Bug 1223916 - Prohibit direct method calls at the parser level in self-hosted code. (r=till)

2015-11-13 18:26:00 -08:00 · 2015-11-13 18:26:00 -08:00 · bd779ec071
--- a/js/src/builtin/Array.js
+++ b/js/src/builtin/Array.js
@ -774,7 +774,7 @@ function ArrayFrom(items, mapfn=undefined, thisArg=undefined) {
        // See <https://bugs.ecmascript.org/show_bug.cgi?id=2883>.
        while (true) {
            // Steps 6.g.i-iii.
-            var next = iterator.next();
+            var next = callFunction(iterator.next, iterator);
            if (!IsObject(next))
                ThrowTypeError(JSMSG_NEXT_RETURNED_PRIMITIVE);
--- a/js/src/builtin/Intl.js
+++ b/js/src/builtin/Intl.js
@ -443,9 +443,9 @@ function CanonicalizeLanguageTag(locale) {
        while (i < subtags.length && subtags[i].length > 1)
            i++;
        var extension = callFunction(std_Array_join, callFunction(std_Array_slice, subtags, extensionStart, i), "-");
-        extensions.push(extension);
+        callFunction(std_Array_push, extensions, extension);
    }
-    extensions.sort();
+    callFunction(std_Array_sort, extensions);
    // Private use sequences are left as is. "x-private"
    var privateUse = "";
@ -455,7 +455,7 @@ function CanonicalizeLanguageTag(locale) {
    // Put everything back together.
    var canonical = normal;
    if (extensions.length > 0)
-        canonical += "-" + extensions.join("-");
+        canonical += "-" + callFunction(std_Array_join, extensions, "-");
    if (privateUse.length > 0) {
        // Be careful of a Language-Tag that is entirely privateuse.
        if (canonical.length > 0)
@ -578,11 +578,14 @@ function DefaultLocale() {
    // (perhaps via fallback).  Otherwise use the last-ditch locale.
    var candidate = DefaultLocaleIgnoringAvailableLocales();
    var locale;
-    if (BestAvailableLocaleIgnoringDefault(collatorInternalProperties.availableLocales(),
+    if (BestAvailableLocaleIgnoringDefault(callFunction(collatorInternalProperties.availableLocales,
                                                        collatorInternalProperties),
                                           candidate) &&
-        BestAvailableLocaleIgnoringDefault(numberFormatInternalProperties.availableLocales(),
+        BestAvailableLocaleIgnoringDefault(callFunction(numberFormatInternalProperties.availableLocales,
                                                        numberFormatInternalProperties),
                                           candidate) &&
-        BestAvailableLocaleIgnoringDefault(dateTimeFormatInternalProperties.availableLocales(),
+        BestAvailableLocaleIgnoringDefault(callFunction(dateTimeFormatInternalProperties.availableLocales,
                                                        dateTimeFormalInternalProperties),
                                           candidate))
    {
        locale = candidate;
@ -675,8 +678,8 @@ function CanonicalizeLocaleList(locales) {
            if (!IsStructurallyValidLanguageTag(tag))
                ThrowRangeError(JSMSG_INVALID_LANGUAGE_TAG, tag);
            tag = CanonicalizeLanguageTag(tag);
-            if (seen.indexOf(tag) === -1)
+            if (callFunction(std_Array_indexOf, seen, tag) === -1)
-                seen.push(tag);
+                callFunction(std_Array_push, seen, tag);
        }
        k++;
    }
@ -968,14 +971,14 @@ function LookupSupportedLocales(availableLocales, requestedLocales) {
        // Step 4.c-d.
        var availableLocale = BestAvailableLocale(availableLocales, noExtensionsLocale);
        if (availableLocale !== undefined)
-            subset.push(locale);
+            callFunction(std_Array_push, subset, locale);
        // Step 4.e.
        k++;
    }
    // Steps 5-6.
-    return subset.slice(0);
+    return callFunction(std_Array_slice, subset, 0);
 }
@ -1317,7 +1320,7 @@ function resolveCollatorInternals(lazyCollatorData)
    var relevantExtensionKeys = Collator.relevantExtensionKeys;
    // Step 15.
-    var r = ResolveLocale(Collator.availableLocales(),
+    var r = ResolveLocale(callFunction(Collator.availableLocales, Collator),
                          lazyCollatorData.requestedLocales,
                          lazyCollatorData.opt,
                          relevantExtensionKeys,
@ -1507,7 +1510,8 @@ function InitializeCollator(collator, locales, options) {
 function Intl_Collator_supportedLocalesOf(locales /*, options*/) {
    var options = arguments.length > 1 ? arguments[1] : undefined;
-    var availableLocales = collatorInternalProperties.availableLocales();
+    var availableLocales = callFunction(collatorInternalProperties.availableLocales,
                                        collatorInternalProperties);
    var requestedLocales = CanonicalizeLocaleList(locales);
    return SupportedLocales(availableLocales, requestedLocales, options);
 }
@ -1675,7 +1679,7 @@ function resolveNumberFormatInternals(lazyNumberFormatData) {
    var localeData = NumberFormat.localeData;
    // Step 11.
