| /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- |
| * vim: set ts=8 sts=4 et sw=4 tw=99: |
| * This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| #ifndef jswrapper_h |
| #define jswrapper_h |
| |
| #include "mozilla/Attributes.h" |
| |
| #include "jsapi.h" |
| #include "jsproxy.h" |
| |
| namespace js { |
| |
| class DummyFrameGuard; |
| |
| /* |
| * A wrapper is a proxy with a target object to which it generally forwards |
| * operations, but may restrict access to certain operations or instrument |
| * the trap operations in various ways. A wrapper is distinct from a Direct Proxy |
| * Handler in the sense that it can be "unwrapped" in C++, exposing the underlying |
| * object (Direct Proxy Handlers have an underlying target object, but don't |
| * expect to expose this object via any kind of unwrapping operation). Callers |
| * should be careful to avoid unwrapping security wrappers in the wrong context. |
| */ |
| class JS_FRIEND_API(Wrapper) : public DirectProxyHandler |
| { |
| unsigned mFlags; |
| bool mSafeToUnwrap; |
| |
| public: |
| using BaseProxyHandler::Action; |
| |
| enum Flags { |
| CROSS_COMPARTMENT = 1 << 0, |
| LAST_USED_FLAG = CROSS_COMPARTMENT |
| }; |
| |
| /* |
| * Wrappers can explicitly specify that they are unsafe to unwrap from a |
| * security perspective (as is the case for SecurityWrappers). If a wrapper |
| * is not safe to unwrap, operations requiring full access to the underlying |
| * object (via CheckedUnwrap) will throw. Otherwise, they will succeed. |
| */ |
| void setSafeToUnwrap(bool safe) { mSafeToUnwrap = safe; } |
| bool isSafeToUnwrap() { return mSafeToUnwrap; } |
| |
| static JSObject *New(JSContext *cx, JSObject *obj, JSObject *proto, |
| JSObject *parent, Wrapper *handler); |
| |
| static JSObject *Renew(JSContext *cx, JSObject *existing, JSObject *obj, Wrapper *handler); |
| |
| static Wrapper *wrapperHandler(JSObject *wrapper); |
| |
| static JSObject *wrappedObject(JSObject *wrapper); |
| |
| unsigned flags() const { |
| return mFlags; |
| } |
| |
| explicit Wrapper(unsigned flags, bool hasPrototype = false); |
| |
| virtual ~Wrapper(); |
| |
| static Wrapper singleton; |
| static Wrapper singletonWithPrototype; |
| |
| static void *getWrapperFamily(); |
| }; |
| |
| /* Base class for all cross compartment wrapper handlers. */ |
| class JS_FRIEND_API(CrossCompartmentWrapper) : public Wrapper |
| { |
| public: |
| CrossCompartmentWrapper(unsigned flags, bool hasPrototype = false); |
| |
| virtual ~CrossCompartmentWrapper(); |
| |
| virtual bool finalizeInBackground(Value priv) MOZ_OVERRIDE; |
| |
| /* ES5 Harmony fundamental wrapper traps. */ |
| virtual bool preventExtensions(JSContext *cx, HandleObject wrapper) MOZ_OVERRIDE; |
| virtual bool getPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE; |
| virtual bool getOwnPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE; |
| virtual bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc) MOZ_OVERRIDE; |
| virtual bool getOwnPropertyNames(JSContext *cx, HandleObject wrapper, |
| AutoIdVector &props) MOZ_OVERRIDE; |
| virtual bool delete_(JSContext *cx, HandleObject wrapper, HandleId id, bool *bp) MOZ_OVERRIDE; |
| virtual bool enumerate(JSContext *cx, HandleObject wrapper, AutoIdVector &props) MOZ_OVERRIDE; |
| |
| /* ES5 Harmony derived wrapper traps. */ |
| virtual bool has(JSContext *cx, HandleObject wrapper, HandleId id, bool *bp) MOZ_OVERRIDE; |
| virtual bool hasOwn(JSContext *cx, HandleObject wrapper, HandleId id, bool *bp) MOZ_OVERRIDE; |
| virtual bool get(JSContext *cx, HandleObject wrapper, HandleObject receiver, |
| HandleId id, MutableHandleValue vp) MOZ_OVERRIDE; |
| virtual bool set(JSContext *cx, HandleObject wrapper, HandleObject receiver, |
| HandleId id, bool strict, MutableHandleValue vp) MOZ_OVERRIDE; |
| virtual bool keys(JSContext *cx, HandleObject wrapper, AutoIdVector &props) MOZ_OVERRIDE; |
| virtual bool iterate(JSContext *cx, HandleObject wrapper, unsigned flags, |
| MutableHandleValue vp) MOZ_OVERRIDE; |
| |
| /* Spidermonkey extensions. */ |
| virtual bool isExtensible(JSObject *proxy) MOZ_OVERRIDE; |
