js/src/vm/StructuredClone.cpp

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/js/src/vm/StructuredClone.cpp	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,1906 @@
     1.4 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
     1.5 + * vim: set ts=8 sts=4 et sw=4 tw=99:
     1.6 + * This Source Code Form is subject to the terms of the Mozilla Public
     1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
     1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     1.9 +
    1.10 +/*
    1.11 + * This file implements the structured clone algorithm of
    1.12 + * http://www.whatwg.org/specs/web-apps/current-work/multipage/common-dom-interfaces.html#safe-passing-of-structured-data
    1.13 + *
    1.14 + * The implementation differs slightly in that it uses an explicit stack, and
    1.15 + * the "memory" maps source objects to sequential integer indexes rather than
    1.16 + * directly pointing to destination objects. As a result, the order in which
    1.17 + * things are added to the memory must exactly match the order in which they
    1.18 + * are placed into 'allObjs', an analogous array of back-referenceable
    1.19 + * destination objects constructed while reading.
    1.20 + *
    1.21 + * For the most part, this is easy: simply add objects to the memory when first
    1.22 + * encountering them. But reading in a typed array requires an ArrayBuffer for
    1.23 + * construction, so objects cannot just be added to 'allObjs' in the order they
    1.24 + * are created. If they were, ArrayBuffers would come before typed arrays when
    1.25 + * in fact the typed array was added to 'memory' first.
    1.26 + *
    1.27 + * So during writing, we add objects to the memory when first encountering
    1.28 + * them. When reading a typed array, a placeholder is pushed onto allObjs until
    1.29 + * the ArrayBuffer has been read, then it is updated with the actual typed
    1.30 + * array object.
    1.31 + */
    1.32 +
    1.33 +#include "js/StructuredClone.h"
    1.34 +
    1.35 +#include "mozilla/Endian.h"
    1.36 +#include "mozilla/FloatingPoint.h"
    1.37 +
    1.38 +#include <algorithm>
    1.39 +
    1.40 +#include "jsapi.h"
    1.41 +#include "jscntxt.h"
    1.42 +#include "jsdate.h"
    1.43 +#include "jswrapper.h"
    1.44 +
    1.45 +#include "vm/SharedArrayObject.h"
    1.46 +#include "vm/TypedArrayObject.h"
    1.47 +#include "vm/WrapperObject.h"
    1.48 +
    1.49 +#include "jscntxtinlines.h"
    1.50 +#include "jsobjinlines.h"
    1.51 +
    1.52 +using namespace js;
    1.53 +
    1.54 +using mozilla::IsNaN;
    1.55 +using mozilla::LittleEndian;
    1.56 +using mozilla::NativeEndian;
    1.57 +using JS::CanonicalizeNaN;
    1.58 +
    1.59 +enum StructuredDataType {
    1.60 +    /* Structured data types provided by the engine */
    1.61 +    SCTAG_FLOAT_MAX = 0xFFF00000,
    1.62 +    SCTAG_NULL = 0xFFFF0000,
    1.63 +    SCTAG_UNDEFINED,
    1.64 +    SCTAG_BOOLEAN,
    1.65 +    SCTAG_INDEX,
    1.66 +    SCTAG_STRING,
    1.67 +    SCTAG_DATE_OBJECT,
    1.68 +    SCTAG_REGEXP_OBJECT,
    1.69 +    SCTAG_ARRAY_OBJECT,
    1.70 +    SCTAG_OBJECT_OBJECT,
    1.71 +    SCTAG_ARRAY_BUFFER_OBJECT,
    1.72 +    SCTAG_BOOLEAN_OBJECT,
    1.73 +    SCTAG_STRING_OBJECT,
    1.74 +    SCTAG_NUMBER_OBJECT,
    1.75 +    SCTAG_BACK_REFERENCE_OBJECT,
    1.76 +    SCTAG_DO_NOT_USE_1, // Required for backwards compatibility
    1.77 +    SCTAG_DO_NOT_USE_2, // Required for backwards compatibility
    1.78 +    SCTAG_TYPED_ARRAY_OBJECT,
    1.79 +    SCTAG_TYPED_ARRAY_V1_MIN = 0xFFFF0100,
    1.80 +    SCTAG_TYPED_ARRAY_V1_INT8 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_INT8,
    1.81 +    SCTAG_TYPED_ARRAY_V1_UINT8 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_UINT8,
    1.82 +    SCTAG_TYPED_ARRAY_V1_INT16 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_INT16,
    1.83 +    SCTAG_TYPED_ARRAY_V1_UINT16 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_UINT16,
    1.84 +    SCTAG_TYPED_ARRAY_V1_INT32 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_INT32,
    1.85 +    SCTAG_TYPED_ARRAY_V1_UINT32 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_UINT32,
    1.86 +    SCTAG_TYPED_ARRAY_V1_FLOAT32 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_FLOAT32,
    1.87 +    SCTAG_TYPED_ARRAY_V1_FLOAT64 = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_FLOAT64,
    1.88 +    SCTAG_TYPED_ARRAY_V1_UINT8_CLAMPED = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_UINT8_CLAMPED,
    1.89 +    SCTAG_TYPED_ARRAY_V1_MAX = SCTAG_TYPED_ARRAY_V1_MIN + ScalarTypeDescr::TYPE_MAX - 1,
    1.90 +
    1.91 +    /*
    1.92 +     * Define a separate range of numbers for Transferable-only tags, since
    1.93 +     * they are not used for persistent clone buffers and therefore do not
    1.94 +     * require bumping JS_STRUCTURED_CLONE_VERSION.
    1.95 +     */
    1.96 +    SCTAG_TRANSFER_MAP_HEADER = 0xFFFF0200,
    1.97 +    SCTAG_TRANSFER_MAP_PENDING_ENTRY,
    1.98 +    SCTAG_TRANSFER_MAP_ARRAY_BUFFER,
    1.99 +    SCTAG_TRANSFER_MAP_SHARED_BUFFER,
   1.100 +    SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES,
   1.101 +
   1.102 +    SCTAG_END_OF_BUILTIN_TYPES
   1.103 +};
   1.104 +
   1.105 +/*
   1.106 + * Format of transfer map:
   1.107 + *   <SCTAG_TRANSFER_MAP_HEADER, TransferableMapHeader(UNREAD|TRANSFERRED)>
   1.108 + *   numTransferables (64 bits)
   1.109 + *   array of:
   1.110 + *     <SCTAG_TRANSFER_MAP_*, TransferableOwnership>
   1.111 + *     pointer (64 bits)
   1.112 + *     extraData (64 bits), eg byte length for ArrayBuffers
   1.113 + */
   1.114 +
   1.115 +// Data associated with an SCTAG_TRANSFER_MAP_HEADER that tells whether the
   1.116 +// contents have been read out yet or not.
   1.117 +enum TransferableMapHeader {
   1.118 +    SCTAG_TM_UNREAD = 0,
   1.119 +    SCTAG_TM_TRANSFERRED
   1.120 +};
   1.121 +
   1.122 +static inline uint64_t
   1.123 +PairToUInt64(uint32_t tag, uint32_t data)
   1.124 +{
   1.125 +    return uint64_t(data) | (uint64_t(tag) << 32);
   1.126 +}
   1.127 +
   1.128 +namespace js {
   1.129 +
   1.130 +struct SCOutput {
   1.131 +  public:
   1.132 +    explicit SCOutput(JSContext *cx);
   1.133 +
   1.134 +    JSContext *context() const { return cx; }
   1.135 +
   1.136 +    bool write(uint64_t u);
   1.137 +    bool writePair(uint32_t tag, uint32_t data);
   1.138 +    bool writeDouble(double d);
   1.139 +    bool writeBytes(const void *p, size_t nbytes);
   1.140 +    bool writeChars(const jschar *p, size_t nchars);
   1.141 +    bool writePtr(const void *);
   1.142 +
   1.143 +    template <class T>
   1.144 +    bool writeArray(const T *p, size_t nbytes);
   1.145 +
   1.146 +    bool extractBuffer(uint64_t **datap, size_t *sizep);
   1.147 +
   1.148 +    uint64_t count() const { return buf.length(); }
   1.149 +    uint64_t *rawBuffer() { return buf.begin(); }
   1.150 +
   1.151 +  private:
   1.152 +    JSContext *cx;
   1.153 +    Vector<uint64_t> buf;
   1.154 +};
   1.155 +
   1.156 +class SCInput {
   1.157 +  public:
   1.158 +    SCInput(JSContext *cx, uint64_t *data, size_t nbytes);
   1.159 +
   1.160 +    JSContext *context() const { return cx; }
   1.161 +
   1.162 +    static void getPtr(const uint64_t *buffer, void **ptr);
   1.163 +    static void getPair(const uint64_t *buffer, uint32_t *tagp, uint32_t *datap);
   1.164 +
   1.165 +    bool read(uint64_t *p);
   1.166 +    bool readNativeEndian(uint64_t *p);
   1.167 +    bool readPair(uint32_t *tagp, uint32_t *datap);
   1.168 +    bool readDouble(double *p);
   1.169 +    bool readBytes(void *p, size_t nbytes);
   1.170 +    bool readChars(jschar *p, size_t nchars);
   1.171 +    bool readPtr(void **);
   1.172 +
   1.173 +    bool get(uint64_t *p);
   1.174 +    bool getPair(uint32_t *tagp, uint32_t *datap);
   1.175 +
   1.176 +    uint64_t *tell() const { return point; }
   1.177 +    uint64_t *end() const { return bufEnd; }
   1.178 +
   1.179 +    template <class T>
   1.180 +    bool readArray(T *p, size_t nelems);
   1.181 +
   1.182 +    bool reportTruncated() {
   1.183 +         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
   1.184 +                              JSMSG_SC_BAD_SERIALIZED_DATA, "truncated");
   1.185 +         return false;
   1.186 +     }
   1.187 +
   1.188 +  private:
   1.189 +    void staticAssertions() {
   1.190 +        JS_STATIC_ASSERT(sizeof(jschar) == 2);
   1.191 +        JS_STATIC_ASSERT(sizeof(uint32_t) == 4);
   1.192 +        JS_STATIC_ASSERT(sizeof(double) == 8);
   1.193 +    }
   1.194 +
   1.195 +    JSContext *cx;
   1.196 +    uint64_t *point;
   1.197 +    uint64_t *bufEnd;
   1.198 +};
   1.199 +
   1.200 +} /* namespace js */
   1.201 +
   1.202 +struct JSStructuredCloneReader {
   1.203 +  public:
   1.204 +    explicit JSStructuredCloneReader(SCInput &in, const JSStructuredCloneCallbacks *cb,
   1.205 +                                     void *cbClosure)
   1.206 +        : in(in), objs(in.context()), allObjs(in.context()),
   1.207 +          callbacks(cb), closure(cbClosure) { }
   1.208 +
   1.209 +    SCInput &input() { return in; }
   1.210 +    bool read(Value *vp);
   1.211 +
   1.212 +  private:
   1.213 +    JSContext *context() { return in.context(); }
   1.214 +
   1.215 +    bool readTransferMap();
   1.216 +
   1.217 +    bool checkDouble(double d);
   1.218 +    JSString *readString(uint32_t nchars);
   1.219 +    bool readTypedArray(uint32_t arrayType, uint32_t nelems, Value *vp, bool v1Read = false);
   1.220 +    bool readArrayBuffer(uint32_t nbytes, Value *vp);
   1.221 +    bool readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems, Value *vp);
   1.222 +    bool readId(jsid *idp);
   1.223 +    bool startRead(Value *vp);
   1.224 +
   1.225 +    SCInput &in;
   1.226 +
   1.227 +    // Stack of objects with properties remaining to be read.
