Bug 1445854 - Part 1: Make GenericCreatePrototype use protoClass_. r=jwalden

Originally, long ago, the builtin prototype object of a class was always an actual instance of that class. For many of the oldest classes, this is still true. Array.isArray(Array.prototype) is true; Function.prototype is callable; and so on. As it turns out, this is a bad idea. Prototypes are a lot like uninitialized objects; thus it was a common bug to have code like if (!obj->is<WidgetObject>()) { // safety check return ThrowTypeError(cx, ...); } obj->as<WidgetObject>().getWidgetPrivateData()->doThings(); // BUG This would crash when obj happened to be Widget.prototype, because that would sneak past the safety check, and then `getWidgetPrivateData()` would typically return null. Extra checks everywhere. The solution is for each builtin class to have a class_ (for instances) and a protoClass_ (for the prototype object) that share a single ClassSpec (for the benefit of the X-ray wrapper machinery). (This problem was a pain for the spec, too. The standard committee has stopped making prototype objects special in this way. The newer ones are just plain objects with no internal slots, and where possible, old stuff like Date.prototype was retroactively changed.) GenericCreatePrototype never got the memo. This patch fixes it. Differential Revision: https://phabricator.services.mozilla.com/D7666 --HG-- extra : moz-landing-system : lando
2018-10-06 12:22:35 +00:00 · 2018-10-06 12:22:35 +00:00 · adc7298478
--- a/js/src/builtin/Stream.cpp
+++ b/js/src/builtin/Stream.cpp
@ -583,7 +583,7 @@ const Class TeeState::class_ = {
 #define CLASS_SPEC(cls, nCtorArgs, nSlots, specFlags, classFlags, classOps) \
 const ClassSpec cls::classSpec_ = { \
    GenericCreateConstructor<cls::constructor, nCtorArgs, gc::AllocKind::FUNCTION>, \
-    GenericCreatePrototype, \
+    GenericCreatePrototype<cls>, \
    nullptr, \
    nullptr, \
    cls##_methods, \
--- a/js/src/jit-test/tests/basic/bug1445854.js
+++ b/js/src/jit-test/tests/basic/bug1445854.js
@ -0,0 +1,4 @@
+load(libdir + "asserts.js");
+if (typeof ReadableStream == "function") {
+    assertThrowsInstanceOf(TypeError, () => ReadableStream.prototype.tee());
+}
--- a/js/src/vm/GlobalObject.h
+++ b/js/src/vm/GlobalObject.h
@ -909,18 +909,17 @@ GenericCreateConstructor(JSContext* cx, JSProtoKey key)
    return GlobalObject::createConstructor(cx, ctor, name, length, kind, jitInfo);
 }

-inline JSObject*
+template<typename T>
+JSObject*
 GenericCreatePrototype(JSContext* cx, JSProtoKey key)
 {
-    MOZ_ASSERT(key != JSProto_Object);
-    const Class* clasp = ProtoKeyToClass(key);
-    MOZ_ASSERT(clasp);
-    JSProtoKey protoKey = InheritanceProtoKeyForStandardClass(key);
-    if (!GlobalObject::ensureConstructor(cx, cx->global(), protoKey)) {
-        return nullptr;
-    }
-    RootedObject parentProto(cx, &cx->global()->getPrototype(protoKey).toObject());
-    return GlobalObject::createBlankPrototypeInheriting(cx, clasp, parentProto);
+    static_assert(!std::is_same<T, PlainObject>::value,
+                  "creating Object.prototype is very special and isn't handled here");
+    MOZ_ASSERT(&T::class_ == ProtoKeyToClass(key),
+               "type mismatch--probably too much copy/paste in your ClassSpec");
+    MOZ_ASSERT(InheritanceProtoKeyForStandardClass(key) == JSProto_Object,
+               "subclasses (of anything but Object) can't use GenericCreatePrototype");
+    return GlobalObject::createBlankPrototype(cx, cx->global(), &T::protoClass_);
 }

 inline JSProtoKey
--- a/js/src/vm/SavedFrame.h
+++ b/js/src/vm/SavedFrame.h
@ -23,6 +23,7 @@ class SavedFrame : public NativeObject {

  public:
    static const Class          class_;
+    static const Class          protoClass_;
    static const JSPropertySpec protoAccessors[];
    static const JSFunctionSpec protoFunctions[];
    static const JSFunctionSpec staticFunctions[];
--- a/js/src/vm/SavedStacks.cpp
+++ b/js/src/vm/SavedStacks.cpp
@ -347,10 +347,6 @@ SavedFrame::HashPolicy::rekey(Key& key, const Key& newKey)
 /* static */ bool
 SavedFrame::finishSavedFrameInit(JSContext* cx, HandleObject ctor, HandleObject proto)
 {
-    // The only object with the SavedFrame::class_ that doesn't have a source
-    // should be the prototype.
-    proto->as<NativeObject>().setReservedSlot(SavedFrame::JSSLOT_SOURCE, NullValue());
-
    return FreezeObject(cx, proto);
 }

@ -370,7 +366,7 @@ static const ClassOps SavedFrameClassOps = {

 const ClassSpec SavedFrame::classSpec_ = {
    GenericCreateConstructor<SavedFrame::construct, 0, gc::AllocKind::FUNCTION>,
-    GenericCreatePrototype,
+    GenericCreatePrototype<SavedFrame>,
    SavedFrame::staticFunctions,
    nullptr,
    SavedFrame::protoFunctions,
@ -390,6 +386,13 @@ const ClassSpec SavedFrame::classSpec_ = {
    &SavedFrame::classSpec_
 };

+const Class SavedFrame::protoClass_ = {
+    js_Object_str,
+    JSCLASS_HAS_CACHED_PROTO(JSProto_SavedFrame),
+    JS_NULL_CLASS_OPS,
+    &SavedFrame::classSpec_
+};
+
 /* static */ const JSFunctionSpec
 SavedFrame::staticFunctions[] = {
    JS_FS_END
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@ -1767,10 +1767,18 @@ TypedArrayObject::staticProperties[] = {
    JS_PS_END
 };

+static JSObject*
+CreateSharedTypedArrayPrototype(JSContext* cx, JSProtoKey key)
+{
+    return GlobalObject::createBlankPrototype(cx,
+                                              cx->global(),
+                                              &TypedArrayObject::sharedTypedArrayPrototypeClass);
+}
+
 static const ClassSpec
 TypedArrayObjectSharedTypedArrayPrototypeClassSpec = {
    GenericCreateConstructor<TypedArrayConstructor, 0, gc::AllocKind::FUNCTION>,
-    GenericCreatePrototype,
+    CreateSharedTypedArrayPrototype,
    TypedArrayObject::staticFunctions,
    TypedArrayObject::staticProperties,
    TypedArrayObject::protoFunctions,
@ -1781,13 +1789,7 @@ TypedArrayObjectSharedTypedArrayPrototypeClassSpec = {

 /* static */ const Class
 TypedArrayObject::sharedTypedArrayPrototypeClass = {
-    // Actually ({}).toString.call(%TypedArray%.prototype) should throw,
-    // because %TypedArray%.prototype lacks the the typed array internal
-    // slots.  (It's not clear this is desirable -- particularly applied to
-    // the actual typed array prototypes, see below -- but it's what ES6
-    // draft 20140824 requires.)  But this is about as much as we can do
-    // until we implement @@toStringTag.
-    "???",
+    "TypedArrayPrototype",
    JSCLASS_HAS_CACHED_PROTO(JSProto_TypedArray),
    JS_NULL_CLASS_OPS,
    &TypedArrayObjectSharedTypedArrayPrototypeClassSpec