| virtual bool call(JSContext *cx, HandleObject wrapper, const CallArgs &args) MOZ_OVERRIDE; |
| virtual bool construct(JSContext *cx, HandleObject wrapper, const CallArgs &args) MOZ_OVERRIDE; |
| virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl, |
| CallArgs args) MOZ_OVERRIDE; |
| virtual bool hasInstance(JSContext *cx, HandleObject wrapper, MutableHandleValue v, |
| bool *bp) MOZ_OVERRIDE; |
| virtual const char *className(JSContext *cx, HandleObject proxy) MOZ_OVERRIDE; |
| virtual JSString *fun_toString(JSContext *cx, HandleObject wrapper, |
| unsigned indent) MOZ_OVERRIDE; |
| virtual bool regexp_toShared(JSContext *cx, HandleObject proxy, RegExpGuard *g) MOZ_OVERRIDE; |
| virtual bool defaultValue(JSContext *cx, HandleObject wrapper, JSType hint, |
| MutableHandleValue vp) MOZ_OVERRIDE; |
| virtual bool getPrototypeOf(JSContext *cx, HandleObject proxy, MutableHandleObject protop); |
| |
| static CrossCompartmentWrapper singleton; |
| static CrossCompartmentWrapper singletonWithPrototype; |
| }; |
| |
| /* |
| * Base class for security wrappers. A security wrapper is potentially hiding |
| * all or part of some wrapped object thus SecurityWrapper defaults to denying |
| * access to the wrappee. This is the opposite of Wrapper which tries to be |
| * completely transparent. |
| * |
| * NB: Currently, only a few ProxyHandler operations are overridden to deny |
| * access, relying on derived SecurityWrapper to block access when necessary. |
| */ |
| template <class Base> |
| class JS_FRIEND_API(SecurityWrapper) : public Base |
| { |
| public: |
| SecurityWrapper(unsigned flags); |
| |
| virtual bool isExtensible(JSObject *wrapper) MOZ_OVERRIDE; |
| virtual bool preventExtensions(JSContext *cx, HandleObject wrapper) MOZ_OVERRIDE; |
| virtual bool enter(JSContext *cx, HandleObject wrapper, HandleId id, Wrapper::Action act, |
| bool *bp) MOZ_OVERRIDE; |
| virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl, |
| CallArgs args) MOZ_OVERRIDE; |
| virtual bool defaultValue(JSContext *cx, HandleObject wrapper, JSType hint, |
| MutableHandleValue vp) MOZ_OVERRIDE; |
| virtual bool objectClassIs(HandleObject obj, ESClassValue classValue, |
| JSContext *cx) MOZ_OVERRIDE; |
| virtual bool regexp_toShared(JSContext *cx, HandleObject proxy, RegExpGuard *g) MOZ_OVERRIDE; |
| virtual bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc) MOZ_OVERRIDE; |
| |
| /* |
| * Allow our subclasses to select the superclass behavior they want without |
| * needing to specify an exact superclass. |
| */ |
| typedef Base Permissive; |
| typedef SecurityWrapper<Base> Restrictive; |
| }; |
| |
| typedef SecurityWrapper<Wrapper> SameCompartmentSecurityWrapper; |
| typedef SecurityWrapper<CrossCompartmentWrapper> CrossCompartmentSecurityWrapper; |
| |
| class JS_FRIEND_API(DeadObjectProxy) : public BaseProxyHandler |
| { |
| public: |
| static int sDeadObjectFamily; |
| |
| explicit DeadObjectProxy(); |
| |
| /* ES5 Harmony fundamental wrapper traps. */ |
| virtual bool preventExtensions(JSContext *cx, HandleObject proxy) MOZ_OVERRIDE; |
| virtual bool getPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE; |
| virtual bool getOwnPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE; |
| virtual bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id, |
| PropertyDescriptor *desc) MOZ_OVERRIDE; |
| virtual bool getOwnPropertyNames(JSContext *cx, HandleObject wrapper, |
| AutoIdVector &props) MOZ_OVERRIDE; |
| virtual bool delete_(JSContext *cx, HandleObject wrapper, HandleId id, bool *bp) MOZ_OVERRIDE; |
| virtual bool enumerate(JSContext *cx, HandleObject wrapper, AutoIdVector &props) MOZ_OVERRIDE; |
| |
| /* Spidermonkey extensions. */ |
| virtual bool isExtensible(JSObject *proxy) MOZ_OVERRIDE; |
| virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE; |
| virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE; |
| virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl, |
| CallArgs args) MOZ_OVERRIDE; |
| virtual bool hasInstance(JSContext *cx, HandleObject proxy, MutableHandleValue v, |
| bool *bp) MOZ_OVERRIDE; |
| virtual bool objectClassIs(HandleObject obj, ESClassValue classValue, |
| JSContext *cx) MOZ_OVERRIDE; |