   1.228 +    AutoValueVector objs;
   1.229 +
   1.230 +    // Stack of all objects read during this deserialization
   1.231 +    AutoValueVector allObjs;
   1.232 +
   1.233 +    // The user defined callbacks that will be used for cloning.
   1.234 +    const JSStructuredCloneCallbacks *callbacks;
   1.235 +
   1.236 +    // Any value passed to JS_ReadStructuredClone.
   1.237 +    void *closure;
   1.238 +
   1.239 +    friend bool JS_ReadTypedArray(JSStructuredCloneReader *r, MutableHandleValue vp);
   1.240 +};
   1.241 +
   1.242 +struct JSStructuredCloneWriter {
   1.243 +  public:
   1.244 +    explicit JSStructuredCloneWriter(JSContext *cx,
   1.245 +                                     const JSStructuredCloneCallbacks *cb,
   1.246 +                                     void *cbClosure,
   1.247 +                                     jsval tVal)
   1.248 +        : out(cx), objs(out.context()),
   1.249 +          counts(out.context()), ids(out.context()),
   1.250 +          memory(out.context()), callbacks(cb), closure(cbClosure),
   1.251 +          transferable(out.context(), tVal), transferableObjects(out.context()) { }
   1.252 +
   1.253 +    ~JSStructuredCloneWriter();
   1.254 +
   1.255 +    bool init() { return memory.init() && parseTransferable() && writeTransferMap(); }
   1.256 +
   1.257 +    bool write(const Value &v);
   1.258 +
   1.259 +    SCOutput &output() { return out; }
   1.260 +
   1.261 +    bool extractBuffer(uint64_t **datap, size_t *sizep) {
   1.262 +        return out.extractBuffer(datap, sizep);
   1.263 +    }
   1.264 +
   1.265 +  private:
   1.266 +    JSContext *context() { return out.context(); }
   1.267 +
   1.268 +    bool writeTransferMap();
   1.269 +
   1.270 +    bool writeString(uint32_t tag, JSString *str);
   1.271 +    bool writeId(jsid id);
   1.272 +    bool writeArrayBuffer(HandleObject obj);
   1.273 +    bool writeTypedArray(HandleObject obj);
   1.274 +    bool startObject(HandleObject obj, bool *backref);
   1.275 +    bool startWrite(const Value &v);
   1.276 +    bool traverseObject(HandleObject obj);
   1.277 +
   1.278 +    bool parseTransferable();
   1.279 +    bool reportErrorTransferable();
   1.280 +    bool transferOwnership();
   1.281 +
   1.282 +    inline void checkStack();
   1.283 +
   1.284 +    SCOutput out;
   1.285 +
   1.286 +    // Vector of objects with properties remaining to be written.
   1.287 +    //
   1.288 +    // NB: These can span multiple compartments, so the compartment must be
   1.289 +    // entered before any manipulation is performed.
   1.290 +    AutoValueVector objs;
   1.291 +
   1.292 +    // counts[i] is the number of properties of objs[i] remaining to be written.
   1.293 +    // counts.length() == objs.length() and sum(counts) == ids.length().
   1.294 +    Vector<size_t> counts;
   1.295 +
   1.296 +    // Ids of properties remaining to be written.
   1.297 +    AutoIdVector ids;
   1.298 +
   1.299 +    // The "memory" list described in the HTML5 internal structured cloning algorithm.
   1.300 +    // memory is a superset of objs; items are never removed from Memory
   1.301 +    // until a serialization operation is finished
   1.302 +    typedef AutoObjectUnsigned32HashMap CloneMemory;
   1.303 +    CloneMemory memory;
   1.304 +
   1.305 +    // The user defined callbacks that will be used for cloning.
   1.306 +    const JSStructuredCloneCallbacks *callbacks;
   1.307 +
   1.308 +    // Any value passed to JS_WriteStructuredClone.
   1.309 +    void *closure;
   1.310 +
   1.311 +    // List of transferable objects
   1.312 +    RootedValue transferable;
   1.313 +    AutoObjectVector transferableObjects;
   1.314 +
   1.315 +    friend bool JS_WriteTypedArray(JSStructuredCloneWriter *w, HandleValue v);
   1.316 +};
   1.317 +
   1.318 +JS_FRIEND_API(uint64_t)
   1.319 +js_GetSCOffset(JSStructuredCloneWriter* writer)
   1.320 +{
   1.321 +    JS_ASSERT(writer);
   1.322 +    return writer->output().count() * sizeof(uint64_t);
   1.323 +}
   1.324 +
   1.325 +JS_STATIC_ASSERT(SCTAG_END_OF_BUILTIN_TYPES <= JS_SCTAG_USER_MIN);
   1.326 +JS_STATIC_ASSERT(JS_SCTAG_USER_MIN <= JS_SCTAG_USER_MAX);
   1.327 +JS_STATIC_ASSERT(ScalarTypeDescr::TYPE_INT8 == 0);
   1.328 +
   1.329 +static void
   1.330 +ReportErrorTransferable(JSContext *cx, const JSStructuredCloneCallbacks *callbacks)
   1.331 +{
   1.332 +    if (callbacks && callbacks->reportError)
   1.333 +        callbacks->reportError(cx, JS_SCERR_TRANSFERABLE);
   1.334 +    else
   1.335 +        JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_SC_NOT_TRANSFERABLE);
   1.336 +}
   1.337 +
   1.338 +bool
   1.339 +WriteStructuredClone(JSContext *cx, HandleValue v, uint64_t **bufp, size_t *nbytesp,
   1.340 +                     const JSStructuredCloneCallbacks *cb, void *cbClosure,
   1.341 +                     jsval transferable)
   1.342 +{
   1.343 +    JSStructuredCloneWriter w(cx, cb, cbClosure, transferable);
   1.344 +    return w.init() && w.write(v) && w.extractBuffer(bufp, nbytesp);
   1.345 +}
   1.346 +
   1.347 +bool
   1.348 +ReadStructuredClone(JSContext *cx, uint64_t *data, size_t nbytes, MutableHandleValue vp,
   1.349 +                    const JSStructuredCloneCallbacks *cb, void *cbClosure)
   1.350 +{
   1.351 +    SCInput in(cx, data, nbytes);
   1.352 +    JSStructuredCloneReader r(in, cb, cbClosure);
   1.353 +    return r.read(vp.address());
   1.354 +}
   1.355 +
   1.356 +// If the given buffer contains Transferables, free them. Note that custom
   1.357 +// Transferables will use the JSStructuredCloneCallbacks::freeTransfer() to
   1.358 +// delete their transferables.
