| // Copyright 2016 the V8 project authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "src/builtins/builtins-utils.h" |
| #include "src/builtins/builtins.h" |
| #include "src/code-factory.h" |
| #include "src/code-stub-assembler.h" |
| #include "src/compiler.h" |
| #include "src/conversions.h" |
| #include "src/counters.h" |
| #include "src/lookup.h" |
| #include "src/objects-inl.h" |
| #include "src/string-builder.h" |
| |
| namespace v8 { |
| namespace internal { |
| |
| namespace { |
| |
| // ES6 section 19.2.1.1.1 CreateDynamicFunction |
| MaybeHandle<Object> CreateDynamicFunction(Isolate* isolate, |
| BuiltinArguments args, |
| const char* token) { |
| // Compute number of arguments, ignoring the receiver. |
| DCHECK_LE(1, args.length()); |
| int const argc = args.length() - 1; |
| |
| Handle<JSFunction> target = args.target(); |
| Handle<JSObject> target_global_proxy(target->global_proxy(), isolate); |
| |
| if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) { |
| isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined); |
| return isolate->factory()->undefined_value(); |
| } |
| |
| // Build the source string. |
| Handle<String> source; |
| int parameters_end_pos = kNoSourcePosition; |
| { |
| IncrementalStringBuilder builder(isolate); |
| builder.AppendCharacter('('); |
| builder.AppendCString(token); |
| if (FLAG_harmony_function_tostring) { |
| builder.AppendCString(" anonymous("); |
| } else { |
| builder.AppendCharacter('('); |
| } |
| bool parenthesis_in_arg_string = false; |
| if (argc > 1) { |
| for (int i = 1; i < argc; ++i) { |
| if (i > 1) builder.AppendCharacter(','); |
| Handle<String> param; |
| ASSIGN_RETURN_ON_EXCEPTION( |
| isolate, param, Object::ToString(isolate, args.at(i)), Object); |
| param = String::Flatten(param); |
| builder.AppendString(param); |
| if (!FLAG_harmony_function_tostring) { |
| // If the formal parameters string include ) - an illegal |
| // character - it may make the combined function expression |
| // compile. We avoid this problem by checking for this early on. |
| DisallowHeapAllocation no_gc; // Ensure vectors stay valid. |
| String::FlatContent param_content = param->GetFlatContent(); |
| for (int i = 0, length = param->length(); i < length; ++i) { |
| if (param_content.Get(i) == ')') { |
| parenthesis_in_arg_string = true; |
| break; |
| } |
| } |
| } |
| } |
| if (!FLAG_harmony_function_tostring) { |
| // If the formal parameters include an unbalanced block comment, the |
| // function must be rejected. Since JavaScript does not allow nested |
| // comments we can include a trailing block comment to catch this. |
| builder.AppendCString("\n/*``*/"); |
| } |
| } |
| if (FLAG_harmony_function_tostring) { |
| builder.AppendCharacter('\n'); |
| parameters_end_pos = builder.Length(); |
| } |
| builder.AppendCString(") {\n"); |
| if (argc > 0) { |
| Handle<String> body; |
| ASSIGN_RETURN_ON_EXCEPTION( |
| isolate, body, Object::ToString(isolate, args.at(argc)), Object); |
| builder.AppendString(body); |
| } |
| builder.AppendCString("\n})"); |
| ASSIGN_RETURN_ON_EXCEPTION(isolate, source, builder.Finish(), Object); |
| |
| // The SyntaxError must be thrown after all the (observable) ToString |
| // conversions are done. |
| if (parenthesis_in_arg_string) { |
| THROW_NEW_ERROR(isolate, |
| NewSyntaxError(MessageTemplate::kParenthesisInArgString), |
| Object); |
| } |
| } |
| |
| // Compile the string in the constructor and not a helper so that errors to |
| // come from here. |
| Handle<JSFunction> function; |
| { |
| ASSIGN_RETURN_ON_EXCEPTION( |
| isolate, function, |
| Compiler::GetFunctionFromString( |
| handle(target->native_context(), isolate), source, |
| ONLY_SINGLE_FUNCTION_LITERAL, parameters_end_pos), |
| Object); |
| Handle<Object> result; |
| ASSIGN_RETURN_ON_EXCEPTION( |
| isolate, result, |
| Execution::Call(isolate, function, target_global_proxy, 0, nullptr), |
| Object); |
| function = Handle<JSFunction>::cast(result); |