| virtual const char *className(JSContext *cx, HandleObject proxy) MOZ_OVERRIDE; |
| virtual JSString *fun_toString(JSContext *cx, HandleObject proxy, unsigned indent) MOZ_OVERRIDE; |
| virtual bool regexp_toShared(JSContext *cx, HandleObject proxy, RegExpGuard *g) MOZ_OVERRIDE; |
| virtual bool defaultValue(JSContext *cx, HandleObject obj, JSType hint, |
| MutableHandleValue vp) MOZ_OVERRIDE; |
| virtual bool getElementIfPresent(JSContext *cx, HandleObject obj, HandleObject receiver, |
| uint32_t index, MutableHandleValue vp, |
| bool *present) MOZ_OVERRIDE; |
| virtual bool getPrototypeOf(JSContext *cx, HandleObject proxy, |
| MutableHandleObject protop) MOZ_OVERRIDE; |
| |
| static DeadObjectProxy singleton; |
| }; |
| |
| extern JSObject * |
| TransparentObjectWrapper(JSContext *cx, HandleObject existing, HandleObject obj, |
| HandleObject wrappedProto, HandleObject parent, |
| unsigned flags); |
| |
| // Proxy family for wrappers. Public so that IsWrapper() can be fully inlined by |
| // jsfriendapi users. |
| extern JS_FRIEND_DATA(int) sWrapperFamily; |
| |
| inline bool |
| IsWrapper(JSObject *obj) |
| { |
| return IsProxy(obj) && GetProxyHandler(obj)->family() == &sWrapperFamily; |
| } |
| |
| // Given a JSObject, returns that object stripped of wrappers. If |
| // stopAtOuter is true, then this returns the outer window if it was |
| // previously wrapped. Otherwise, this returns the first object for |
| // which JSObject::isWrapper returns false. |
| JS_FRIEND_API(JSObject *) |
| UncheckedUnwrap(JSObject *obj, bool stopAtOuter = true, unsigned *flagsp = NULL); |
| |
| // Given a JSObject, returns that object stripped of wrappers. At each stage, |
| // the security wrapper has the opportunity to veto the unwrap. Since checked |
| // code should never be unwrapping outer window wrappers, we always stop at |
| // outer windows. |
| JS_FRIEND_API(JSObject *) |
| CheckedUnwrap(JSObject *obj, bool stopAtOuter = true); |
| |
| // Unwrap only the outermost security wrapper, with the same semantics as |
| // above. This is the checked version of Wrapper::wrappedObject. |
| JS_FRIEND_API(JSObject *) |
| UnwrapOneChecked(JSObject *obj, bool stopAtOuter = true); |
| |
| JS_FRIEND_API(bool) |
| IsCrossCompartmentWrapper(JSObject *obj); |
| |
| bool |
| IsDeadProxyObject(JSObject *obj); |
| |
| JSObject * |
| NewDeadProxyObject(JSContext *cx, JSObject *parent); |
| |
| void |
| NukeCrossCompartmentWrapper(JSContext *cx, JSObject *wrapper); |
| |
| bool |
| RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget); |
| |
| JS_FRIEND_API(bool) |
| RemapAllWrappersForObject(JSContext *cx, JSObject *oldTarget, |
| JSObject *newTarget); |
| |
| // API to recompute all cross-compartment wrappers whose source and target |
| // match the given filters. |
| JS_FRIEND_API(bool) |
| RecomputeWrappers(JSContext *cx, const CompartmentFilter &sourceFilter, |
| const CompartmentFilter &targetFilter); |
| |
| /* |
| * This auto class should be used around any code, such as brain transplants, |
| * that may touch dead zones. Brain transplants can cause problems |
| * because they operate on all compartments, whether live or dead. A brain |
| * transplant can cause a formerly dead object to be "reanimated" by causing a |
| * read or write barrier to be invoked on it during the transplant. In this way, |
| * a zone becomes a zombie, kept alive by repeatedly consuming |
| * (transplanted) brains. |
| * |
| * To work around this issue, we observe when mark bits are set on objects in |
| * dead zones. If this happens during a brain transplant, we do a full, |
| * non-incremental GC at the end of the brain transplant. This will clean up any |
| * objects that were improperly marked. |
| */ |
| struct JS_FRIEND_API(AutoMaybeTouchDeadZones) |
| { |
| // The version that takes an object just uses it for its runtime. |
| AutoMaybeTouchDeadZones(JSContext *cx); |
| AutoMaybeTouchDeadZones(JSObject *obj); |
| ~AutoMaybeTouchDeadZones(); |
| |
| private: |
| JSRuntime *runtime; |
| unsigned markCount; |
| bool inIncremental; |
| bool manipulatingDeadZones; |
| }; |
| |
| } /* namespace js */ |
| |
| #endif /* jswrapper_h */ |