   1.359 +static void
   1.360 +Discard(uint64_t *buffer, size_t nbytes, const JSStructuredCloneCallbacks *cb, void *cbClosure)
   1.361 +{
   1.362 +    JS_ASSERT(nbytes % sizeof(uint64_t) == 0);
   1.363 +    if (nbytes < sizeof(uint64_t))
   1.364 +        return; // Empty buffer
   1.365 +
   1.366 +    uint64_t *point = buffer;
   1.367 +    uint32_t tag, data;
   1.368 +    SCInput::getPair(point++, &tag, &data);
   1.369 +    if (tag != SCTAG_TRANSFER_MAP_HEADER)
   1.370 +        return;
   1.371 +
   1.372 +    if (TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
   1.373 +        return;
   1.374 +
   1.375 +    // freeTransfer should not GC
   1.376 +    JS::AutoAssertNoGC nogc;
   1.377 +
   1.378 +    uint64_t numTransferables = LittleEndian::readUint64(point++);
   1.379 +    while (numTransferables--) {
   1.380 +        uint32_t ownership;
   1.381 +        SCInput::getPair(point++, &tag, &ownership);
   1.382 +        JS_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
   1.383 +
   1.384 +        void *content;
   1.385 +        SCInput::getPtr(point++, &content);
   1.386 +
   1.387 +        uint64_t extraData = LittleEndian::readUint64(point++);
   1.388 +
   1.389 +        if (ownership < JS::SCTAG_TMO_FIRST_OWNED)
   1.390 +            continue;
   1.391 +
   1.392 +        if (ownership == JS::SCTAG_TMO_ALLOC_DATA) {
   1.393 +            js_free(content);
   1.394 +        } else if (ownership == JS::SCTAG_TMO_MAPPED_DATA) {
   1.395 +            JS_ReleaseMappedArrayBufferContents(content, extraData);
   1.396 +        } else if (ownership == JS::SCTAG_TMO_SHARED_BUFFER) {
   1.397 +            SharedArrayRawBuffer *raw = static_cast<SharedArrayRawBuffer*>(content);
   1.398 +            if (raw)
   1.399 +                raw->dropReference();
   1.400 +        } else if (cb && cb->freeTransfer) {
   1.401 +            cb->freeTransfer(tag, JS::TransferableOwnership(ownership), content, extraData, cbClosure);
   1.402 +        } else {
   1.403 +            MOZ_ASSERT(false, "unknown ownership");
   1.404 +        }
   1.405 +    }
   1.406 +}
   1.407 +
   1.408 +static void
   1.409 +ClearStructuredClone(uint64_t *data, size_t nbytes,
   1.410 +                     const JSStructuredCloneCallbacks *cb, void *cbClosure)
   1.411 +{
   1.412 +    Discard(data, nbytes, cb, cbClosure);
   1.413 +    js_free(data);
   1.414 +}
   1.415 +
   1.416 +bool
   1.417 +StructuredCloneHasTransferObjects(const uint64_t *data, size_t nbytes, bool *hasTransferable)
   1.418 +{
   1.419 +    *hasTransferable = false;
   1.420 +
   1.421 +    if (data) {
   1.422 +        uint64_t u = LittleEndian::readUint64(data);
   1.423 +        uint32_t tag = uint32_t(u >> 32);
   1.424 +        if (tag == SCTAG_TRANSFER_MAP_HEADER)
   1.425 +            *hasTransferable = true;
   1.426 +    }
   1.427 +
   1.428 +    return true;
   1.429 +}
   1.430 +
   1.431 +namespace js {
   1.432 +
   1.433 +SCInput::SCInput(JSContext *cx, uint64_t *data, size_t nbytes)
   1.434 +    : cx(cx), point(data), bufEnd(data + nbytes / 8)
   1.435 +{
   1.436 +    // On 32-bit, we sometimes construct an SCInput from an SCOutput buffer,
   1.437 +    // which is not guaranteed to be 8-byte aligned
   1.438 +    JS_ASSERT((uintptr_t(data) & (sizeof(int) - 1)) == 0);
   1.439 +    JS_ASSERT((nbytes & 7) == 0);
   1.440 +}
   1.441 +
   1.442 +bool
   1.443 +SCInput::read(uint64_t *p)
   1.444 +{
   1.445 +    if (point == bufEnd) {
   1.446 +        *p = 0;  /* initialize to shut GCC up */
   1.447 +        return reportTruncated();
   1.448 +    }
   1.449 +    *p = LittleEndian::readUint64(point++);
   1.450 +    return true;
   1.451 +}
   1.452 +
   1.453 +bool
   1.454 +SCInput::readNativeEndian(uint64_t *p)
   1.455 +{
   1.456 +    if (point == bufEnd) {
   1.457 +        *p = 0;  /* initialize to shut GCC up */
   1.458 +        return reportTruncated();
   1.459 +    }
   1.460 +    *p = *(point++);
   1.461 +    return true;
   1.462 +}
   1.463 +
   1.464 +bool
   1.465 +SCInput::readPair(uint32_t *tagp, uint32_t *datap)
   1.466 +{
   1.467 +    uint64_t u;
   1.468 +    bool ok = read(&u);
   1.469 +    if (ok) {
   1.470 +        *tagp = uint32_t(u >> 32);
   1.471 +        *datap = uint32_t(u);
   1.472 +    }
   1.473 +    return ok;
   1.474 +}
   1.475 +
   1.476 +bool
   1.477 +SCInput::get(uint64_t *p)
   1.478 +{
   1.479 +    if (point == bufEnd)
   1.480 +        return reportTruncated();
   1.481 +    *p = LittleEndian::readUint64(point);
   1.482 +    return true;
   1.483 +}
   1.484 +
   1.485 +bool
   1.486 +SCInput::getPair(uint32_t *tagp, uint32_t *datap)
   1.487 +{
   1.488 +    uint64_t u = 0;
   1.489 +    if (!get(&u))
   1.490 +        return false;
   1.491 +
   1.492 +    *tagp = uint32_t(u >> 32);
   1.493 +    *datap = uint32_t(u);
   1.494 +    return true;
   1.495 +}
   1.496 +
   1.497 +void
   1.498 +SCInput::getPair(const uint64_t *p, uint32_t *tagp, uint32_t *datap)
   1.499 +{
   1.500 +    uint64_t u = LittleEndian::readUint64(p);
   1.501 +    *tagp = uint32_t(u >> 32);
   1.502 +    *datap = uint32_t(u);
   1.503 +}
   1.504 +
   1.505 +bool
   1.506 +SCInput::readDouble(double *p)
   1.507 +{
   1.508 +    union {
   1.509 +        uint64_t u;
   1.510 +        double d;
   1.511 +    } pun;
   1.512 +    if (!read(&pun.u))
   1.513 +        return false;
   1.514 +    *p = CanonicalizeNaN(pun.d);
   1.515 +    return true;
   1.516 +}
   1.517 +
   1.518 +template <typename T>
   1.519 +static void
   1.520 +copyAndSwapFromLittleEndian(T *dest, const void *src, size_t nelems)
   1.521 +{
   1.522 +    if (nelems > 0)
   1.523 +        NativeEndian::copyAndSwapFromLittleEndian(dest, src, nelems);
   1.524 +}
   1.525 +
   1.526 +template <>
   1.527 +void
   1.528 +copyAndSwapFromLittleEndian(uint8_t *dest, const void *src, size_t nelems)
   1.529 +{
   1.530 +    memcpy(dest, src, nelems);
   1.531 +}
   1.532 +
   1.533 +template <class T>
   1.534 +bool
   1.535 +SCInput::readArray(T *p, size_t nelems)
   1.536 +{
   1.537 +    JS_STATIC_ASSERT(sizeof(uint64_t) % sizeof(T) == 0);
   1.538 +
   1.539 +    /*
   1.540 +     * Fail if nelems is so huge as to make JS_HOWMANY overflow or if nwords is
   1.541 +     * larger than the remaining data.
   1.542 +     */
   1.543 +    size_t nwords = JS_HOWMANY(nelems, sizeof(uint64_t) / sizeof(T));
   1.544 +    if (nelems + sizeof(uint64_t) / sizeof(T) - 1 < nelems || nwords > size_t(bufEnd - point))
   1.545 +        return reportTruncated();
   1.546 +
   1.547 +    copyAndSwapFromLittleEndian(p, point, nelems);
   1.548 +    point += nwords;
   1.549 +    return true;
   1.550 +}
   1.551 +
   1.552 +bool
   1.553 +SCInput::readBytes(void *p, size_t nbytes)
   1.554 +{
   1.555 +    return readArray((uint8_t *) p, nbytes);
   1.556 +}
   1.557 +
   1.558 +bool
   1.559 +SCInput::readChars(jschar *p, size_t nchars)
   1.560 +{
   1.561 +    JS_ASSERT(sizeof(jschar) == sizeof(uint16_t));
   1.562 +    return readArray((uint16_t *) p, nchars);
   1.563 +}
   1.564 +
   1.565 +void
   1.566 +SCInput::getPtr(const uint64_t *p, void **ptr)
   1.567 +{
   1.568 +    // No endianness conversion is used for pointers, since they are not sent
   1.569 +    // across address spaces anyway.
   1.570 +    *ptr = reinterpret_cast<void*>(*p);
   1.571 +}
   1.572 +
   1.573 +bool
   1.574 +SCInput::readPtr(void **p)
   1.575 +{
   1.576 +    uint64_t u;
   1.577 +    if (!readNativeEndian(&u))
   1.578 +        return false;
   1.579 +    *p = reinterpret_cast<void*>(u);
   1.580 +    return true;
   1.581 +}
   1.582 +
   1.583 +SCOutput::SCOutput(JSContext *cx) : cx(cx), buf(cx) {}
   1.584 +
   1.585 +bool
   1.586 +SCOutput::write(uint64_t u)
   1.587 +{
   1.588 +    return buf.append(NativeEndian::swapToLittleEndian(u));
   1.589 +}
   1.590 +
   1.591 +bool
   1.592 +SCOutput::writePair(uint32_t tag, uint32_t data)
   1.593 +{
   1.594 +    /*
   1.595 +     * As it happens, the tag word appears after the data word in the output.
   1.596 +     * This is because exponents occupy the last 2 bytes of doubles on the
   1.597 +     * little-endian platforms we care most about.
   1.598 +     *
   1.599 +     * For example, JSVAL_TRUE is written using writePair(SCTAG_BOOLEAN, 1).
   1.600 +     * PairToUInt64 produces the number 0xFFFF000200000001.
   1.601 +     * That is written out as the bytes 01 00 00 00 02 00 FF FF.
