The Tor Browser: js/src/devtools/rootAnalysis/annotations.js@129ffea94266 (annotated)

js/src/devtools/rootAnalysis/annotations.js@129ffea94266 (annotated)

js/src/devtools/rootAnalysis/annotations.js

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: Javascript; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 "use strict";
 // Ignore calls made through these function pointers
 var ignoreIndirectCalls = {
     "mallocSizeOf" : true,
     "aMallocSizeOf" : true,
     "_malloc_message" : true,
     "__conv" : true,
     "__convf" : true,
     "prerrortable.c:callback_newtable" : true,
     "mozalloc_oom.cpp:void (* gAbortHandler)(size_t)" : true,
     // I don't know why these are getting truncated
     "nsTraceRefcnt.cpp:void (* leakyLogAddRef)(void*": true,
     "nsTraceRefcnt.cpp:void (* leakyLogAddRef)(void*, int, int)": true,
     "nsTraceRefcnt.cpp:void (* leakyLogRelease)(void*": true,
     "nsTraceRefcnt.cpp:void (* leakyLogRelease)(void*, int, int)": true,
 };
 function indirectCallCannotGC(fullCaller, fullVariable)
 {
     var caller = readable(fullCaller);
     // This is usually a simple variable name, but sometimes a full name gets
     // passed through. And sometimes that name is truncated. Examples:
     //   _ZL13gAbortHandler|mozalloc_oom.cpp:void (* gAbortHandler)(size_t)
     //   _ZL14pMutexUnlockFn|umutex.cpp:void (* pMutexUnlockFn)(const void*
     var name = readable(fullVariable);
     if (name in ignoreIndirectCalls)
         return true;
     if (name == "mapper" && caller == "ptio.c:pt_MapError")
         return true;
     if (name == "params" && caller == "PR_ExplodeTime")
         return true;
     if (name == "op" && /GetWeakmapKeyDelegate/.test(caller))
         return true;
     var CheckCallArgs = "AsmJS.cpp:uint8 CheckCallArgs(FunctionCompiler*, js::frontend::ParseNode*, (uint8)(FunctionCompiler*,js::frontend::ParseNode*,Type)*, FunctionCompiler::Call*)";
     if (name == "checkArg" && caller == CheckCallArgs)
         return true;
     // hook called during script finalization which cannot GC.
     if (/CallDestroyScriptHook/.test(caller))
         return true;
     // template method called during marking and hence cannot GC
     if (name == "op" && caller.indexOf("bool js::WeakMap<Key, Value, HashPolicy>::keyNeedsMark(JSObject*)") != -1)
     {
         return true;
     }
     return false;
 }
 // Ignore calls through functions pointers with these types
 var ignoreClasses = {
     "JSTracer" : true,
     "JSStringFinalizer" : true,
     "SprintfState" : true,
     "SprintfStateStr" : true,
     "JSLocaleCallbacks" : true,
     "JSC::ExecutableAllocator" : true,
     "PRIOMethods": true,
     "XPCOMFunctions" : true, // I'm a little unsure of this one
     "_MD_IOVector" : true,
 };
 // Ignore calls through TYPE.FIELD, where TYPE is the class or struct name containing
 // a function pointer field named FIELD.
 var ignoreCallees = {
     "js::Class.trace" : true,
     "js::Class.finalize" : true,
     "JSRuntime.destroyPrincipals" : true,
     "icu_50::UObject.__deleting_dtor" : true, // destructors in ICU code can't cause GC
     "mozilla::CycleCollectedJSRuntime.DescribeCustomObjects" : true, // During tracing, cannot GC.
     "mozilla::CycleCollectedJSRuntime.NoteCustomGCThingXPCOMChildren" : true, // During tracing, cannot GC.
     "PLDHashTableOps.hashKey" : true,
     "z_stream_s.zfree" : true,
 };
 function fieldCallCannotGC(csu, fullfield)
 {
     if (csu in ignoreClasses)
         return true;
     if (fullfield in ignoreCallees)
         return true;
     return false;
 }
 function ignoreEdgeUse(edge, variable)
 {
     // Functions which should not be treated as using variable.
     if (edge.Kind == "Call") {
         var callee = edge.Exp[0];
         if (callee.Kind == "Var") {
             var name = callee.Variable.Name[0];
             if (/~Anchor/.test(name))
                 return true;
             if (/~DebugOnly/.test(name))
                 return true;
             if (/~ScopedThreadSafeStringInspector/.test(name))
                 return true;
         }
     }
     return false;
 }
 function ignoreEdgeAddressTaken(edge)
 {
     // Functions which may take indirect pointers to unrooted GC things,
     // but will copy them into rooted locations before calling anything
     // that can GC. These parameters should usually be replaced with
     // handles or mutable handles.
     if (edge.Kind == "Call") {