| function->shared()->set_name_should_print_as_anonymous(true); |
| } |
| |
| // If new.target is equal to target then the function created |
| // is already correctly setup and nothing else should be done |
| // here. But if new.target is not equal to target then we are |
| // have a Function builtin subclassing case and therefore the |
| // function has wrong initial map. To fix that we create a new |
| // function object with correct initial map. |
| Handle<Object> unchecked_new_target = args.new_target(); |
| if (!unchecked_new_target->IsUndefined(isolate) && |
| !unchecked_new_target.is_identical_to(target)) { |
| Handle<JSReceiver> new_target = |
| Handle<JSReceiver>::cast(unchecked_new_target); |
| Handle<Map> initial_map; |
| ASSIGN_RETURN_ON_EXCEPTION( |
| isolate, initial_map, |
| JSFunction::GetDerivedMap(isolate, target, new_target), Object); |
| |
| Handle<SharedFunctionInfo> shared_info(function->shared(), isolate); |
| Handle<Map> map = Map::AsLanguageMode( |
| initial_map, shared_info->language_mode(), shared_info->kind()); |
| |
| Handle<Context> context(function->context(), isolate); |
| function = isolate->factory()->NewFunctionFromSharedFunctionInfo( |
| map, shared_info, context, NOT_TENURED); |
| } |
| return function; |
| } |
| |
| } // namespace |
| |
| // ES6 section 19.2.1.1 Function ( p1, p2, ... , pn, body ) |
| BUILTIN(FunctionConstructor) { |
| HandleScope scope(isolate); |
| Handle<Object> result; |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, result, CreateDynamicFunction(isolate, args, "function")); |
| return *result; |
| } |
| |
| // ES6 section 25.2.1.1 GeneratorFunction (p1, p2, ... , pn, body) |
| BUILTIN(GeneratorFunctionConstructor) { |
| HandleScope scope(isolate); |
| RETURN_RESULT_OR_FAILURE(isolate, |
| CreateDynamicFunction(isolate, args, "function*")); |
| } |
| |
| BUILTIN(AsyncFunctionConstructor) { |
| HandleScope scope(isolate); |
| Handle<Object> maybe_func; |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, maybe_func, |
| CreateDynamicFunction(isolate, args, "async function")); |
| if (!maybe_func->IsJSFunction()) return *maybe_func; |
| |
| // Do not lazily compute eval position for AsyncFunction, as they may not be |
| // determined after the function is resumed. |
| Handle<JSFunction> func = Handle<JSFunction>::cast(maybe_func); |
| Handle<Script> script = handle(Script::cast(func->shared()->script())); |
| int position = script->GetEvalPosition(); |
| USE(position); |
| |
| return *func; |
| } |
| |
| namespace { |
| |
| Object* DoFunctionBind(Isolate* isolate, BuiltinArguments args) { |
| HandleScope scope(isolate); |
| DCHECK_LE(1, args.length()); |
| if (!args.receiver()->IsCallable()) { |
| THROW_NEW_ERROR_RETURN_FAILURE( |
| isolate, NewTypeError(MessageTemplate::kFunctionBind)); |
| } |
| |
| // Allocate the bound function with the given {this_arg} and {args}. |
| Handle<JSReceiver> target = args.at<JSReceiver>(0); |
| Handle<Object> this_arg = isolate->factory()->undefined_value(); |
| ScopedVector<Handle<Object>> argv(std::max(0, args.length() - 2)); |
| if (args.length() > 1) { |
| this_arg = args.at(1); |
| for (int i = 2; i < args.length(); ++i) { |
| argv[i - 2] = args.at(i); |
| } |
| } |
| Handle<JSBoundFunction> function; |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, function, |
| isolate->factory()->NewJSBoundFunction(target, this_arg, argv)); |
| |
| LookupIterator length_lookup(target, isolate->factory()->length_string(), |
| target, LookupIterator::OWN); |
| // Setup the "length" property based on the "length" of the {target}. |
| // If the targets length is the default JSFunction accessor, we can keep the |
| // accessor that's installed by default on the JSBoundFunction. It lazily |
| // computes the value from the underlying internal length. |
| if (!target->IsJSFunction() || |
| length_lookup.state() != LookupIterator::ACCESSOR || |
| !length_lookup.GetAccessors()->IsAccessorInfo()) { |
| Handle<Object> length(Smi::kZero, isolate); |
| Maybe<PropertyAttributes> attributes = |