   1.602 +     */
   1.603 +    return write(PairToUInt64(tag, data));
   1.604 +}
   1.605 +
   1.606 +static inline uint64_t
   1.607 +ReinterpretDoubleAsUInt64(double d)
   1.608 +{
   1.609 +    union {
   1.610 +        double d;
   1.611 +        uint64_t u;
   1.612 +    } pun;
   1.613 +    pun.d = d;
   1.614 +    return pun.u;
   1.615 +}
   1.616 +
   1.617 +static inline double
   1.618 +ReinterpretUInt64AsDouble(uint64_t u)
   1.619 +{
   1.620 +    union {
   1.621 +        uint64_t u;
   1.622 +        double d;
   1.623 +    } pun;
   1.624 +    pun.u = u;
   1.625 +    return pun.d;
   1.626 +}
   1.627 +
   1.628 +static inline double
   1.629 +ReinterpretPairAsDouble(uint32_t tag, uint32_t data)
   1.630 +{
   1.631 +    return ReinterpretUInt64AsDouble(PairToUInt64(tag, data));
   1.632 +}
   1.633 +
   1.634 +bool
   1.635 +SCOutput::writeDouble(double d)
   1.636 +{
   1.637 +    return write(ReinterpretDoubleAsUInt64(CanonicalizeNaN(d)));
   1.638 +}
   1.639 +
   1.640 +template <typename T>
   1.641 +static void
   1.642 +copyAndSwapToLittleEndian(void *dest, const T *src, size_t nelems)
   1.643 +{
   1.644 +    if (nelems > 0)
   1.645 +        NativeEndian::copyAndSwapToLittleEndian(dest, src, nelems);
   1.646 +}
   1.647 +
   1.648 +template <>
   1.649 +void
   1.650 +copyAndSwapToLittleEndian(void *dest, const uint8_t *src, size_t nelems)
   1.651 +{
   1.652 +    memcpy(dest, src, nelems);
   1.653 +}
   1.654 +
   1.655 +template <class T>
   1.656 +bool
   1.657 +SCOutput::writeArray(const T *p, size_t nelems)
   1.658 +{
   1.659 +    JS_ASSERT(8 % sizeof(T) == 0);
   1.660 +    JS_ASSERT(sizeof(uint64_t) % sizeof(T) == 0);
   1.661 +
   1.662 +    if (nelems == 0)
   1.663 +        return true;
   1.664 +
   1.665 +    if (nelems + sizeof(uint64_t) / sizeof(T) - 1 < nelems) {
   1.666 +        js_ReportAllocationOverflow(context());
   1.667 +        return false;
   1.668 +    }
   1.669 +    size_t nwords = JS_HOWMANY(nelems, sizeof(uint64_t) / sizeof(T));
   1.670 +    size_t start = buf.length();
   1.671 +    if (!buf.growByUninitialized(nwords))
   1.672 +        return false;
   1.673 +
   1.674 +    buf.back() = 0;  /* zero-pad to an 8-byte boundary */
   1.675 +
   1.676 +    T *q = (T *) &buf[start];
   1.677 +    copyAndSwapToLittleEndian(q, p, nelems);
   1.678 +    return true;
   1.679 +}
   1.680 +
   1.681 +bool
   1.682 +SCOutput::writeBytes(const void *p, size_t nbytes)
   1.683 +{
   1.684 +    return writeArray((const uint8_t *) p, nbytes);
   1.685 +}
   1.686 +
   1.687 +bool
   1.688 +SCOutput::writeChars(const jschar *p, size_t nchars)
   1.689 +{
   1.690 +    JS_ASSERT(sizeof(jschar) == sizeof(uint16_t));
   1.691 +    return writeArray((const uint16_t *) p, nchars);
   1.692 +}
   1.693 +
   1.694 +bool
   1.695 +SCOutput::writePtr(const void *p)
   1.696 +{
   1.697 +    return write(reinterpret_cast<uint64_t>(p));
   1.698 +}
   1.699 +
   1.700 +bool
   1.701 +SCOutput::extractBuffer(uint64_t **datap, size_t *sizep)
   1.702 +{
   1.703 +    *sizep = buf.length() * sizeof(uint64_t);
   1.704 +    return (*datap = buf.extractRawBuffer()) != nullptr;
   1.705 +}
   1.706 +
   1.707 +} /* namespace js */
   1.708 +
   1.709 +JS_STATIC_ASSERT(JSString::MAX_LENGTH < UINT32_MAX);
   1.710 +
   1.711 +JSStructuredCloneWriter::~JSStructuredCloneWriter()
   1.712 +{
   1.713 +    // Free any transferable data left lying around in the buffer
   1.714 +    uint64_t *data;
   1.715 +    size_t size;
   1.716 +    MOZ_ALWAYS_TRUE(extractBuffer(&data, &size));
   1.717 +    ClearStructuredClone(data, size, callbacks, closure);
   1.718 +}
   1.719 +
   1.720 +bool
   1.721 +JSStructuredCloneWriter::parseTransferable()
   1.722 +{
   1.723 +    MOZ_ASSERT(transferableObjects.empty(), "parseTransferable called with stale data");
   1.724 +
   1.725 +    if (JSVAL_IS_NULL(transferable) || JSVAL_IS_VOID(transferable))
   1.726 +        return true;
   1.727 +
   1.728 +    if (!transferable.isObject())
   1.729 +        return reportErrorTransferable();
   1.730 +
   1.731 +    JSContext *cx = context();
   1.732 +    RootedObject array(cx, &transferable.toObject());
   1.733 +    if (!JS_IsArrayObject(cx, array))
   1.734 +        return reportErrorTransferable();
   1.735 +
   1.736 +    uint32_t length;
   1.737 +    if (!JS_GetArrayLength(cx, array, &length)) {
   1.738 +        return false;
   1.739 +    }
   1.740 +
   1.741 +    RootedValue v(context());
   1.742 +
   1.743 +    for (uint32_t i = 0; i < length; ++i) {
   1.744 +        if (!JS_GetElement(cx, array, i, &v))
   1.745 +            return false;
   1.746 +
   1.747 +        if (!v.isObject())
   1.748 +            return reportErrorTransferable();
   1.749 +
   1.750 +        RootedObject tObj(context(), CheckedUnwrap(&v.toObject()));
   1.751 +
   1.752 +        if (!tObj) {
   1.753 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr, JSMSG_UNWRAP_DENIED);
   1.754 +            return false;
   1.755 +        }
   1.756 +
   1.757 +        // No duplicates allowed
   1.758 +        if (std::find(transferableObjects.begin(), transferableObjects.end(), tObj) != transferableObjects.end()) {
   1.759 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr, JSMSG_SC_DUP_TRANSFERABLE);
   1.760 +            return false;
   1.761 +        }
   1.762 +
   1.763 +        if (!transferableObjects.append(tObj))
   1.764 +            return false;
   1.765 +    }
   1.766 +
   1.767 +    return true;
   1.768 +}
   1.769 +
   1.770 +bool
   1.771 +JSStructuredCloneWriter::reportErrorTransferable()
   1.772 +{
   1.773 +    ReportErrorTransferable(context(), callbacks);
   1.774 +    return false;
   1.775 +}
   1.776 +
   1.777 +bool
   1.778 +JSStructuredCloneWriter::writeString(uint32_t tag, JSString *str)
   1.779 +{
   1.780 +    size_t length = str->length();
   1.781 +    const jschar *chars = str->getChars(context());
   1.782 +    if (!chars)
   1.783 +        return false;
   1.784 +    return out.writePair(tag, uint32_t(length)) && out.writeChars(chars, length);
   1.785 +}
   1.786 +
   1.787 +bool
   1.788 +JSStructuredCloneWriter::writeId(jsid id)
   1.789 +{
   1.790 +    if (JSID_IS_INT(id))
   1.791 +        return out.writePair(SCTAG_INDEX, uint32_t(JSID_TO_INT(id)));
   1.792 +    JS_ASSERT(JSID_IS_STRING(id));
   1.793 +    return writeString(SCTAG_STRING, JSID_TO_STRING(id));
   1.794 +}
   1.795 +
   1.796 +inline void
   1.797 +JSStructuredCloneWriter::checkStack()
   1.798 +{
   1.799 +#ifdef DEBUG
   1.800 +    /* To avoid making serialization O(n^2), limit stack-checking at 10. */
   1.801 +    const size_t MAX = 10;
   1.802 +
   1.803 +    size_t limit = Min(counts.length(), MAX);
   1.804 +    JS_ASSERT(objs.length() == counts.length());
   1.805 +    size_t total = 0;
   1.806 +    for (size_t i = 0; i < limit; i++) {
   1.807 +        JS_ASSERT(total + counts[i] >= total);
   1.808 +        total += counts[i];
   1.809 +    }
   1.810 +    if (counts.length() <= MAX)
   1.811 +        JS_ASSERT(total == ids.length());
   1.812 +    else
   1.813 +        JS_ASSERT(total <= ids.length());
   1.814 +
   1.815 +    size_t j = objs.length();
   1.816 +    for (size_t i = 0; i < limit; i++)
   1.817 +        JS_ASSERT(memory.has(&objs[--j].toObject()));
   1.818 +#endif
   1.819 +}
   1.820 +
   1.821 +/*
   1.822 + * Write out a typed array. Note that post-v1 structured clone buffers do not
   1.823 + * perform endianness conversion on stored data, so multibyte typed arrays
   1.824 + * cannot be deserialized into a different endianness machine. Endianness
   1.825 + * conversion would prevent sharing ArrayBuffers: if you have Int8Array and
   1.826 + * Int16Array views of the same ArrayBuffer, should the data bytes be
   1.827 + * byte-swapped when writing or not? The Int8Array requires them to not be
   1.828 + * swapped; the Int16Array requires that they are.
   1.829 + */
   1.830 +bool
   1.831 +JSStructuredCloneWriter::writeTypedArray(HandleObject obj)
   1.832 +{
   1.833 +    Rooted<TypedArrayObject*> tarr(context(), &obj->as<TypedArrayObject>());
   1.834 +
   1.835 +    if (!TypedArrayObject::ensureHasBuffer(context(), tarr))
   1.836 +        return false;
   1.837 +
   1.838 +    if (!out.writePair(SCTAG_TYPED_ARRAY_OBJECT, tarr->length()))
   1.839 +        return false;
   1.840 +    uint64_t type = tarr->type();
   1.841 +    if (!out.write(type))
   1.842 +        return false;
   1.843 +
   1.844 +    // Write out the ArrayBuffer tag and contents
   1.845 +    RootedValue val(context(), TypedArrayObject::bufferValue(tarr));
   1.846 +    if (!startWrite(val))
   1.847 +        return false;
   1.848 +
   1.849 +    return out.write(tarr->byteOffset());
   1.850 +}
   1.851 +
   1.852 +bool
   1.853 +JSStructuredCloneWriter::writeArrayBuffer(HandleObject obj)
   1.854 +{
   1.855 +    ArrayBufferObject &buffer = obj->as<ArrayBufferObject>();
   1.856 +
   1.857 +    return out.writePair(SCTAG_ARRAY_BUFFER_OBJECT, buffer.byteLength()) &&
   1.858 +           out.writeBytes(buffer.dataPointer(), buffer.byteLength());
   1.859 +}
   1.860 +
   1.861 +bool
   1.862 +JSStructuredCloneWriter::startObject(HandleObject obj, bool *backref)
   1.863 +{
   1.864 +    /* Handle cycles in the object graph. */
   1.865 +    CloneMemory::AddPtr p = memory.lookupForAdd(obj);
   1.866 +    if ((*backref = p))
   1.867 +        return out.writePair(SCTAG_BACK_REFERENCE_OBJECT, p->value());
   1.868 +    if (!memory.add(p, obj, memory.count()))
   1.869 +        return false;
   1.870 +
   1.871 +    if (memory.count() == UINT32_MAX) {
   1.872 +        JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
   1.873 +                             JSMSG_NEED_DIET, "object graph to serialize");
   1.874 +        return false;
   1.875 +    }
   1.876 +
   1.877 +    return true;
   1.878 +}
   1.879 +
   1.880 +bool
   1.881 +JSStructuredCloneWriter::traverseObject(HandleObject obj)
   1.882 +{
   1.883 +    /*
   1.884 +     * Get enumerable property ids and put them in reverse order so that they
   1.885 +     * will come off the stack in forward order.