-    var r = ResolveLocale(NumberFormat.availableLocales(),
+    var r = ResolveLocale(callFunction(NumberFormat.availableLocales, NumberFormat),
                          lazyNumberFormatData.requestedLocales,
                          lazyNumberFormatData.opt,
                          NumberFormat.relevantExtensionKeys,
@ -1959,7 +1963,8 @@ function CurrencyDigits(currency) {
 function Intl_NumberFormat_supportedLocalesOf(locales /*, options*/) {
    var options = arguments.length > 1 ? arguments[1] : undefined;
-    var availableLocales = numberFormatInternalProperties.availableLocales();
+    var availableLocales = callFunction(numberFormatInternalProperties.availableLocales,
                                        numberFormatInternalProperties);
    var requestedLocales = CanonicalizeLocaleList(locales);
    return SupportedLocales(availableLocales, requestedLocales, options);
 }
@ -2118,7 +2123,7 @@ function resolveDateTimeFormatInternals(lazyDateTimeFormatData) {
    var localeData = DateTimeFormat.localeData;
    // Step 10.
-    var r = ResolveLocale(DateTimeFormat.availableLocales(),
+    var r = ResolveLocale(callFunction(DateTimeFormat.availableLocales, DateTimeFormat),
                          lazyDateTimeFormatData.requestedLocales,
                          lazyDateTimeFormatData.localeOpt,
                          DateTimeFormat.relevantExtensionKeys,
@ -2659,7 +2664,8 @@ function BestFitFormatMatcher(options, formats) {
 function Intl_DateTimeFormat_supportedLocalesOf(locales /*, options*/) {
    var options = arguments.length > 1 ? arguments[1] : undefined;
-    var availableLocales = dateTimeFormatInternalProperties.availableLocales();
+    var availableLocales = callFunction(dateTimeFormatInternalProperties.availableLocales,
                                        dateTimeFormatInternalProperties);
    var requestedLocales = CanonicalizeLocaleList(locales);
    return SupportedLocales(availableLocales, requestedLocales, options);
 }
--- a/js/src/builtin/Iterator.js
+++ b/js/src/builtin/Iterator.js
@ -11,7 +11,7 @@ var LegacyIteratorWrapperMap = new std_WeakMap();
 function LegacyIteratorNext(arg) {
    var iter = callFunction(std_WeakMap_get, LegacyIteratorWrapperMap, this);
    try {
-        return { value: iter.next(arg), done: false };
+        return { value: callFunction(iter.next, iter, arg), done: false };
    } catch (e) {
        if (e instanceof std_StopIteration)
            return { value: undefined, done: true };
@ -22,7 +22,7 @@ function LegacyIteratorNext(arg) {
 function LegacyIteratorThrow(exn) {
    var iter = callFunction(std_WeakMap_get, LegacyIteratorWrapperMap, this);
    try {
-        return { value: iter.throw(exn), done: false };
+        return { value: callFunction(iter.throw, iter, exn), done: false };
    } catch (e) {
        if (e instanceof std_StopIteration)
            return { value: undefined, done: true };
--- a/js/src/builtin/Module.js
+++ b/js/src/builtin/Module.js
@ -43,7 +43,8 @@ function ModuleGetExportedNames(exportStarSet = [])
    for (let i = 0; i < starExportEntries.length; i++) {
        let e = starExportEntries[i];
        let requestedModule = HostResolveImportedModule(module, e.moduleRequest);
-        let starNames = requestedModule.getExportedNames(exportStarSet);
+        let starNames = callFunction(requestedModule.getExportedNames, requestedModule,
                                     exportStarSet);
        for (let j = 0; j < starNames.length; j++) {
            let n = starNames[j];
            if (n !== "default" && !(n in exportedNames))
@ -89,9 +90,8 @@ function ModuleResolveExport(exportName, resolveSet = [], exportStarSet = [])
        let e = indirectExportEntries[i];
        if (exportName === e.exportName) {
            let importedModule = HostResolveImportedModule(module, e.moduleRequest);
-            let indirectResolution = importedModule.resolveExport(e.importName,
+            let indirectResolution = callFunction(importedModule.resolveExport, importedModule,
-                                                                  resolveSet,
+                                                  e.importName, resolveSet, exportStarSet);
                                                                  exportStarSet);
            if (indirectResolution !== null)
                return indirectResolution;
        }
@ -118,7 +118,8 @@ function ModuleResolveExport(exportName, resolveSet = [], exportStarSet = [])
    for (let i = 0; i < starExportEntries.length; i++) {