         var callee = edge.Exp[0];
         if (callee.Kind == "Var") {
             var name = callee.Variable.Name[0];
             if (/js::Invoke\(/.test(name))
                 return true;
         }
     }
     return false;
 }
 // Ignore calls of these functions (so ignore any stack containing these)
 var ignoreFunctions = {
     "ptio.c:pt_MapError" : true,
     "PR_ExplodeTime" : true,
     "PR_ErrorInstallTable" : true,
     "PR_SetThreadPrivate" : true,
     "JSObject* js::GetWeakmapKeyDelegate(JSObject*)" : true, // FIXME: mark with AutoAssertNoGC instead
     "uint8 NS_IsMainThread()" : true,
     // FIXME!
     "NS_LogInit": true,
     "NS_LogTerm": true,
     "NS_LogAddRef": true,
     "NS_LogRelease": true,
     "NS_LogCtor": true,
     "NS_LogDtor": true,
     "NS_LogCOMPtrAddRef": true,
     "NS_LogCOMPtrRelease": true,
     // FIXME!
     "NS_DebugBreak": true,
     // These are a little overzealous -- these destructors *can* GC if they end
     // up wrapping a pending exception. See bug 898815 for the heavyweight fix.
     "void js::AutoCompartment::~AutoCompartment(int32)" : true,
     "void JSAutoCompartment::~JSAutoCompartment(int32)" : true,
     // Bug 948646 - the only thing AutoJSContext's constructor calls
     // is an Init() routine whose entire body is covered with an
     // AutoAssertNoGC. AutoSafeJSContext is the same thing, just with
     // a different value for the 'aSafe' parameter.
     "void mozilla::AutoJSContext::AutoJSContext(mozilla::detail::GuardObjectNotifier*)" : true,
     "void mozilla::AutoSafeJSContext::~AutoSafeJSContext(int32)" : true,
     // And these are workarounds to avoid even more analysis work,
     // which would sadly still be needed even with bug 898815.
     "void js::AutoCompartment::AutoCompartment(js::ExclusiveContext*, JSCompartment*)": true,
 };
 function ignoreGCFunction(mangled)
 {
     assert(mangled in readableNames);
     var fun = readableNames[mangled][0];
     if (fun in ignoreFunctions)
         return true;
     // Templatized function
     if (fun.indexOf("void nsCOMPtr<T>::Assert_NoQueryNeeded()") >= 0)
         return true;
     // XXX modify refillFreeList<NoGC> to not need data flow analysis to understand it cannot GC.
     if (/refillFreeList/.test(fun) && /\(js::AllowGC\)0u/.test(fun))
         return true;
     return false;
 }
 function isRootedTypeName(name)
 {
     if (name == "mozilla::ErrorResult" ||
         name == "JSErrorResult" ||
         name == "WrappableJSErrorResult" ||
         name == "js::frontend::TokenStream" ||
         name == "js::frontend::TokenStream::Position" ||
         name == "ModuleCompiler")
     {
         return true;
     }
     return false;
 }
 function isRootedPointerTypeName(name)
 {
     if (name.startsWith('struct '))
         name = name.substr(7);
     if (name.startsWith('class '))
         name = name.substr(6);
     if (name.startsWith('const '))
         name = name.substr(6);
     if (name.startsWith('js::ctypes::'))
         name = name.substr(12);
     if (name.startsWith('js::'))
         name = name.substr(4);
     if (name.startsWith('JS::'))
         name = name.substr(4);
     if (name.startsWith('mozilla::dom::'))
         name = name.substr(14);
     if (name.startsWith('MaybeRooted<'))
         return /\(js::AllowGC\)1u>::RootType/.test(name);
     return name.startsWith('Rooted') || name.startsWith('PersistentRooted');
 }
 function isSuppressConstructor(name)
 {
     return name.indexOf("::AutoSuppressGC") != -1
         || name.indexOf("::AutoEnterAnalysis") != -1
         || name.indexOf("::AutoAssertNoGC") != -1
         || name.indexOf("::AutoIgnoreRootingHazards") != -1;
 }
 // nsISupports subclasses' methods may be scriptable (or overridden
 // via binary XPCOM), and so may GC. But some fields just aren't going
 // to get overridden with something that can GC.
 function isOverridableField(initialCSU, csu, field)
 {
     if (csu != 'nsISupports')
         return false;
     if (field == 'GetCurrentJSContext')
         return false;
     if (field == 'IsOnCurrentThread')
         return false;
     if (field == 'GetNativeContext')
         return false;
     if (field == "GetGlobalJSObject")
         return false;
     if (field == "GetIsMainThread")
         return false;
     if (initialCSU == 'nsIXPConnectJSObjectHolder' && field == 'GetJSObject')
         return false;
     return true;
 }