   1.886 +     */
   1.887 +    size_t initialLength = ids.length();
   1.888 +    if (!GetPropertyNames(context(), obj, JSITER_OWNONLY, &ids))
   1.889 +        return false;
   1.890 +    jsid *begin = ids.begin() + initialLength, *end = ids.end();
   1.891 +    size_t count = size_t(end - begin);
   1.892 +    Reverse(begin, end);
   1.893 +
   1.894 +    /* Push obj and count to the stack. */
   1.895 +    if (!objs.append(ObjectValue(*obj)) || !counts.append(count))
   1.896 +        return false;
   1.897 +    checkStack();
   1.898 +
   1.899 +    /* Write the header for obj. */
   1.900 +    return out.writePair(obj->is<ArrayObject>() ? SCTAG_ARRAY_OBJECT : SCTAG_OBJECT_OBJECT, 0);
   1.901 +}
   1.902 +
   1.903 +static bool
   1.904 +PrimitiveToObject(JSContext *cx, Value *vp)
   1.905 +{
   1.906 +    JSObject *obj = PrimitiveToObject(cx, *vp);
   1.907 +    if (!obj)
   1.908 +        return false;
   1.909 +
   1.910 +    vp->setObject(*obj);
   1.911 +    return true;
   1.912 +}
   1.913 +
   1.914 +bool
   1.915 +JSStructuredCloneWriter::startWrite(const Value &v)
   1.916 +{
   1.917 +    assertSameCompartment(context(), v);
   1.918 +
   1.919 +    if (v.isString()) {
   1.920 +        return writeString(SCTAG_STRING, v.toString());
   1.921 +    } else if (v.isNumber()) {
   1.922 +        return out.writeDouble(v.toNumber());
   1.923 +    } else if (v.isBoolean()) {
   1.924 +        return out.writePair(SCTAG_BOOLEAN, v.toBoolean());
   1.925 +    } else if (v.isNull()) {
   1.926 +        return out.writePair(SCTAG_NULL, 0);
   1.927 +    } else if (v.isUndefined()) {
   1.928 +        return out.writePair(SCTAG_UNDEFINED, 0);
   1.929 +    } else if (v.isObject()) {
   1.930 +        RootedObject obj(context(), &v.toObject());
   1.931 +
   1.932 +        // The object might be a security wrapper. See if we can clone what's
   1.933 +        // behind it. If we can, unwrap the object.
   1.934 +        obj = CheckedUnwrap(obj);
   1.935 +        if (!obj) {
   1.936 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr, JSMSG_UNWRAP_DENIED);
   1.937 +            return false;
   1.938 +        }
   1.939 +
   1.940 +        AutoCompartment ac(context(), obj);
   1.941 +
   1.942 +        bool backref;
   1.943 +        if (!startObject(obj, &backref))
   1.944 +            return false;
   1.945 +        if (backref)
   1.946 +            return true;
   1.947 +
   1.948 +        if (obj->is<RegExpObject>()) {
   1.949 +            RegExpObject &reobj = obj->as<RegExpObject>();
   1.950 +            return out.writePair(SCTAG_REGEXP_OBJECT, reobj.getFlags()) &&
   1.951 +                   writeString(SCTAG_STRING, reobj.getSource());
   1.952 +        } else if (obj->is<DateObject>()) {
   1.953 +            double d = js_DateGetMsecSinceEpoch(obj);
   1.954 +            return out.writePair(SCTAG_DATE_OBJECT, 0) && out.writeDouble(d);
   1.955 +        } else if (obj->is<TypedArrayObject>()) {
   1.956 +            return writeTypedArray(obj);
   1.957 +        } else if (obj->is<ArrayBufferObject>() && obj->as<ArrayBufferObject>().hasData()) {
   1.958 +            return writeArrayBuffer(obj);
   1.959 +        } else if (obj->is<JSObject>() || obj->is<ArrayObject>()) {
   1.960 +            return traverseObject(obj);
   1.961 +        } else if (obj->is<BooleanObject>()) {
   1.962 +            return out.writePair(SCTAG_BOOLEAN_OBJECT, obj->as<BooleanObject>().unbox());
   1.963 +        } else if (obj->is<NumberObject>()) {
   1.964 +            return out.writePair(SCTAG_NUMBER_OBJECT, 0) &&
   1.965 +                   out.writeDouble(obj->as<NumberObject>().unbox());
   1.966 +        } else if (obj->is<StringObject>()) {
   1.967 +            return writeString(SCTAG_STRING_OBJECT, obj->as<StringObject>().unbox());
   1.968 +        }
   1.969 +
   1.970 +        if (callbacks && callbacks->write)
   1.971 +            return callbacks->write(context(), this, obj, closure);
   1.972 +        /* else fall through */
   1.973 +    }
   1.974 +
   1.975 +    JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr, JSMSG_SC_UNSUPPORTED_TYPE);
   1.976 +    return false;
   1.977 +}
   1.978 +
   1.979 +bool
   1.980 +JSStructuredCloneWriter::writeTransferMap()
   1.981 +{
   1.982 +    if (transferableObjects.empty())
   1.983 +        return true;
   1.984 +
   1.985 +    if (!out.writePair(SCTAG_TRANSFER_MAP_HEADER, (uint32_t)SCTAG_TM_UNREAD))
   1.986 +        return false;
   1.987 +
   1.988 +    if (!out.write(transferableObjects.length()))
   1.989 +        return false;
   1.990 +
   1.991 +    for (JS::AutoObjectVector::Range tr = transferableObjects.all(); !tr.empty(); tr.popFront()) {
   1.992 +        JSObject *obj = tr.front();
   1.993 +
   1.994 +        if (!memory.put(obj, memory.count()))
   1.995 +            return false;
   1.996 +
   1.997 +        // Emit a placeholder pointer. We will steal the data and neuter the
   1.998 +        // transferable later, in the case of ArrayBufferObject.
   1.999 +        if (!out.writePair(SCTAG_TRANSFER_MAP_PENDING_ENTRY, JS::SCTAG_TMO_UNFILLED))
  1.1000 +            return false;
  1.1001 +        if (!out.writePtr(nullptr)) // Pointer to ArrayBuffer contents or to SharedArrayRawBuffer.
  1.1002 +            return false;
  1.1003 +        if (!out.write(0)) // extraData
  1.1004 +            return false;
  1.1005 +    }
  1.1006 +
  1.1007 +    return true;
  1.1008 +}
  1.1009 +
  1.1010 +bool
  1.1011 +JSStructuredCloneWriter::transferOwnership()
  1.1012 +{
  1.1013 +    if (transferableObjects.empty())
  1.1014 +        return true;
  1.1015 +
  1.1016 +    // Walk along the transferables and the transfer map at the same time,
  1.1017 +    // grabbing out pointers from the transferables and stuffing them into the
  1.1018 +    // transfer map.
  1.1019 +    uint64_t *point = out.rawBuffer();
  1.1020 +    JS_ASSERT(uint32_t(LittleEndian::readUint64(point) >> 32) == SCTAG_TRANSFER_MAP_HEADER);
  1.1021 +    point++;
  1.1022 +    JS_ASSERT(LittleEndian::readUint64(point) == transferableObjects.length());
  1.1023 +    point++;
  1.1024 +
  1.1025 +    for (JS::AutoObjectVector::Range tr = transferableObjects.all(); !tr.empty(); tr.popFront()) {
  1.1026 +        RootedObject obj(context(), tr.front());
  1.1027 +
  1.1028 +        uint32_t tag;
  1.1029 +        JS::TransferableOwnership ownership;
  1.1030 +        void *content;
  1.1031 +        uint64_t extraData;
  1.1032 +
  1.1033 +#if DEBUG
  1.1034 +        SCInput::getPair(point, &tag, (uint32_t*) &ownership);
  1.1035 +        MOZ_ASSERT(tag == SCTAG_TRANSFER_MAP_PENDING_ENTRY);
  1.1036 +        MOZ_ASSERT(ownership == JS::SCTAG_TMO_UNFILLED);
  1.1037 +#endif
  1.1038 +
  1.1039 +        if (obj->is<ArrayBufferObject>()) {
  1.1040 +            size_t nbytes = obj->as<ArrayBufferObject>().byteLength();
  1.1041 +            content = JS_StealArrayBufferContents(context(), obj);
  1.1042 +            if (!content)
  1.1043 +                return false; // Destructor will clean up the already-transferred data
  1.1044 +            tag = SCTAG_TRANSFER_MAP_ARRAY_BUFFER;
  1.1045 +            if (obj->as<ArrayBufferObject>().isMappedArrayBuffer())
  1.1046 +                ownership = JS::SCTAG_TMO_MAPPED_DATA;
  1.1047 +            else
  1.1048 +                ownership = JS::SCTAG_TMO_ALLOC_DATA;
  1.1049 +            extraData = nbytes;
  1.1050 +        } else if (obj->is<SharedArrayBufferObject>()) {
  1.1051 +            SharedArrayRawBuffer *rawbuf = obj->as<SharedArrayBufferObject>().rawBufferObject();
  1.1052 +
  1.1053 +            // Avoids a race condition where the parent thread frees the buffer
  1.1054 +            // before the child has accepted the transferable.