| JSReceiver::GetPropertyAttributes(&length_lookup); |
| if (!attributes.IsJust()) return isolate->heap()->exception(); |
| if (attributes.FromJust() != ABSENT) { |
| Handle<Object> target_length; |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target_length, |
| Object::GetProperty(&length_lookup)); |
| if (target_length->IsNumber()) { |
| length = isolate->factory()->NewNumber(std::max( |
| 0.0, DoubleToInteger(target_length->Number()) - argv.length())); |
| } |
| } |
| LookupIterator it(function, isolate->factory()->length_string(), function); |
| DCHECK_EQ(LookupIterator::ACCESSOR, it.state()); |
| RETURN_FAILURE_ON_EXCEPTION(isolate, |
| JSObject::DefineOwnPropertyIgnoreAttributes( |
| &it, length, it.property_attributes())); |
| } |
| |
| // Setup the "name" property based on the "name" of the {target}. |
| // If the targets name is the default JSFunction accessor, we can keep the |
| // accessor that's installed by default on the JSBoundFunction. It lazily |
| // computes the value from the underlying internal name. |
| LookupIterator name_lookup(target, isolate->factory()->name_string(), target, |
| LookupIterator::OWN); |
| if (!target->IsJSFunction() || |
| name_lookup.state() != LookupIterator::ACCESSOR || |
| !name_lookup.GetAccessors()->IsAccessorInfo()) { |
| Handle<Object> target_name; |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target_name, |
| Object::GetProperty(&name_lookup)); |
| Handle<String> name; |
| if (target_name->IsString()) { |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, name, |
| Name::ToFunctionName(Handle<String>::cast(target_name))); |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, name, isolate->factory()->NewConsString( |
| isolate->factory()->bound__string(), name)); |
| } else { |
| name = isolate->factory()->bound__string(); |
| } |
| LookupIterator it(function, isolate->factory()->name_string()); |
| DCHECK_EQ(LookupIterator::ACCESSOR, it.state()); |
| RETURN_FAILURE_ON_EXCEPTION(isolate, |
| JSObject::DefineOwnPropertyIgnoreAttributes( |
| &it, name, it.property_attributes())); |
| } |
| return *function; |
| } |
| |
| } // namespace |
| |
| // ES6 section 19.2.3.2 Function.prototype.bind ( thisArg, ...args ) |
| BUILTIN(FunctionPrototypeBind) { return DoFunctionBind(isolate, args); } |
| |
| void Builtins::Generate_FastFunctionPrototypeBind( |
| compiler::CodeAssemblerState* state) { |
| using compiler::Node; |
| typedef CodeStubAssembler::Label Label; |
| typedef CodeStubAssembler::Variable Variable; |
| |
| CodeStubAssembler assembler(state); |
| Label slow(&assembler); |
| |
| Node* argc = assembler.Parameter(BuiltinDescriptor::kArgumentsCount); |
| Node* context = assembler.Parameter(BuiltinDescriptor::kContext); |
| Node* new_target = assembler.Parameter(BuiltinDescriptor::kNewTarget); |
| |
| CodeStubArguments args(&assembler, assembler.ChangeInt32ToIntPtr(argc)); |
| |
| // Check that receiver has instance type of JS_FUNCTION_TYPE |
| Node* receiver = args.GetReceiver(); |
| assembler.GotoIf(assembler.TaggedIsSmi(receiver), &slow); |
| |
| Node* receiver_map = assembler.LoadMap(receiver); |
| Node* instance_type = assembler.LoadMapInstanceType(receiver_map); |
| assembler.GotoIf( |
| assembler.Word32NotEqual(instance_type, |
| assembler.Int32Constant(JS_FUNCTION_TYPE)), |
| &slow); |
| |
| // Disallow binding of slow-mode functions. We need to figure out whether the |
| // length and name property are in the original state. |
| assembler.Comment("Disallow binding of slow-mode functions"); |
| assembler.GotoIf(assembler.IsDictionaryMap(receiver_map), &slow); |
| |
| // Check whether the length and name properties are still present as |
| // AccessorInfo objects. In that case, their value can be recomputed even if |
| // the actual value on the object changes. |
| assembler.Comment("Check descriptor array length"); |
| Node* descriptors = assembler.LoadMapDescriptors(receiver_map); |
| Node* descriptors_length = assembler.LoadFixedArrayBaseLength(descriptors); |
