1/*
2 * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
3 * Copyright (C) 2002-2018 Apple Inc. All rights reserved.
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Library General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Library General Public License for more details.
14 *
15 * You should have received a copy of the GNU Library General Public License
16 * along with this library; see the file COPYING.LIB. If not, write to
17 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 * Boston, MA 02110-1301, USA.
19 *
20 */
21
22#pragma once
23
24#include "CallFrame.h"
25#include "ExceptionHelpers.h"
26#include "JSBigInt.h"
27#include "JSCJSValueInlines.h"
28#include <wtf/Variant.h>
29
30namespace JSC {
31
32#define InvalidPrototypeChain (std::numeric_limits<size_t>::max())
33
34NEVER_INLINE JSValue jsAddSlowCase(CallFrame*, JSValue, JSValue);
35JSValue jsTypeStringForValue(CallFrame*, JSValue);
36JSValue jsTypeStringForValue(VM&, JSGlobalObject*, JSValue);
37bool jsIsObjectTypeOrNull(CallFrame*, JSValue);
38size_t normalizePrototypeChain(CallFrame*, JSCell*, bool& sawPolyProto);
39
ALWAYS_INLINE JSString* jsString(ExecState* exec, const String& u1, JSString* s2)
{
    // Concatenates a WTF String with a JSString. An empty side returns the
    // other side unchanged (u1 wrapped in a fresh JSString). Throws
    // OutOfMemoryError and returns nullptr when the combined length would
    // exceed JSString::MaxLength or a flat buffer cannot be allocated.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = u1.length();
    if (!leftLength)
        return s2;
    const unsigned rightLength = s2->length();
    if (!rightLength)
        return jsString(&vm, u1);

    // MaxLength is pinned to int32 max, so a checked int32 sum is the
    // length guard that keeps every created string within bounds.
    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    // Choose a rope when s2 already is one, or when a flat copy (StringImpl
    // header plus both payloads) would cost at least as much as a
    // JSRopeString node. u1's own JSString is not counted on the rope side
    // because its StringImpl may be shared; 16-bit strings are not treated
    // specially since they are comparatively rare.
    const size_t flatCost = StringImpl::headerSize<LChar>() + leftLength + rightLength;
    if (s2->isRope() || flatCost >= sizeof(JSRopeString))
        return JSRopeString::create(vm, jsString(&vm, u1), s2);

    ASSERT(!s2->isRope());
    const String& u2 = s2->value(exec);
    // s2 is flat, so resolving its value is not expected to have thrown.
    scope.assertNoException();
    String joined = tryMakeString(u1, u2);
    if (!joined) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }
    return JSString::create(vm, joined.releaseImpl().releaseNonNull());
}
75
ALWAYS_INLINE JSString* jsString(ExecState* exec, JSString* s1, const String& u2)
{
    // Mirror of the (String, JSString*) overload with the operands swapped.
    // An empty side returns the other side unchanged; a result that would
    // exceed JSString::MaxLength, or a failed flat allocation, throws
    // OutOfMemoryError and returns nullptr.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = s1->length();
    if (!leftLength)
        return jsString(&vm, u2);
    const unsigned rightLength = u2.length();
    if (!rightLength)
        return s1;

    // MaxLength equals int32 max, so a checked int32 sum bounds the result.
    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    // Rope when s1 already is one, or when a flat copy (StringImpl header
    // plus both payloads) would cost at least as much as a JSRopeString node.
    const size_t flatCost = StringImpl::headerSize<LChar>() + leftLength + rightLength;
    if (s1->isRope() || flatCost >= sizeof(JSRopeString))
        return JSRopeString::create(vm, s1, jsString(&vm, u2));

    ASSERT(!s1->isRope());
    const String& u1 = s1->value(exec);
    // s1 is flat, so resolving its value is not expected to have thrown.
    scope.assertNoException();
    String joined = tryMakeString(u1, u2);
    if (!joined) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }
    return JSString::create(vm, joined.releaseImpl().releaseNonNull());
}
108
ALWAYS_INLINE JSString* jsString(ExecState* exec, JSString* s1, JSString* s2)
{
    // Concatenates two JSStrings as a rope; nothing is flattened here. An
    // empty operand short-circuits to the other one. Throws OutOfMemoryError
    // and returns nullptr when the combined length would exceed
    // JSString::MaxLength.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = s1->length();
    const unsigned rightLength = s2->length();
    if (!leftLength)
        return s2;
    if (!rightLength)
        return s1;

    // MaxLength is int32 max, so a checked int32 sum is the length guard.
    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    return JSRopeString::create(vm, s1, s2);
}
128
ALWAYS_INLINE JSString* jsString(ExecState* exec, JSString* s1, JSString* s2, JSString* s3)
{
    // Three-way rope concatenation. An empty operand reduces to the
    // two-string overload, which carries its own overflow check (hence
    // RELEASE_AND_RETURN). Otherwise all three lengths are summed with int32
    // overflow detection; overflow throws OutOfMemoryError and returns nullptr.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = s1->length();
    if (!leftLength)
        RELEASE_AND_RETURN(scope, jsString(exec, s2, s3));

    const unsigned middleLength = s2->length();
    if (!middleLength)
        RELEASE_AND_RETURN(scope, jsString(exec, s1, s3));

    const unsigned rightLength = s3->length();
    if (!rightLength)
        RELEASE_AND_RETURN(scope, jsString(exec, s1, s2));

    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, middleLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    return JSRopeString::create(vm, s1, s2, s3);
}
154
ALWAYS_INLINE JSString* jsString(ExecState* exec, const String& u1, const String& u2)
{
    // Concatenates two WTF Strings into a JSString. An empty side yields the
    // other side wrapped in a fresh JSString. Throws OutOfMemoryError and
    // returns nullptr when the result would exceed JSString::MaxLength or a
    // flat buffer cannot be allocated.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = u1.length();
    const unsigned rightLength = u2.length();
    if (!leftLength)
        return jsString(&vm, u2);
    if (!rightLength)
        return jsString(&vm, u1);

    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    // Flat cost: StringImpl header plus both payloads. Rope cost: a
    // JSRopeString plus one JSString wrapper (the rope needs a JSString per
    // input, the flat result needs one too, so one wrapper is the net extra).
    const size_t flatCost = StringImpl::headerSize<LChar>() + leftLength + rightLength;
    const size_t ropeCost = sizeof(JSRopeString) + sizeof(JSString);
    if (flatCost >= ropeCost)
        return JSRopeString::create(vm, jsString(&vm, u1), jsString(&vm, u2));

    String joined = tryMakeString(u1, u2);
    if (!joined) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }
    return JSString::create(vm, joined.releaseImpl().releaseNonNull());
}
184
ALWAYS_INLINE JSString* jsString(ExecState* exec, const String& u1, const String& u2, const String& u3)
{
    // Concatenates three WTF Strings. An empty operand reduces to the
    // two-string overload (RELEASE_AND_RETURN because that overload may throw
    // itself). The three lengths are summed with int32 overflow detection;
    // overflow or a failed flat allocation throws OutOfMemoryError and
    // returns nullptr.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    const unsigned leftLength = u1.length();
    const unsigned middleLength = u2.length();
    const unsigned rightLength = u3.length();
    ASSERT(leftLength <= JSString::MaxLength);
    ASSERT(middleLength <= JSString::MaxLength);
    ASSERT(rightLength <= JSString::MaxLength);

    if (!leftLength)
        RELEASE_AND_RETURN(scope, jsString(exec, u2, u3));
    if (!middleLength)
        RELEASE_AND_RETURN(scope, jsString(exec, u1, u3));
    if (!rightLength)
        RELEASE_AND_RETURN(scope, jsString(exec, u1, u2));

    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
    if (sumOverflows<int32_t>(leftLength, middleLength, rightLength)) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }

    // Flat cost: StringImpl header plus all three payloads. Rope cost: a
    // JSRopeString plus two JSString wrappers net of the one the flat result
    // would need anyway.
    const size_t flatCost = StringImpl::headerSize<LChar>() + leftLength + middleLength + rightLength;
    const size_t ropeCost = sizeof(JSRopeString) + sizeof(JSString) * 2;
    if (flatCost >= ropeCost)
        return JSRopeString::create(vm, jsString(&vm, u1), jsString(&vm, u2), jsString(&vm, u3));

    String joined = tryMakeString(u1, u2, u3);
    if (!joined) {
        throwOutOfMemoryError(exec, scope);
        return nullptr;
    }
    return JSString::create(vm, joined.releaseImpl().releaseNonNull());
}
224
ALWAYS_INLINE JSValue jsStringFromRegisterArray(ExecState* exec, Register* strings, unsigned count)
{
    // Builds one rope from `count` registers, walking downward from `strings`.
    // Every value is converted with toString(), which may throw, so the
    // exception state is checked after each conversion. RopeBuilder::append()
    // returns false once the accumulated length would overflow; that is
    // surfaced to the caller as an OutOfMemoryError.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);
    JSRopeString::RopeBuilder<RecordOverflow> builder(vm);

    for (unsigned index = 0; index < count; ++index) {
        JSValue value = strings[-static_cast<int>(index)].jsValue();
        JSString* piece = value.toString(exec);
        RETURN_IF_EXCEPTION(scope, { });
        if (!builder.append(piece))
            return throwOutOfMemoryError(exec, scope);
    }

    return builder.release();
}
241
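ALWAYS_INLINE JSValue jsStringFromArguments(ExecState* exec, JSValue thisValue)
{
    // Builds one rope from `thisValue` followed by every call argument. Each
    // toString() may throw, so the exception state is checked after every
    // conversion; an append that would overflow the rope length is reported
    // as an OutOfMemoryError.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);
    JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);

    JSString* receiverString = thisValue.toString(exec);
    RETURN_IF_EXCEPTION(scope, { });
    // The original code ignored this append's result while the loop below
    // checks it. A lone JSString cannot overflow the builder in practice, but
    // an unreported overflow here would reach release() with the builder in
    // its overflowed state, which the loop is careful never to allow.
    if (UNLIKELY(!ropeBuilder.append(receiverString)))
        return throwOutOfMemoryError(exec, scope);

    for (unsigned i = 0; i < exec->argumentCount(); ++i) {
        // Distinct name from receiverString: the original shadowed `str`.
        JSString* argumentString = exec->argument(i).toString(exec);
        RETURN_IF_EXCEPTION(scope, { });
        if (UNLIKELY(!ropeBuilder.append(argumentString)))
            return throwOutOfMemoryError(exec, scope);
    }

    return ropeBuilder.release();
}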
261
ALWAYS_INLINE bool bigIntCompareResult(JSBigInt::ComparisonResult comparisonResult, JSBigInt::ComparisonMode comparisonMode)
{
    // Maps a three-way comparison result onto the boolean the caller asked
    // for. This helper only handles the LessThan and LessThanOrEqual modes;
    // callers obtain '>' and '>=' by reversing the operands.
    using Result = JSBigInt::ComparisonResult;
    const bool isLess = comparisonResult == Result::LessThan;
    if (comparisonMode == JSBigInt::ComparisonMode::LessThan)
        return isLess;

    ASSERT(comparisonMode == JSBigInt::ComparisonMode::LessThanOrEqual);
    return isLess || comparisonResult == Result::Equal;
}
270
ALWAYS_INLINE bool bigIntCompare(CallFrame* callFrame, JSValue v1, JSValue v2, JSBigInt::ComparisonMode comparisonMode)
{
    // Relational comparison where at least one operand is a BigInt and both
    // are already primitives. The non-BigInt side is coerced: a string is
    // parsed as a BigInt (a string that does not parse makes the comparison
    // false), anything else goes through toNumber(). Both coercions may
    // throw, in which case false is returned and the exception is left
    // pending for the caller.
    ASSERT(v1.isBigInt() || v2.isBigInt());
    ASSERT(v1.isPrimitive() && v2.isPrimitive());

    VM& vm = callFrame->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    using Result = JSBigInt::ComparisonResult;

    if (v1.isBigInt() && v2.isBigInt())
        return bigIntCompareResult(JSBigInt::compare(asBigInt(v1), asBigInt(v2)), comparisonMode);

    if (v1.isBigInt()) {
        // v1 is the BigInt; v2 is the side to coerce.
        JSValue right = v2;
        if (right.isString()) {
            JSBigInt* parsed = JSBigInt::stringToBigInt(callFrame, asString(right)->value(callFrame));
            RETURN_IF_EXCEPTION(scope, false);
            if (!parsed)
                return false;

            return bigIntCompareResult(JSBigInt::compare(asBigInt(v1), parsed), comparisonMode);
        }

        if (right.isBigInt())
            return bigIntCompareResult(JSBigInt::compare(asBigInt(v1), asBigInt(right)), comparisonMode);

        double rightNumber = right.toNumber(callFrame);
        RETURN_IF_EXCEPTION(scope, false);
        return bigIntCompareResult(JSBigInt::compareToDouble(asBigInt(v1), rightNumber), comparisonMode);
    }

    // v2 is the BigInt; v1 is the side to coerce.
    JSValue left = v1;
    if (left.isString()) {
        JSBigInt* parsed = JSBigInt::stringToBigInt(callFrame, asString(left)->value(callFrame));
        RETURN_IF_EXCEPTION(scope, false);
        if (!parsed)
            return false;

        return bigIntCompareResult(JSBigInt::compare(parsed, asBigInt(v2)), comparisonMode);
    }

    if (left.isBigInt())
        return bigIntCompareResult(JSBigInt::compare(asBigInt(left), asBigInt(v2)), comparisonMode);

    double leftNumber = left.toNumber(callFrame);
    RETURN_IF_EXCEPTION(scope, false);

    // compareToDouble() takes the BigInt as its first operand, so this
    // evaluates "v2 <op> v1" and the result is read inverted: v1 < v2 holds
    // exactly when v2 compares GreaterThan the double.
    const Result inverted = JSBigInt::compareToDouble(asBigInt(v2), leftNumber);
    if (comparisonMode == JSBigInt::ComparisonMode::LessThan)
        return inverted == Result::GreaterThan;

    return inverted == Result::GreaterThan || inverted == Result::Equal;
}
324
ALWAYS_INLINE bool toPrimitiveNumeric(CallFrame* callFrame, JSValue v, JSValue& p, double& n)
{
    // Converts v to a primitive (hint Number) into p. When p is a BigInt, n is
    // left untouched and true is returned. Otherwise n receives ToNumber(p)
    // and the return value reports whether p was *not* a string. Either
    // conversion may throw; then false is returned with the exception
    // pending, so callers must check the exception state.
    VM& vm = callFrame->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    p = v.toPrimitive(callFrame, PreferNumber);
    RETURN_IF_EXCEPTION(scope, false);
    if (p.isBigInt())
        return true;

    n = p.toNumber(callFrame);
    RETURN_IF_EXCEPTION(scope, false);
    const bool wasString = p.isString();
    return !wasString;
}
339
340// See ES5 11.8.1/11.8.2/11.8.5 for definition of leftFirst, this value ensures correct
341// evaluation ordering for argument conversions for '<' and '>'. For '<' pass true for
342// leftFirst; for '>' pass false (and reverse operand order).
template<bool leftFirst>
ALWAYS_INLINE bool jsLess(CallFrame* callFrame, JSValue v1, JSValue v2)
{
    // Abstract relational comparison v1 < v2. Returns false (with the
    // exception pending) if any conversion throws.
    VM& vm = callFrame->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    // Fast paths: both int32, both number, both string (code point order).
    if (v1.isInt32() && v2.isInt32())
        return v1.asInt32() < v2.asInt32();

    if (v1.isNumber() && v2.isNumber())
        return v1.asNumber() < v2.asNumber();

    if (isJSString(v1) && isJSString(v2))
        return codePointCompareLessThan(asString(v1)->value(callFrame), asString(v2)->value(callFrame));

    // Slow path: ToPrimitive both sides in the order leftFirst prescribes.
    // The order matters because each conversion may throw and is observable.
    double number1;
    double number2;
    JSValue primitive1;
    JSValue primitive2;
    bool leftIsNonString;
    bool rightIsNonString;
    if (leftFirst) {
        leftIsNonString = toPrimitiveNumeric(callFrame, v1, primitive1, number1);
        RETURN_IF_EXCEPTION(scope, false);
        rightIsNonString = toPrimitiveNumeric(callFrame, v2, primitive2, number2);
    } else {
        rightIsNonString = toPrimitiveNumeric(callFrame, v2, primitive2, number2);
        RETURN_IF_EXCEPTION(scope, false);
        leftIsNonString = toPrimitiveNumeric(callFrame, v1, primitive1, number1);
    }
    RETURN_IF_EXCEPTION(scope, false);

    // At least one non-string side means a numeric comparison (BigInt aware
    // when either primitive is a BigInt); two strings compare by code point.
    if (leftIsNonString | rightIsNonString) {
        if (primitive1.isBigInt() || primitive2.isBigInt())
            RELEASE_AND_RETURN(scope, bigIntCompare(callFrame, primitive1, primitive2, JSBigInt::ComparisonMode::LessThan));

        return number1 < number2;
    }

    return codePointCompareLessThan(asString(primitive1)->value(callFrame), asString(primitive2)->value(callFrame));
}
384
385// See ES5 11.8.3/11.8.4/11.8.5 for definition of leftFirst, this value ensures correct
386// evaluation ordering for argument conversions for '<=' and '>='. For '<=' pass true
387// for leftFirst; for '>=' pass false (and reverse operand order).
template<bool leftFirst>
ALWAYS_INLINE bool jsLessEq(CallFrame* callFrame, JSValue v1, JSValue v2)
{
    // Abstract relational comparison v1 <= v2. Returns false (with the
    // exception pending) if any conversion throws.
    VM& vm = callFrame->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    // Fast paths: both int32, both number, both string. For strings,
    // a <= b is computed as !(b < a) in code point order.
    if (v1.isInt32() && v2.isInt32())
        return v1.asInt32() <= v2.asInt32();

    if (v1.isNumber() && v2.isNumber())
        return v1.asNumber() <= v2.asNumber();

    if (isJSString(v1) && isJSString(v2))
        return !codePointCompareLessThan(asString(v2)->value(callFrame), asString(v1)->value(callFrame));

    // Slow path: ToPrimitive both sides in the order leftFirst prescribes;
    // the order is observable because each conversion may throw.
    double number1;
    double number2;
    JSValue primitive1;
    JSValue primitive2;
    bool leftIsNonString;
    bool rightIsNonString;
    if (leftFirst) {
        leftIsNonString = toPrimitiveNumeric(callFrame, v1, primitive1, number1);
        RETURN_IF_EXCEPTION(scope, false);
        rightIsNonString = toPrimitiveNumeric(callFrame, v2, primitive2, number2);
    } else {
        rightIsNonString = toPrimitiveNumeric(callFrame, v2, primitive2, number2);
        RETURN_IF_EXCEPTION(scope, false);
        leftIsNonString = toPrimitiveNumeric(callFrame, v1, primitive1, number1);
    }
    RETURN_IF_EXCEPTION(scope, false);

    // At least one non-string side means a numeric comparison (BigInt aware
    // when either primitive is a BigInt); two strings use !(b < a).
    if (leftIsNonString | rightIsNonString) {
        if (primitive1.isBigInt() || primitive2.isBigInt())
            RELEASE_AND_RETURN(scope, bigIntCompare(callFrame, primitive1, primitive2, JSBigInt::ComparisonMode::LessThanOrEqual));

        return number1 <= number2;
    }
    return !codePointCompareLessThan(asString(primitive2)->value(callFrame), asString(primitive1)->value(callFrame));
}
428
429// Fast-path choices here are based on frequency data from SunSpider:
430// <times> Add case: <t1> <t2>
431// ---------------------------
432// 5626160 Add case: 3 3 (of these, 3637690 are for immediate values)
433// 247412 Add case: 5 5
434// 20900 Add case: 5 6
435// 13962 Add case: 5 3
436// 4000 Add case: 3 5
437
438
ALWAYS_INLINE JSValue jsAddNonNumber(CallFrame* callFrame, JSValue v1, JSValue v2)
{
    // '+' when at least one operand is not a number. The case handled inline
    // is string + non-object: the right side is stringified (which may throw)
    // and concatenated. Every other combination goes to jsAddSlowCase.
    VM& vm = callFrame->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);
    ASSERT(!v1.isNumber() || !v2.isNumber());

    const bool stringPlusNonObject = v1.isString() && !v2.isObject();
    if (LIKELY(stringPlusNonObject)) {
        if (v2.isString())
            RELEASE_AND_RETURN(scope, jsString(callFrame, asString(v1), asString(v2)));
        String rightText = v2.toWTFString(callFrame);
        RETURN_IF_EXCEPTION(scope, { });
        RELEASE_AND_RETURN(scope, jsString(callFrame, asString(v1), rightText));
    }

    // Every remaining combination is comparatively rare.
    RELEASE_AND_RETURN(scope, jsAddSlowCase(callFrame, v1, v2));
}
456
ALWAYS_INLINE JSValue jsAdd(CallFrame* callFrame, JSValue v1, JSValue v2)
{
    // '+' fast path: two numbers add directly and need no exception scope;
    // anything else is delegated to jsAddNonNumber, which may throw.
    const bool bothNumbers = v1.isNumber() && v2.isNumber();
    if (!bothNumbers)
        return jsAddNonNumber(callFrame, v1, v2);

    return jsNumber(v1.asNumber() + v2.asNumber());
}
464
ALWAYS_INLINE JSValue jsSub(ExecState* exec, JSValue v1, JSValue v2)
{
    // '-' operator. Both operands go through ToNumeric (which may throw).
    // Two BigInts subtract as BigInts, a BigInt mixed with anything else is
    // a TypeError, and two numbers subtract as doubles.
    VM& vm = exec->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    auto left = v1.toNumeric(exec);
    RETURN_IF_EXCEPTION(scope, { });
    auto right = v2.toNumeric(exec);
    RETURN_IF_EXCEPTION(scope, { });

    const bool leftIsBigInt = WTF::holds_alternative<JSBigInt*>(left);
    const bool rightIsBigInt = WTF::holds_alternative<JSBigInt*>(right);
    if (leftIsBigInt && rightIsBigInt) {
        scope.release();
        return JSBigInt::sub(exec, WTF::get<JSBigInt*>(left), WTF::get<JSBigInt*>(right));
    }
    if (leftIsBigInt || rightIsBigInt)
        return throwTypeError(exec, scope, "Invalid mix of BigInt and other type in subtraction."_s);

    return jsNumber(WTF::get<double>(left) - WTF::get<double>(right));
}
486
ALWAYS_INLINE JSValue jsMul(ExecState* state, JSValue v1, JSValue v2)
{
    // '*' operator. Both operands go through ToNumeric (which may throw).
    // Two BigInts multiply as BigInts, a BigInt mixed with anything else is
    // a TypeError, and two numbers multiply as doubles.
    VM& vm = state->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    auto left = v1.toNumeric(state);
    RETURN_IF_EXCEPTION(scope, { });
    auto right = v2.toNumeric(state);
    RETURN_IF_EXCEPTION(scope, { });

    const bool leftIsBigInt = WTF::holds_alternative<JSBigInt*>(left);
    const bool rightIsBigInt = WTF::holds_alternative<JSBigInt*>(right);
    if (leftIsBigInt && rightIsBigInt) {
        scope.release();
        return JSBigInt::multiply(state, WTF::get<JSBigInt*>(left), WTF::get<JSBigInt*>(right));
    }
    if (leftIsBigInt || rightIsBigInt) {
        throwTypeError(state, scope, "Invalid mix of BigInt and other type in multiplication."_s);
        return { };
    }

    const double product = WTF::get<double>(left) * WTF::get<double>(right);
    return jsNumber(product);
}
511
inline bool scribbleFreeCells()
{
    // Freed cells are always scribbled in assertion-enabled builds; builds
    // with assertions disabled only do it when the Options flag asks for it.
    if (!ASSERT_DISABLED)
        return true;
    return Options::scribbleFreeCells();
}
516
517#define SCRIBBLE_WORD static_cast<intptr_t>(0xbadbeef0)
518
inline bool isScribbledValue(JSValue value)
{
    // True when `value` encodes exactly the pattern written by scribble(),
    // i.e. the caller is looking at a cell that was freed and scribbled.
    const auto pattern = JSValue::encode(bitwise_cast<JSCell*>(SCRIBBLE_WORD));
    return JSValue::encode(value) == pattern;
}
523
inline void scribble(void* base, size_t size)
{
    // Overwrites the first `size` bytes at `base` (rounded down to whole
    // EncodedJSValue slots) with the scribble pattern so that stale reads of
    // a freed cell are recognizable rather than silently reusing old data.
    // The pattern is 16-byte aligned so that it passes the cell check.
    auto* slots = static_cast<EncodedJSValue*>(base);
    const EncodedJSValue pattern = JSValue::encode(bitwise_cast<JSCell*>(SCRIBBLE_WORD));
    size_t remaining = size / sizeof(EncodedJSValue);
    while (remaining) {
        --remaining;
        slots[remaining] = pattern;
    }
}
531
532} // namespace JSC
533