  1.1055 +            rawbuf->addReference();
  1.1056 +
  1.1057 +            tag = SCTAG_TRANSFER_MAP_SHARED_BUFFER;
  1.1058 +            ownership = JS::SCTAG_TMO_SHARED_BUFFER;
  1.1059 +            content = rawbuf;
  1.1060 +            extraData = 0;
  1.1061 +        } else {
  1.1062 +            if (!callbacks || !callbacks->writeTransfer)
  1.1063 +                return reportErrorTransferable();
  1.1064 +            if (!callbacks->writeTransfer(context(), obj, closure, &tag, &ownership, &content, &extraData))
  1.1065 +                return false;
  1.1066 +            JS_ASSERT(tag > SCTAG_TRANSFER_MAP_PENDING_ENTRY);
  1.1067 +        }
  1.1068 +
  1.1069 +        LittleEndian::writeUint64(point++, PairToUInt64(tag, ownership));
  1.1070 +        LittleEndian::writeUint64(point++, reinterpret_cast<uint64_t>(content));
  1.1071 +        LittleEndian::writeUint64(point++, extraData);
  1.1072 +    }
  1.1073 +
  1.1074 +    JS_ASSERT(point <= out.rawBuffer() + out.count());
  1.1075 +    JS_ASSERT_IF(point < out.rawBuffer() + out.count(),
  1.1076 +                 uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER);
  1.1077 +
  1.1078 +    return true;
  1.1079 +}
  1.1080 +
  1.1081 +bool
  1.1082 +JSStructuredCloneWriter::write(const Value &v)
  1.1083 +{
  1.1084 +    if (!startWrite(v))
  1.1085 +        return false;
  1.1086 +
  1.1087 +    while (!counts.empty()) {
  1.1088 +        RootedObject obj(context(), &objs.back().toObject());
  1.1089 +        AutoCompartment ac(context(), obj);
  1.1090 +        if (counts.back()) {
  1.1091 +            counts.back()--;
  1.1092 +            RootedId id(context(), ids.back());
  1.1093 +            ids.popBack();
  1.1094 +            checkStack();
  1.1095 +            if (JSID_IS_STRING(id) || JSID_IS_INT(id)) {
  1.1096 +                /*
  1.1097 +                 * If obj still has an own property named id, write it out.
  1.1098 +                 * The cost of re-checking could be avoided by using
  1.1099 +                 * NativeIterators.
  1.1100 +                 */
  1.1101 +                bool found;
  1.1102 +                if (!HasOwnProperty(context(), obj, id, &found))
  1.1103 +                    return false;
  1.1104 +
  1.1105 +                if (found) {
  1.1106 +                    RootedValue val(context());
  1.1107 +                    if (!writeId(id) ||
  1.1108 +                        !JSObject::getGeneric(context(), obj, obj, id, &val) ||
  1.1109 +                        !startWrite(val))
  1.1110 +                        return false;
  1.1111 +                }
  1.1112 +            }
  1.1113 +        } else {
  1.1114 +            out.writePair(SCTAG_NULL, 0);
  1.1115 +            objs.popBack();
  1.1116 +            counts.popBack();
  1.1117 +        }
  1.1118 +    }
  1.1119 +
  1.1120 +    memory.clear();
  1.1121 +    return transferOwnership();
  1.1122 +}
  1.1123 +
  1.1124 +bool
  1.1125 +JSStructuredCloneReader::checkDouble(double d)
  1.1126 +{
  1.1127 +    jsval_layout l;
  1.1128 +    l.asDouble = d;
  1.1129 +    if (!JSVAL_IS_DOUBLE_IMPL(l)) {
  1.1130 +        JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1131 +                             JSMSG_SC_BAD_SERIALIZED_DATA, "unrecognized NaN");
  1.1132 +        return false;
  1.1133 +    }
  1.1134 +    return true;
  1.1135 +}
  1.1136 +
  1.1137 +namespace {
  1.1138 +
  1.1139 +class Chars {
  1.1140 +    JSContext *cx;
  1.1141 +    jschar *p;
  1.1142 +  public:
  1.1143 +    Chars(JSContext *cx) : cx(cx), p(nullptr) {}
  1.1144 +    ~Chars() { js_free(p); }
  1.1145 +
  1.1146 +    bool allocate(size_t len) {
  1.1147 +        JS_ASSERT(!p);
  1.1148 +        // We're going to null-terminate!
  1.1149 +        p = cx->pod_malloc<jschar>(len + 1);
  1.1150 +        if (p) {
  1.1151 +            p[len] = jschar(0);
  1.1152 +            return true;
  1.1153 +        }
  1.1154 +        return false;
  1.1155 +    }
  1.1156 +    jschar *get() { return p; }
  1.1157 +    void forget() { p = nullptr; }
  1.1158 +};
  1.1159 +
  1.1160 +} /* anonymous namespace */
  1.1161 +
  1.1162 +JSString *
  1.1163 +JSStructuredCloneReader::readString(uint32_t nchars)
  1.1164 +{
  1.1165 +    if (nchars > JSString::MAX_LENGTH) {
  1.1166 +        JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1167 +                             JSMSG_SC_BAD_SERIALIZED_DATA, "string length");
  1.1168 +        return nullptr;
  1.1169 +    }
  1.1170 +    Chars chars(context());
  1.1171 +    if (!chars.allocate(nchars) || !in.readChars(chars.get(), nchars))
  1.1172 +        return nullptr;
  1.1173 +    JSString *str = js_NewString<CanGC>(context(), chars.get(), nchars);
  1.1174 +    if (str)
  1.1175 +        chars.forget();
  1.1176 +    return str;
  1.1177 +}
  1.1178 +
  1.1179 +static uint32_t
  1.1180 +TagToV1ArrayType(uint32_t tag)
  1.1181 +{
  1.1182 +    JS_ASSERT(tag >= SCTAG_TYPED_ARRAY_V1_MIN && tag <= SCTAG_TYPED_ARRAY_V1_MAX);
  1.1183 +    return tag - SCTAG_TYPED_ARRAY_V1_MIN;
  1.1184 +}
  1.1185 +
  1.1186 +bool
  1.1187 +JSStructuredCloneReader::readTypedArray(uint32_t arrayType, uint32_t nelems, Value *vp,
  1.1188 +                                        bool v1Read)
  1.1189 +{
  1.1190 +    if (arrayType > ScalarTypeDescr::TYPE_UINT8_CLAMPED) {
  1.1191 +        JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1192 +                             JSMSG_SC_BAD_SERIALIZED_DATA, "unhandled typed array element type");
  1.1193 +        return false;
  1.1194 +    }
  1.1195 +
  1.1196 +    // Push a placeholder onto the allObjs list to stand in for the typed array
  1.1197 +    uint32_t placeholderIndex = allObjs.length();
  1.1198 +    Value dummy = JSVAL_NULL;
  1.1199 +    if (!allObjs.append(dummy))
  1.1200 +        return false;
  1.1201 +
  1.1202 +    // Read the ArrayBuffer object and its contents (but no properties)
  1.1203 +    RootedValue v(context());
  1.1204 +    uint32_t byteOffset;
  1.1205 +    if (v1Read) {
  1.1206 +        if (!readV1ArrayBuffer(arrayType, nelems, v.address()))
  1.1207 +            return false;
  1.1208 +        byteOffset = 0;
  1.1209 +    } else {
  1.1210 +        if (!startRead(v.address()))
  1.1211 +            return false;
  1.1212 +        uint64_t n;
  1.1213 +        if (!in.read(&n))
  1.1214 +            return false;
  1.1215 +        byteOffset = n;
  1.1216 +    }
  1.1217 +    RootedObject buffer(context(), &v.toObject());
  1.1218 +    RootedObject obj(context(), nullptr);
  1.1219 +
  1.1220 +    switch (arrayType) {
  1.1221 +      case ScalarTypeDescr::TYPE_INT8:
  1.1222 +        obj = JS_NewInt8ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1223 +        break;
  1.1224 +      case ScalarTypeDescr::TYPE_UINT8:
  1.1225 +        obj = JS_NewUint8ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1226 +        break;
  1.1227 +      case ScalarTypeDescr::TYPE_INT16:
  1.1228 +        obj = JS_NewInt16ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1229 +        break;
  1.1230 +      case ScalarTypeDescr::TYPE_UINT16:
  1.1231 +        obj = JS_NewUint16ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1232 +        break;
  1.1233 +      case ScalarTypeDescr::TYPE_INT32:
  1.1234 +        obj = JS_NewInt32ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1235 +        break;
  1.1236 +      case ScalarTypeDescr::TYPE_UINT32:
  1.1237 +        obj = JS_NewUint32ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1238 +        break;
  1.1239 +      case ScalarTypeDescr::TYPE_FLOAT32:
  1.1240 +        obj = JS_NewFloat32ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1241 +        break;
  1.1242 +      case ScalarTypeDescr::TYPE_FLOAT64:
  1.1243 +        obj = JS_NewFloat64ArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1244 +        break;
  1.1245 +      case ScalarTypeDescr::TYPE_UINT8_CLAMPED:
  1.1246 +        obj = JS_NewUint8ClampedArrayWithBuffer(context(), buffer, byteOffset, nelems);
  1.1247 +        break;
  1.1248 +      default:
  1.1249 +        MOZ_ASSUME_UNREACHABLE("unknown TypedArrayObject type");
  1.1250 +    }
  1.1251 +
  1.1252 +    if (!obj)
  1.1253 +        return false;
  1.1254 +    vp->setObject(*obj);
  1.1255 +
  1.1256 +    allObjs[placeholderIndex] = *vp;
  1.1257 +
  1.1258 +    return true;
  1.1259 +}
  1.1260 +
  1.1261 +bool
  1.1262 +JSStructuredCloneReader::readArrayBuffer(uint32_t nbytes, Value *vp)
  1.1263 +{
  1.1264 +    JSObject *obj = ArrayBufferObject::create(context(), nbytes);
  1.1265 +    if (!obj)
  1.1266 +        return false;
  1.1267 +    vp->setObject(*obj);
  1.1268 +    ArrayBufferObject &buffer = obj->as<ArrayBufferObject>();
  1.1269 +    JS_ASSERT(buffer.byteLength() == nbytes);
  1.1270 +    return in.readArray(buffer.dataPointer(), nbytes);
  1.1271 +}
  1.1272 +
  1.1273 +static size_t
  1.1274 +bytesPerTypedArrayElement(uint32_t arrayType)
  1.1275 +{
  1.1276 +    switch (arrayType) {
  1.1277 +      case ScalarTypeDescr::TYPE_INT8:
  1.1278 +      case ScalarTypeDescr::TYPE_UINT8:
  1.1279 +      case ScalarTypeDescr::TYPE_UINT8_CLAMPED:
  1.1280 +        return sizeof(uint8_t);
  1.1281 +      case ScalarTypeDescr::TYPE_INT16:
  1.1282 +      case ScalarTypeDescr::TYPE_UINT16:
  1.1283 +        return sizeof(uint16_t);
  1.1284 +      case ScalarTypeDescr::TYPE_INT32:
  1.1285 +      case ScalarTypeDescr::TYPE_UINT32:
  1.1286 +      case ScalarTypeDescr::TYPE_FLOAT32:
  1.1287 +        return sizeof(uint32_t);
  1.1288 +      case ScalarTypeDescr::TYPE_FLOAT64:
  1.1289 +        return sizeof(uint64_t);
  1.1290 +      default:
  1.1291 +        MOZ_ASSUME_UNREACHABLE("unknown TypedArrayObject type");
  1.1292 +    }
  1.1293 +}
  1.1294 +
  1.1295 +/*
  1.1296 + * Read in the data for a structured clone version 1 ArrayBuffer, performing
  1.1297 + * endianness-conversion while reading.