| assembler.GotoIf(assembler.SmiLessThanOrEqual(descriptors_length, |
| assembler.SmiConstant(1)), |
| &slow); |
| |
| // Check whether the length and name properties are still present as |
| // AccessorInfo objects. In that case, their value can be recomputed even if |
| // the actual value on the object changes. |
| assembler.Comment("Check name and length properties"); |
| const int length_index = JSFunction::kLengthDescriptorIndex; |
| Node* maybe_length = assembler.LoadFixedArrayElement( |
| descriptors, DescriptorArray::ToKeyIndex(length_index)); |
| assembler.GotoIf( |
| assembler.WordNotEqual(maybe_length, |
| assembler.LoadRoot(Heap::klength_stringRootIndex)), |
| &slow); |
| |
| Node* maybe_length_accessor = assembler.LoadFixedArrayElement( |
| descriptors, DescriptorArray::ToValueIndex(length_index)); |
| assembler.GotoIf(assembler.TaggedIsSmi(maybe_length_accessor), &slow); |
| Node* length_value_map = assembler.LoadMap(maybe_length_accessor); |
| assembler.GotoIfNot(assembler.IsAccessorInfoMap(length_value_map), &slow); |
| |
| const int name_index = JSFunction::kNameDescriptorIndex; |
| Node* maybe_name = assembler.LoadFixedArrayElement( |
| descriptors, DescriptorArray::ToKeyIndex(name_index)); |
| assembler.GotoIf( |
| assembler.WordNotEqual(maybe_name, |
| assembler.LoadRoot(Heap::kname_stringRootIndex)), |
| &slow); |
| |
| Node* maybe_name_accessor = assembler.LoadFixedArrayElement( |
| descriptors, DescriptorArray::ToValueIndex(name_index)); |
| assembler.GotoIf(assembler.TaggedIsSmi(maybe_name_accessor), &slow); |
| Node* name_value_map = assembler.LoadMap(maybe_name_accessor); |
| assembler.GotoIfNot(assembler.IsAccessorInfoMap(name_value_map), &slow); |
| |
| // Choose the right bound function map based on whether the target is |
| // constructable. |
| assembler.Comment("Choose the right bound function map"); |
| Variable bound_function_map(&assembler, MachineRepresentation::kTagged); |
| Label with_constructor(&assembler); |
| CodeStubAssembler::VariableList vars({&bound_function_map}, assembler.zone()); |
| Node* native_context = assembler.LoadNativeContext(context); |
| |
| Label map_done(&assembler, vars); |
| Node* bit_field = assembler.LoadMapBitField(receiver_map); |
| int mask = static_cast<int>(1 << Map::kIsConstructor); |
| assembler.GotoIf(assembler.IsSetWord32(bit_field, mask), &with_constructor); |
| |
| bound_function_map.Bind(assembler.LoadContextElement( |
| native_context, Context::BOUND_FUNCTION_WITHOUT_CONSTRUCTOR_MAP_INDEX)); |
| assembler.Goto(&map_done); |
| |
| assembler.Bind(&with_constructor); |
| bound_function_map.Bind(assembler.LoadContextElement( |
| native_context, Context::BOUND_FUNCTION_WITH_CONSTRUCTOR_MAP_INDEX)); |
| assembler.Goto(&map_done); |
| |
| assembler.Bind(&map_done); |
| |
| // Verify that __proto__ matches that of a the target bound function. |
| assembler.Comment("Verify that __proto__ matches target bound function"); |
| Node* prototype = assembler.LoadMapPrototype(receiver_map); |
| Node* expected_prototype = |
| assembler.LoadMapPrototype(bound_function_map.value()); |
| assembler.GotoIf(assembler.WordNotEqual(prototype, expected_prototype), |
| &slow); |
| |
| // Allocate the arguments array. |
| assembler.Comment("Allocate the arguments array"); |
| Variable argument_array(&assembler, MachineRepresentation::kTagged); |
| Label empty_arguments(&assembler); |
| Label arguments_done(&assembler, &argument_array); |
| assembler.GotoIf( |
| assembler.Uint32LessThanOrEqual(argc, assembler.Int32Constant(1)), |
| &empty_arguments); |
| Node* elements_length = assembler.ChangeUint32ToWord( |
| assembler.Int32Sub(argc, assembler.Int32Constant(1))); |
| Node* elements = assembler.AllocateFixedArray(FAST_ELEMENTS, elements_length); |
| Variable index(&assembler, MachineType::PointerRepresentation()); |
| index.Bind(assembler.IntPtrConstant(0)); |
| CodeStubAssembler::VariableList foreach_vars({&index}, assembler.zone()); |
| args.ForEach(foreach_vars, |
