It is possible to have a JSContext with no global object and no frames on the
stack, yet still be within a request. In that case, xpc_UnmarkGrayContext will
trigger an exception "nothing active on context" when it attempts to access the
inner object of the cx's NULL global.
A common source of potential black -> gray edges is JSAPI calls made on objects with gray globals or contexts holding gray globals. (The call could potentially update a black object with a pointer to that global.) This patch mostly traps places where contexts are used, and unmarks their globals. It also includes some more global unmarking.
--HG--
extra : rebase_source : 835c1d6b4a7f7a11571412075ae8847475079edd
In the new setup, all per-interface DOM binding files are exported into
mozilla/dom. General files not specific to an interface are also exported into
mozilla/dom.
In terms of namespaces, most things now live in mozilla::dom. Each interface
Foo that has generated code has a mozilla::dom::FooBinding namespace for said
generated code (and possibly a mozilla::bindings::FooBinding_workers if there's
separate codegen for workers).
IDL enums are a bit weird: since the name of the enum and the names of its
entries all end up in the same namespace, we still generate a C++ namespace
with the name of the IDL enum type with "Values" appended to it, with a
::valuelist inside for the actual C++ enum. We then typedef
EnumFooValues::valuelist to EnumFoo. That makes it a bit more difficult to
refer to the values, but means that values from different enums don't collide
with each other.
The enums with the proto and constructor IDs in them now live under the
mozilla::dom::prototypes and mozilla::dom::constructors namespaces respectively.
Again, this lets us deal sanely with the whole "enum value names are flattened
into the namespace the enum is in" deal.
The main benefit of this setup (and the reason "Binding" got appended to the
per-interface namespaces) is that this way "using mozilla::dom" should Just
Work for consumers and still allow C++ code to sanely use the IDL interface
names for concrete classes, which is fairly desirable.
--HG--
rename : dom/bindings/Utils.cpp => dom/bindings/BindingUtils.cpp
rename : dom/bindings/Utils.h => dom/bindings/BindingUtils.h
Pass two objects when creating a DOM interface object, the global used to cache
the DOM interface objects and a receiver object on which the named property is
that points to the DOM interface object.
--HG--
extra : rebase_source : b462393e7376fdb68f3b279ccd08b3ab25ac154a
For ease of reviewing, note that there are only 2 changes to the big switch statement:
1 - return ThrowAndFail(...) -> return false.
2 - eMsgBytes -> messageBytes
A common source of potential black -> gray edges is JSAPI calls made on objects with gray globals or contexts holding gray globals. (The call could potentially update a black object with a pointer to that global.) This patch mostly traps places where contexts are used, and unmarks their globals. It also includes some more global unmarking.
--HG--
extra : rebase_source : 1286bdbc4c337956242c292e0fa385629ee8850b
This part replaces the JSContext *cx argument in most GC-related API
with JSRuntime *rt. When possible, the patch removes the code to obtain
a temporary cx just to run the GC.
The patch also removes JS_DestroyContextMaybeGC. That function is not
used in FF code base and its implementation is broken. It requires that
the context has an entered compartment when it is destroyed, which in
turns implies a missing leave compartment call.
This part removes the usage of JSContext* during the finalization and
when sweeping the compartments. That required to change quite a few
methods in type inference, jit and debugger implementation to take a
FreeOp rather than JSContext pointer. In turn that also often required
to replace cx->compartment usage with extracting the compartment from
the passed objects or pass the compartment explicitly. On the plus side
it allowed to remove fallible compartment enter code in methods that
could be called during finalization.
This part changes the signatures for various finalization API to take
not JSContext* but rather either JSFreeOp structure or its
library-private counterpart FreeOp. These structures wrap parameters
that are passed to the finalizers removing most of explicit dependencies
on JSContext in the finalization code.
The patch shrinks the API presented in jsxdrapi.h down to 4 functions to
encode/decode scripts and interpreted functions to/from the memory. The
newly introduced implementation header vm/Xdr.h replaces the former
JSXDRState with the template class XDRState parametrized by the enum
type with two constants, XDR_ENCODE and XDR_DECODE. This way a compiler
can fully eliminate the former runtime checks for the decoding/encoding
mode. As a drawback this required to explicitly instantiate the xdr
implementation as I do not want to put all the xdr code to header files.
The memory-only XDR allows to avoid coping filename and to-be-atomized
chars to a temporary buffer as the code can just access the buffer
directly. Another change is that new XDRScript takes as a parameter its
parent script. This allowed to avoid keeping filename in XDRState and
simplify the filename management.