  1.1298 + */
  1.1299 +bool
  1.1300 +JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems, Value *vp)
  1.1301 +{
  1.1302 +    JS_ASSERT(arrayType <= ScalarTypeDescr::TYPE_UINT8_CLAMPED);
  1.1303 +
  1.1304 +    uint32_t nbytes = nelems * bytesPerTypedArrayElement(arrayType);
  1.1305 +    JSObject *obj = ArrayBufferObject::create(context(), nbytes);
  1.1306 +    if (!obj)
  1.1307 +        return false;
  1.1308 +    vp->setObject(*obj);
  1.1309 +    ArrayBufferObject &buffer = obj->as<ArrayBufferObject>();
  1.1310 +    JS_ASSERT(buffer.byteLength() == nbytes);
  1.1311 +
  1.1312 +    switch (arrayType) {
  1.1313 +      case ScalarTypeDescr::TYPE_INT8:
  1.1314 +      case ScalarTypeDescr::TYPE_UINT8:
  1.1315 +      case ScalarTypeDescr::TYPE_UINT8_CLAMPED:
  1.1316 +        return in.readArray((uint8_t*) buffer.dataPointer(), nelems);
  1.1317 +      case ScalarTypeDescr::TYPE_INT16:
  1.1318 +      case ScalarTypeDescr::TYPE_UINT16:
  1.1319 +        return in.readArray((uint16_t*) buffer.dataPointer(), nelems);
  1.1320 +      case ScalarTypeDescr::TYPE_INT32:
  1.1321 +      case ScalarTypeDescr::TYPE_UINT32:
  1.1322 +      case ScalarTypeDescr::TYPE_FLOAT32:
  1.1323 +        return in.readArray((uint32_t*) buffer.dataPointer(), nelems);
  1.1324 +      case ScalarTypeDescr::TYPE_FLOAT64:
  1.1325 +        return in.readArray((uint64_t*) buffer.dataPointer(), nelems);
  1.1326 +      default:
  1.1327 +        MOZ_ASSUME_UNREACHABLE("unknown TypedArrayObject type");
  1.1328 +    }
  1.1329 +}
  1.1330 +
  1.1331 +bool
  1.1332 +JSStructuredCloneReader::startRead(Value *vp)
  1.1333 +{
  1.1334 +    uint32_t tag, data;
  1.1335 +
  1.1336 +    if (!in.readPair(&tag, &data))
  1.1337 +        return false;
  1.1338 +    switch (tag) {
  1.1339 +      case SCTAG_NULL:
  1.1340 +        vp->setNull();
  1.1341 +        break;
  1.1342 +
  1.1343 +      case SCTAG_UNDEFINED:
  1.1344 +        vp->setUndefined();
  1.1345 +        break;
  1.1346 +
  1.1347 +      case SCTAG_BOOLEAN:
  1.1348 +      case SCTAG_BOOLEAN_OBJECT:
  1.1349 +        vp->setBoolean(!!data);
  1.1350 +        if (tag == SCTAG_BOOLEAN_OBJECT && !PrimitiveToObject(context(), vp))
  1.1351 +            return false;
  1.1352 +        break;
  1.1353 +
  1.1354 +      case SCTAG_STRING:
  1.1355 +      case SCTAG_STRING_OBJECT: {
  1.1356 +        JSString *str = readString(data);
  1.1357 +        if (!str)
  1.1358 +            return false;
  1.1359 +        vp->setString(str);
  1.1360 +        if (tag == SCTAG_STRING_OBJECT && !PrimitiveToObject(context(), vp))
  1.1361 +            return false;
  1.1362 +        break;
  1.1363 +      }
  1.1364 +
  1.1365 +      case SCTAG_NUMBER_OBJECT: {
  1.1366 +        double d;
  1.1367 +        if (!in.readDouble(&d) || !checkDouble(d))
  1.1368 +            return false;
  1.1369 +        vp->setDouble(d);
  1.1370 +        if (!PrimitiveToObject(context(), vp))
  1.1371 +            return false;
  1.1372 +        break;
  1.1373 +      }
  1.1374 +
  1.1375 +      case SCTAG_DATE_OBJECT: {
  1.1376 +        double d;
  1.1377 +        if (!in.readDouble(&d) || !checkDouble(d))
  1.1378 +            return false;
  1.1379 +        if (!IsNaN(d) && d != TimeClip(d)) {
  1.1380 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1381 +                                 JSMSG_SC_BAD_SERIALIZED_DATA, "date");
  1.1382 +            return false;
  1.1383 +        }
  1.1384 +        JSObject *obj = js_NewDateObjectMsec(context(), d);
  1.1385 +        if (!obj)
  1.1386 +            return false;
  1.1387 +        vp->setObject(*obj);
  1.1388 +        break;
  1.1389 +      }
  1.1390 +
  1.1391 +      case SCTAG_REGEXP_OBJECT: {
  1.1392 +        RegExpFlag flags = RegExpFlag(data);
  1.1393 +        uint32_t tag2, nchars;
  1.1394 +        if (!in.readPair(&tag2, &nchars))
  1.1395 +            return false;
  1.1396 +        if (tag2 != SCTAG_STRING) {
  1.1397 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1398 +                                 JSMSG_SC_BAD_SERIALIZED_DATA, "regexp");
  1.1399 +            return false;
  1.1400 +        }
  1.1401 +        JSString *str = readString(nchars);
  1.1402 +        if (!str)
  1.1403 +            return false;
  1.1404 +        JSFlatString *flat = str->ensureFlat(context());
  1.1405 +        if (!flat)
  1.1406 +            return false;
  1.1407 +
  1.1408 +        RegExpObject *reobj = RegExpObject::createNoStatics(context(), flat->chars(),
  1.1409 +                                                            flat->length(), flags, nullptr);
  1.1410 +        if (!reobj)
  1.1411 +            return false;
  1.1412 +        vp->setObject(*reobj);
  1.1413 +        break;
  1.1414 +      }
  1.1415 +
  1.1416 +      case SCTAG_ARRAY_OBJECT:
  1.1417 +      case SCTAG_OBJECT_OBJECT: {
  1.1418 +        JSObject *obj = (tag == SCTAG_ARRAY_OBJECT)
  1.1419 +                        ? NewDenseEmptyArray(context())
  1.1420 +                        : NewBuiltinClassInstance(context(), &JSObject::class_);
  1.1421 +        if (!obj || !objs.append(ObjectValue(*obj)))
  1.1422 +            return false;
  1.1423 +        vp->setObject(*obj);
  1.1424 +        break;
  1.1425 +      }
  1.1426 +
  1.1427 +      case SCTAG_BACK_REFERENCE_OBJECT: {
  1.1428 +        if (data >= allObjs.length()) {
  1.1429 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1430 +                                 JSMSG_SC_BAD_SERIALIZED_DATA,
  1.1431 +                                 "invalid back reference in input");
  1.1432 +            return false;
  1.1433 +        }
  1.1434 +        *vp = allObjs[data];
  1.1435 +        return true;
  1.1436 +      }
  1.1437 +
  1.1438 +      case SCTAG_TRANSFER_MAP_HEADER:
  1.1439 +      case SCTAG_TRANSFER_MAP_PENDING_ENTRY:
  1.1440 +        // We should be past all the transfer map tags.
