
+
+ JS_FN_HELP("contents", PCCountProfiling_ScriptContents, 1, 0,
+ "contents(index)",
+ " Return the complete profiling contents for the given script index.\n"
+ " The script index must be in the range [0, pc.count())."),
+
+ JS_FS_HELP_END
+};
+// clang-format on
+
+// clang-format off
+static const JSFunctionSpecWithHelp FdLibMTestingFunctions[] = {
+ JS_FN_HELP("pow", FdLibM_Pow, 2, 0,
+ "pow(x, y)",
+ " Return x ** y."),
+
+ JS_FS_HELP_END
+};
+// clang-format on
+
+bool js::InitTestingFunctions() { return disasmBuf.init(); }
+
+bool js::DefineTestingFunctions(JSContext* cx, HandleObject obj,
+ bool fuzzingSafe_, bool disableOOMFunctions_) {
+ fuzzingSafe = fuzzingSafe_;
+ if (EnvVarIsDefined("MOZ_FUZZING_SAFE")) {
+ fuzzingSafe = true;
+ }
+
+ disableOOMFunctions = disableOOMFunctions_;
+
+ if (!fuzzingSafe) {
+ if (!JS_DefineFunctionsWithHelp(cx, obj, FuzzingUnsafeTestingFunctions)) {
+ return false;
+ }
+
+ RootedObject pccount(cx, JS_NewPlainObject(cx));
+ if (!pccount) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "pccount", pccount, 0)) {
+ return false;
+ }
+
+ if (!JS_DefineFunctionsWithHelp(cx, pccount,
+ PCCountProfilingTestingFunctions)) {
+ return false;
+ }
+ }
+
+ RootedObject fdlibm(cx, JS_NewPlainObject(cx));
+ if (!fdlibm) {
+ return false;
+ }
+
+ if (!JS_DefineProperty(cx, obj, "fdlibm", fdlibm, 0)) {
+ return false;
+ }
+
+ if (!JS_DefineFunctionsWithHelp(cx, fdlibm, FdLibMTestingFunctions)) {
+ return false;
+ }
+
+ return JS_DefineFunctionsWithHelp(cx, obj, TestingFunctions);
+}
+
+#ifdef FUZZING_JS_FUZZILLI
+uint32_t js::FuzzilliHashDouble(double value) {
+ // We shouldn't GC here as this is called directly from IC code.
+ AutoUnsafeCallWithABI unsafe;
+ uint64_t v = mozilla::BitwiseCast<uint64_t>(value);
+ return static_cast<uint32_t>(v) + static_cast<uint32_t>(v >> 32);
+}
+
+uint32_t js::FuzzilliHashBigInt(BigInt* bigInt) {
+ // We shouldn't GC here as this is called directly from IC code.
+ AutoUnsafeCallWithABI unsafe;
+ return bigInt->hash();
+}
+
+void js::FuzzilliHashObject(JSContext* cx, JSObject* obj) {
+ // called from IC and baseline/interpreter
+ uint32_t hash;
+ FuzzilliHashObjectInl(cx, obj, &hash);
+
+ cx->executionHashInputs += 1;
+ cx->executionHash = mozilla::RotateLeft(cx->executionHash + hash, 1);
+}
+
+void js::FuzzilliHashObjectInl(JSContext* cx, JSObject* obj, uint32_t* out) {
+ *out = 0;
+ if (!js::SupportDifferentialTesting()) {
+ return;
+ }
+
+ RootedValue v(cx);
+ v.setObject(*obj);
+
+ JSAutoStructuredCloneBuffer JSCloner(
+ JS::StructuredCloneScope::DifferentProcess, nullptr, nullptr);
+ if (JSCloner.write(cx, v)) {
+ JSStructuredCloneData& data = JSCloner.data();
+ data.ForEachDataChunk([&](const char* aData, size_t aSize) {
+ uint32_t h = mozilla::HashBytes(aData, aSize);
+ h = (h << 1) | 1;
+ *out ^= h;
+ *out *= h;
+ return true;
+ });
+ } else if (JS_IsExceptionPending(cx)) {
+ JS_ClearPendingException(cx);
+ }
+}
+#endif