| [&assembler, elements, &index](compiler::Node* arg) { |
| assembler.StoreFixedArrayElement(elements, index.value(), arg); |
| assembler.Increment(index); |
| }, |
| assembler.IntPtrConstant(1)); |
| argument_array.Bind(elements); |
| assembler.Goto(&arguments_done); |
| |
| assembler.Bind(&empty_arguments); |
| argument_array.Bind(assembler.EmptyFixedArrayConstant()); |
| assembler.Goto(&arguments_done); |
| |
| assembler.Bind(&arguments_done); |
| |
| // Determine bound receiver. |
| assembler.Comment("Determine bound receiver"); |
| Variable bound_receiver(&assembler, MachineRepresentation::kTagged); |
| Label has_receiver(&assembler); |
| Label receiver_done(&assembler, &bound_receiver); |
| assembler.GotoIf(assembler.Word32NotEqual(argc, assembler.Int32Constant(0)), |
| &has_receiver); |
| bound_receiver.Bind(assembler.UndefinedConstant()); |
| assembler.Goto(&receiver_done); |
| |
| assembler.Bind(&has_receiver); |
| bound_receiver.Bind(args.AtIndex(0)); |
| assembler.Goto(&receiver_done); |
| |
| assembler.Bind(&receiver_done); |
| |
| // Allocate the resulting bound function. |
| assembler.Comment("Allocate the resulting bound function"); |
| Node* bound_function = assembler.Allocate(JSBoundFunction::kSize); |
| assembler.StoreMapNoWriteBarrier(bound_function, bound_function_map.value()); |
| assembler.StoreObjectFieldNoWriteBarrier( |
| bound_function, JSBoundFunction::kBoundTargetFunctionOffset, receiver); |
| assembler.StoreObjectFieldNoWriteBarrier(bound_function, |
| JSBoundFunction::kBoundThisOffset, |
| bound_receiver.value()); |
| assembler.StoreObjectFieldNoWriteBarrier( |
| bound_function, JSBoundFunction::kBoundArgumentsOffset, |
| argument_array.value()); |
| Node* empty_fixed_array = assembler.EmptyFixedArrayConstant(); |
| assembler.StoreObjectFieldNoWriteBarrier( |
| bound_function, JSObject::kPropertiesOffset, empty_fixed_array); |
| assembler.StoreObjectFieldNoWriteBarrier( |
| bound_function, JSObject::kElementsOffset, empty_fixed_array); |
| |
| args.PopAndReturn(bound_function); |
| assembler.Bind(&slow); |
| |
| Node* target = assembler.LoadFromFrame( |
| StandardFrameConstants::kFunctionOffset, MachineType::TaggedPointer()); |
| assembler.TailCallStub( |
| CodeFactory::FunctionPrototypeBind(assembler.isolate()), context, target, |
| new_target, argc); |
| } |
| |
| // TODO(verwaest): This is a temporary helper until the FastFunctionBind stub |
| // can tailcall to the builtin directly. |
| RUNTIME_FUNCTION(Runtime_FunctionBind) { |
| DCHECK_EQ(2, args.length()); |
| Arguments* incoming = reinterpret_cast<Arguments*>(args[0]); |
| // Rewrap the arguments as builtins arguments. |
| int argc = incoming->length() + BuiltinArguments::kNumExtraArgsWithReceiver; |
| BuiltinArguments caller_args(argc, incoming->arguments() + 1); |
| return DoFunctionBind(isolate, caller_args); |
| } |
| |
| // ES6 section 19.2.3.5 Function.prototype.toString ( ) |
| BUILTIN(FunctionPrototypeToString) { |
| HandleScope scope(isolate); |
| Handle<Object> receiver = args.receiver(); |
| if (receiver->IsJSBoundFunction()) { |
| return *JSBoundFunction::ToString(Handle<JSBoundFunction>::cast(receiver)); |
| } else if (receiver->IsJSFunction()) { |
| return *JSFunction::ToString(Handle<JSFunction>::cast(receiver)); |
| } |
| THROW_NEW_ERROR_RETURN_FAILURE( |
| isolate, NewTypeError(MessageTemplate::kNotGeneric, |
| isolate->factory()->NewStringFromAsciiChecked( |
| "Function.prototype.toString"))); |
| } |
| |
| // ES6 section 19.2.3.6 Function.prototype [ @@hasInstance ] ( V ) |
| void Builtins::Generate_FunctionPrototypeHasInstance( |
| compiler::CodeAssemblerState* state) { |
| using compiler::Node; |
| CodeStubAssembler assembler(state); |
| |
| Node* f = assembler.Parameter(0); |
| Node* v = assembler.Parameter(1); |
| Node* context = assembler.Parameter(4); |
| Node* result = assembler.OrdinaryHasInstance(context, f, v); |
| assembler.Return(result); |
| } |
| |
| } // namespace internal |
| } // namespace v8 |