Another change is the removal of JS_HAS_HDR. As CloneScript uses XDR to
copy a script, JS_HAS_XDR cannot be disabled.
--HG--
rename : js/src/jsxdrapi.cpp => js/src/vm/Xdr.cpp
extra : rebase_source : f8f1536a86b7c3fe7296a16b6677bd21664af98a
The patch shrinks the API presented in jsxdrapi.h down to 4 functions to
encode/decode scripts and interpreted functions to/from the memory. The
newly introduced implementation header vm/Xdr.h replaces the former
JSXDRState with the template class XDRState parametrized by the enum
type with two constants, XDR_ENCODE and XDR_DECODE. This way a compiler
can fully eliminate the former runtime checks for the decoding/encoding
mode. As a drawback this required to explicitly instantiate the xdr
implementation as I do not want to put all the xdr code to header files.
The memory-only XDR allows to avoid coping filename and to-be-atomized
chars to a temporary buffer as the code can just access the buffer
directly. Another change is that new XDRScript takes as a parameter its
parent script. This allowed to avoid keeping filename in XDRState and
simplify the filename management.
Another change is the removal of JS_HAS_HDR. As CloneScript uses XDR to
copy a script, JS_HAS_XDR cannot be disabled.
--HG--
rename : js/src/jsxdrapi.cpp => js/src/vm/Xdr.cpp
The patch shrinks the API presented in jsxdrapi.h down to 4 functions to
encode/decode scripts and interpreted functions to/from the memory. The
newly introduced implementation header vm/Xdr.h replaces the former
JSXDRState with the template class XDRState parametrized by the enum
type with two constants, XDR_ENCODE and XDR_DECODE. This way a compiler
can fully eliminate the former runtime checks for the decoding/encoding
mode. As a drawback this required to explicitly instantiate the xdr
implementation as I do not want to put all the xdr code to header files.
The memory-only XDR allows to avoid coping filename and to-be-atomized
chars to a temporary buffer as the code can just access the buffer
directly. Another change is that new XDRScript takes as a parameter its
parent script. This allowed to avoid keeping filename in XDRState and
simplify the filename management.
Another change is the removal of JS_HAS_HDR. As CloneScript uses XDR to
copy a script, JS_HAS_XDR cannot be disabled.
--HG--
rename : js/src/jsxdrapi.cpp => js/src/vm/Xdr.cpp
The current situation seems incorrect, especially given the behavior of CrossOriginWrapper and XrayProxy. Currently it doesn't matter, but it probably will in the future.
This isn't an issue right now, since it can't ever happen outside of sandboxes, which content can't use. But if it could, it could get a pure CrossCompartmentWrapper to a Location object, which is bad.
I'm adding asserts about when we do and don't have a Location object behind the wrapper, and this case was hitting them. What we do here doesn't so much matter given how this stuff all works. On the one hand, statically using a restrictive policy is slightly more defense-in-depth. On the other hand, if this stuff is broken we're screwed in much more serious ways than content reading chrome locations, and using a consistent wrapper scheme allows us to make stronger asserts and assumptions.
I opted for stronger assumptions and more understandable security code. If Blake feels strongly though, I could go the other way and sprinkle '|| isChrome(obj)' throughout the asserts though.
Currently to serialize principals stored in JSScript we have a rather complex
schema. First there is the transcode callback that the embedding must provide
to transcode principals using XDR API. Second we use rather complex glue code
to implement that callback in terms of writing/reading nsIObjectOutputStream/
nsIObjectInputStream. This glue code is duplicated in 3 places. All this can
be avoided if we simply delegate transcoding of principals to the caller. In
addition, at least in the case of the cached startup scripts we do not even
need to transcode the principals as the the cached scripts always have the
system principal so we can skip all the transcode complexity there.
The patch implemnts this idea. In particular, the code in JS engine
responsible for transcoding of principals is replaced by the single API
function JS_XDRSetPrincipals that the embedding can use to set principals for
decoded scripts and functions. Then the startup cache uses this to set the
principals for the decoded script to the system principals. The other two
places in nsJSContext::Serialize and XBL_SerializeFunction that need to
serialize principals together with a function or script now uses common
utilities in nsXPConnect so the serialization complexity resides in the single
place.
Currently the GC finalizes on the background thread only objects with null
JSClass::finalize. However, this implies that any object that uses
JS_FinalizeStub for the finalizer would be prevented from the background
finalization.
To fix this the patch removes JS_FinalizeStub replacing it with NULL in all
cases when the class has no custom finalizer. For style consistency the patch
also removed the usage of JSCLASS_NO_OPTIONAL_MEMBERS in the static
declarations as the compiler fills the missing fields with null in any cases.