        let e = starExportEntries[i];
        let importedModule = HostResolveImportedModule(module, e.moduleRequest);
-        let resolution = importedModule.resolveExport(exportName, resolveSet, exportStarSet);
+        let resolution = callFunction(importedModule.resolveExport, importedModule,
                                      exportName, resolveSet, exportStarSet);
        if (resolution === "ambiguous")
            return resolution;
@ -146,11 +147,11 @@ function GetModuleNamespace(module)
    // Step 3
    if (typeof namespace === "undefined") {
-        let exportedNames = module.getExportedNames();
+        let exportedNames = callFunction(module.getExportedNames, module);
        let unambiguousNames = [];
        for (let i = 0; i < exportedNames.length; i++) {
            let name = exportedNames[i];
-            let resolution = module.resolveExport(name);
+            let resolution = callFunction(module.resolveExport, module, name);
            if (resolution === null)
                ThrowSyntaxError(JSMSG_MISSING_NAMESPACE_EXPORT);
            if (resolution !== "ambiguous")
@ -166,7 +167,7 @@ function GetModuleNamespace(module)
 // 9.4.6.13 ModuleNamespaceCreate(module, exports)
 function ModuleNamespaceCreate(module, exports)
 {
-    exports.sort();
+    callFunction(std_Array_sort, exports);
    let ns = NewModuleNamespace(module, exports);
@ -174,7 +175,7 @@ function ModuleNamespaceCreate(module, exports)
    // access.
    for (let i = 0; i < exports.length; i++) {
        let name = exports[i];
-        let binding = module.resolveExport(name);
+        let binding = callFunction(module.resolveExport, module, name);
        assert(binding !== null && binding !== "ambiguous", "Failed to resolve binding");
        AddModuleNamespaceBinding(ns, name, binding.module, binding.bindingName);
    }
@ -204,14 +205,14 @@ function ModuleDeclarationInstantiation()
    for (let i = 0; i < requestedModules.length; i++) {
        let required = requestedModules[i];
        let requiredModule = HostResolveImportedModule(module, required);
-        requiredModule.declarationInstantiation();
+        callFunction(requiredModule.declarationInstantiation, requiredModule);
    }
    // Step 9
    let indirectExportEntries = module.indirectExportEntries;
    for (let i = 0; i < indirectExportEntries.length; i++) {
        let e = indirectExportEntries[i];
-        let resolution = module.resolveExport(e.exportName);
+        let resolution = callFunction(module.resolveExport, module, e.exportName);
        if (resolution === null)
            ThrowSyntaxError(JSMSG_MISSING_INDIRECT_EXPORT);
        if (resolution === "ambiguous")
@ -227,7 +228,8 @@ function ModuleDeclarationInstantiation()
            let namespace = GetModuleNamespace(importedModule);
            CreateNamespaceBinding(env, imp.localName, namespace);
        } else {
-            let resolution = importedModule.resolveExport(imp.importName);
+            let resolution = callFunction(importedModule.resolveExport, importedModule,
                                          imp.importName);
            if (resolution === null)
                ThrowSyntaxError(JSMSG_MISSING_IMPORT);
            if (resolution === "ambiguous")
@ -261,7 +263,7 @@ function ModuleEvaluation()
    for (let i = 0; i < requestedModules.length; i++) {
        let required = requestedModules[i];
        let requiredModule = HostResolveImportedModule(module, required);
-        requiredModule.evaluation();
+        callFunction(requiredModule.evaluation, requiredModule);
    }
    return EvaluateModule(module);
--- a/js/src/builtin/Object.js
+++ b/js/src/builtin/Object.js
@ -57,7 +57,7 @@ function Object_toLocaleString() {
    var O = this;
    // Step 2.
-    return O.toString();
+    return callFunction(O.toString, O);
 }
 function ObjectDefineSetter(name, setter) {
--- a/js/src/builtin/String.js
+++ b/js/src/builtin/String.js
@ -296,12 +296,12 @@ function String_static_fromCodePoint(codePoints) {
        // Step 5f.
        // Inlined UTF-16 Encoding
        if (nextCP <= 0xFFFF) {
-            elements.push(nextCP);
+            callFunction(std_Array_push, elements, nextCP);
            continue;
        }
-        elements.push((((nextCP - 0x10000) / 0x400) | 0) + 0xD800);
+        callFunction(std_Array_push, elements, (((nextCP - 0x10000) / 0x400) | 0) + 0xD800);
-        elements.push((nextCP - 0x10000) % 0x400 + 0xDC00);
+        callFunction(std_Array_push, elements, (nextCP - 0x10000) % 0x400 + 0xDC00);
    }
    // Step 6.
--- a/js/src/builtin/TypedArray.js
+++ b/js/src/builtin/TypedArray.js
@ -216,7 +216,7 @@ function TypedArrayFilter(callbackfn, thisArg = undefined) {
        // Step 13.f.
        if (selected) {
            // Step 13.f.i.
-            kept.push(kValue);
+            callFunction(std_Array_push, kept, kValue);
            // Step 13.f.ii.
            captured++;
        }
@ -1058,14 +1058,14 @@ function TypedArrayFrom(constructor, target, items, mapfn, thisArg) {
        // Steps 10.d-e.
        while (true) {
            // Steps 10.e.i-ii.
-            var next = iterator.next();
+            var next = callFunction(iterator.next, iterator);
            if (!IsObject(next))
                ThrowTypeError(JSMSG_NEXT_RETURNED_PRIMITIVE);
            // Steps 10.e.iii-vi.
            if (next.done)
                break;
-            values.push(next.value);
+            callFunction(std_Array_push, values, next.value);
        }
        // Step 10.f.
--- a/js/src/builtin/Utilities.js
+++ b/js/src/builtin/Utilities.js
@ -53,16 +53,7 @@ var std_Map_iterator_next = MapIteratorNext;
 function List() {
    this.length = 0;
 }
-
+MakeConstructible(List, {__proto__: null});
 {
  let ListProto = std_Object_create(null);
  ListProto.indexOf = std_Array_indexOf;
  ListProto.join = std_Array_join;
  ListProto.push = std_Array_push;
  ListProto.slice = std_Array_slice;
  ListProto.sort = std_Array_sort;
  MakeConstructible(List, ListProto);
 }
 /********** Record specification type **********/
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@ -8629,6 +8629,11 @@ Parser<ParseHandler>::memberExpr(YieldHandling yieldHandling, TripledotHandling
                return nextMember;
            }
            if (options().selfHostingMode && handler.isPropertyAccess(lhs)) {
                report(ParseError, false, null(), JSMSG_SELFHOSTED_METHOD_CALL);
                return null();
            }
            nextMember = tt == TOK_LP ? handler.newCall() : handler.newTaggedTemplate();
            if (!nextMember)
                return null();
--- a/js/src/js.msg
+++ b/js/src/js.msg
@ -314,6 +314,7 @@ MSG_DEF(JSMSG_RESERVED_ID,             1, JSEXN_SYNTAXERR, "{0} is a reserved id
 MSG_DEF(JSMSG_REST_WITH_DEFAULT,       0, JSEXN_SYNTAXERR, "rest parameter may not have a default")
 MSG_DEF(JSMSG_SELFHOSTED_TOP_LEVEL_LEXICAL, 1, JSEXN_SYNTAXERR, "self-hosted code cannot contain top-level {0} declarations")
 MSG_DEF(JSMSG_SELFHOSTED_UNBOUND_NAME, 0, JSEXN_TYPEERR, "self-hosted code may not contain unbound name lookups")
 MSG_DEF(JSMSG_SELFHOSTED_METHOD_CALL,  0, JSEXN_SYNTAXERR, "self-hosted code may not contain direct method calls")
 MSG_DEF(JSMSG_SEMI_AFTER_FOR_COND,     0, JSEXN_SYNTAXERR, "missing ; after for-loop condition")
 MSG_DEF(JSMSG_SEMI_AFTER_FOR_INIT,     0, JSEXN_SYNTAXERR, "missing ; after for-loop initializer")
 MSG_DEF(JSMSG_SEMI_BEFORE_STMNT,       0, JSEXN_SYNTAXERR, "missing ; before statement")
--- a/js/src/vm/Xdr.h
+++ b/js/src/vm/Xdr.h
@ -29,11 +29,11 @@ namespace js {
 *
 *  https://developer.mozilla.org/en-US/docs/SpiderMonkey/Internals/Bytecode
 */
-static const uint32_t XDR_BYTECODE_VERSION_SUBTRAHEND = 319;
+static const uint32_t XDR_BYTECODE_VERSION_SUBTRAHEND = 320;
 static const uint32_t XDR_BYTECODE_VERSION =
    uint32_t(0xb973c0de - XDR_BYTECODE_VERSION_SUBTRAHEND);
-static_assert(JSErr_Limit == 420,
+static_assert(JSErr_Limit == 421,
              "GREETINGS, POTENTIAL SUBTRAHEND INCREMENTER! If you added or "
              "removed MSG_DEFs from js.msg, you should increment "
              "XDR_BYTECODE_VERSION_SUBTRAHEND and update this assertion's "