  1.1441 +        JS_ReportErrorNumber(context(), js_GetErrorMessage, NULL,
  1.1442 +                             JSMSG_SC_BAD_SERIALIZED_DATA,
  1.1443 +                             "invalid input");
  1.1444 +        return false;
  1.1445 +
  1.1446 +      case SCTAG_ARRAY_BUFFER_OBJECT:
  1.1447 +        if (!readArrayBuffer(data, vp))
  1.1448 +            return false;
  1.1449 +        break;
  1.1450 +
  1.1451 +      case SCTAG_TYPED_ARRAY_OBJECT:
  1.1452 +        // readTypedArray adds the array to allObjs
  1.1453 +        uint64_t arrayType;
  1.1454 +        if (!in.read(&arrayType))
  1.1455 +            return false;
  1.1456 +        return readTypedArray(arrayType, data, vp);
  1.1457 +        break;
  1.1458 +
  1.1459 +      default: {
  1.1460 +        if (tag <= SCTAG_FLOAT_MAX) {
  1.1461 +            double d = ReinterpretPairAsDouble(tag, data);
  1.1462 +            if (!checkDouble(d))
  1.1463 +                return false;
  1.1464 +            vp->setNumber(d);
  1.1465 +            break;
  1.1466 +        }
  1.1467 +
  1.1468 +        if (SCTAG_TYPED_ARRAY_V1_MIN <= tag && tag <= SCTAG_TYPED_ARRAY_V1_MAX) {
  1.1469 +            // A v1-format typed array
  1.1470 +            // readTypedArray adds the array to allObjs
  1.1471 +            return readTypedArray(TagToV1ArrayType(tag), data, vp, true);
  1.1472 +        }
  1.1473 +
  1.1474 +        if (!callbacks || !callbacks->read) {
  1.1475 +            JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1476 +                                 JSMSG_SC_BAD_SERIALIZED_DATA, "unsupported type");
  1.1477 +            return false;
  1.1478 +        }
  1.1479 +        JSObject *obj = callbacks->read(context(), this, tag, data, closure);
  1.1480 +        if (!obj)
  1.1481 +            return false;
  1.1482 +        vp->setObject(*obj);
  1.1483 +      }
  1.1484 +    }
  1.1485 +
  1.1486 +    if (vp->isObject() && !allObjs.append(*vp))
  1.1487 +        return false;
  1.1488 +
  1.1489 +    return true;
  1.1490 +}
  1.1491 +
  1.1492 +bool
  1.1493 +JSStructuredCloneReader::readId(jsid *idp)
  1.1494 +{
  1.1495 +    uint32_t tag, data;
  1.1496 +    if (!in.readPair(&tag, &data))
  1.1497 +        return false;
  1.1498 +
  1.1499 +    if (tag == SCTAG_INDEX) {
  1.1500 +        *idp = INT_TO_JSID(int32_t(data));
  1.1501 +        return true;
  1.1502 +    }
  1.1503 +    if (tag == SCTAG_STRING) {
  1.1504 +        JSString *str = readString(data);
  1.1505 +        if (!str)
  1.1506 +            return false;
  1.1507 +        JSAtom *atom = AtomizeString(context(), str);
  1.1508 +        if (!atom)
  1.1509 +            return false;
  1.1510 +        *idp = NON_INTEGER_ATOM_TO_JSID(atom);
  1.1511 +        return true;
  1.1512 +    }
  1.1513 +    if (tag == SCTAG_NULL) {
  1.1514 +        *idp = JSID_VOID;
  1.1515 +        return true;
  1.1516 +    }
  1.1517 +    JS_ReportErrorNumber(context(), js_GetErrorMessage, nullptr,
  1.1518 +                         JSMSG_SC_BAD_SERIALIZED_DATA, "id");
  1.1519 +    return false;
  1.1520 +}
  1.1521 +
  1.1522 +bool
  1.1523 +JSStructuredCloneReader::readTransferMap()
  1.1524 +{
  1.1525 +    JSContext *cx = context();
  1.1526 +    uint64_t *headerPos = in.tell();
  1.1527 +
  1.1528 +    uint32_t tag, data;
  1.1529 +    if (!in.getPair(&tag, &data))
  1.1530 +        return in.reportTruncated();
  1.1531 +
  1.1532 +    if (tag != SCTAG_TRANSFER_MAP_HEADER || TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
  1.1533 +        return true;
  1.1534 +
  1.1535 +    uint64_t numTransferables;
  1.1536 +    MOZ_ALWAYS_TRUE(in.readPair(&tag, &data));
  1.1537 +    if (!in.read(&numTransferables))
  1.1538 +        return false;
  1.1539 +
  1.1540 +    for (uint64_t i = 0; i < numTransferables; i++) {
  1.1541 +        uint64_t *pos = in.tell();
  1.1542 +
  1.1543 +        if (!in.readPair(&tag, &data))
  1.1544 +            return false;
  1.1545 +
  1.1546 +        JS_ASSERT(tag != SCTAG_TRANSFER_MAP_PENDING_ENTRY);
  1.1547 +        RootedObject obj(cx);
  1.1548 +
  1.1549 +        void *content;
  1.1550 +        if (!in.readPtr(&content))
  1.1551 +            return false;
  1.1552 +
  1.1553 +        uint64_t extraData;
  1.1554 +        if (!in.read(&extraData))
  1.1555 +            return false;
  1.1556 +
  1.1557 +        if (tag == SCTAG_TRANSFER_MAP_ARRAY_BUFFER) {
  1.1558 +            size_t nbytes = extraData;
  1.1559 +            JS_ASSERT(data == JS::SCTAG_TMO_ALLOC_DATA ||
  1.1560 +                      data == JS::SCTAG_TMO_MAPPED_DATA);
  1.1561 +            if (data == JS::SCTAG_TMO_ALLOC_DATA)
  1.1562 +                obj = JS_NewArrayBufferWithContents(cx, nbytes, content);
  1.1563 +            else if (data == JS::SCTAG_TMO_MAPPED_DATA)
  1.1564 +                obj = JS_NewMappedArrayBufferWithContents(cx, nbytes, content);
  1.1565 +        } else if (tag == SCTAG_TRANSFER_MAP_SHARED_BUFFER) {
  1.1566 +            JS_ASSERT(data == JS::SCTAG_TMO_SHARED_BUFFER);
  1.1567 +            obj = SharedArrayBufferObject::New(context(), (SharedArrayRawBuffer *)content);
  1.1568 +        } else {
  1.1569 +            if (!callbacks || !callbacks->readTransfer) {
  1.1570 +                ReportErrorTransferable(cx, callbacks);
  1.1571 +                return false;
  1.1572 +            }
  1.1573 +            if (!callbacks->readTransfer(cx, this, tag, content, extraData, closure, &obj))
  1.1574 +                return false;
  1.1575 +            MOZ_ASSERT(obj);
  1.1576 +            MOZ_ASSERT(!cx->isExceptionPending());
  1.1577 +        }
  1.1578 +        
  1.1579 +        // On failure, the buffer will still own the data (since its ownership will not get set to SCTAG_TMO_UNOWNED),
  1.1580 +        // so the data will be freed by ClearStructuredClone
  1.1581 +        if (!obj)
  1.1582 +            return false;
  1.1583 +
  1.1584 +        // Mark the SCTAG_TRANSFER_MAP_* entry as no longer owned by the input
  1.1585 +        // buffer.
  1.1586 +        *pos = PairToUInt64(tag, JS::SCTAG_TMO_UNOWNED);
  1.1587 +        MOZ_ASSERT(headerPos < pos && pos < in.end());
  1.1588 +
  1.1589 +        if (!allObjs.append(ObjectValue(*obj)))
  1.1590 +            return false;
  1.1591 +    }
  1.1592 +
  1.1593 +    // Mark the whole transfer map as consumed.
  1.1594 +    MOZ_ASSERT(headerPos <= in.tell());
  1.1595 +#ifdef DEBUG
  1.1596 +    SCInput::getPair(headerPos, &tag, &data);
  1.1597 +    MOZ_ASSERT(tag == SCTAG_TRANSFER_MAP_HEADER);
  1.1598 +    MOZ_ASSERT(TransferableMapHeader(data) != SCTAG_TM_TRANSFERRED);
  1.1599 +#endif
  1.1600 +    *headerPos = PairToUInt64(SCTAG_TRANSFER_MAP_HEADER, SCTAG_TM_TRANSFERRED);
  1.1601 +
  1.1602 +    return true;
  1.1603 +}
  1.1604 +
  1.1605 +bool
  1.1606 +JSStructuredCloneReader::read(Value *vp)
  1.1607 +{
  1.1608 +    if (!readTransferMap())
  1.1609 +        return false;
  1.1610 +
  1.1611 +    if (!startRead(vp))
  1.1612 +        return false;
  1.1613 +
  1.1614 +    while (objs.length() != 0) {
  1.1615 +        RootedObject obj(context(), &objs.back().toObject());
  1.1616 +
  1.1617 +        RootedId id(context());
  1.1618 +        if (!readId(id.address()))
  1.1619 +            return false;
  1.1620 +
  1.1621 +        if (JSID_IS_VOID(id)) {
  1.1622 +            objs.popBack();
  1.1623 +        } else {
  1.1624 +            RootedValue v(context());
  1.1625 +            if (!startRead(v.address()) || !JSObject::defineGeneric(context(), obj, id, v))
  1.1626 +                return false;
  1.1627 +        }
  1.1628 +    }
  1.1629 +
  1.1630 +    allObjs.clear();
  1.1631 +
  1.1632 +    return true;
  1.1633 +}
  1.1634 +
  1.1635 +using namespace js;
  1.1636 +
  1.1637 +JS_PUBLIC_API(bool)
  1.1638 +JS_ReadStructuredClone(JSContext *cx, uint64_t *buf, size_t nbytes,
  1.1639 +                       uint32_t version, MutableHandleValue vp,
  1.1640 +                       const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1641 +                       void *closure)
  1.1642 +{
  1.1643 +    AssertHeapIsIdle(cx);
  1.1644 +    CHECK_REQUEST(cx);
  1.1645 +
  1.1646 +    if (version > JS_STRUCTURED_CLONE_VERSION) {
  1.1647 +        JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_BAD_CLONE_VERSION);
  1.1648 +        return false;
  1.1649 +    }
  1.1650 +    const JSStructuredCloneCallbacks *callbacks =
  1.1651 +        optionalCallbacks ?
  1.1652 +        optionalCallbacks :
  1.1653 +        cx->runtime()->structuredCloneCallbacks;
  1.1654 +    return ReadStructuredClone(cx, buf, nbytes, vp, callbacks, closure);
  1.1655 +}
  1.1656 +
  1.1657 +JS_PUBLIC_API(bool)
  1.1658 +JS_WriteStructuredClone(JSContext *cx, HandleValue value, uint64_t **bufp, size_t *nbytesp,
  1.1659 +                        const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1660 +                        void *closure, HandleValue transferable)
  1.1661 +{
  1.1662 +    AssertHeapIsIdle(cx);
  1.1663 +    CHECK_REQUEST(cx);
  1.1664 +    assertSameCompartment(cx, value);
  1.1665 +
  1.1666 +    const JSStructuredCloneCallbacks *callbacks =
  1.1667 +        optionalCallbacks ?
  1.1668 +        optionalCallbacks :
  1.1669 +        cx->runtime()->structuredCloneCallbacks;
  1.1670 +    return WriteStructuredClone(cx, value, bufp, nbytesp, callbacks, closure, transferable);
  1.1671 +}
  1.1672 +
  1.1673 +JS_PUBLIC_API(bool)
  1.1674 +JS_ClearStructuredClone(uint64_t *data, size_t nbytes,
  1.1675 +                        const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1676 +                        void *closure)
  1.1677 +{
  1.1678 +    ClearStructuredClone(data, nbytes, optionalCallbacks, closure);
  1.1679 +    return true;
  1.1680 +}
  1.1681 +
  1.1682 +JS_PUBLIC_API(bool)
  1.1683 +JS_StructuredCloneHasTransferables(const uint64_t *data, size_t nbytes,
  1.1684 +                                   bool *hasTransferable)
  1.1685 +{
  1.1686 +    bool transferable;
  1.1687 +    if (!StructuredCloneHasTransferObjects(data, nbytes, &transferable))
  1.1688 +        return false;
  1.1689 +
  1.1690 +    *hasTransferable = transferable;
  1.1691 +    return true;
  1.1692 +}
  1.1693 +
  1.1694 +JS_PUBLIC_API(bool)
  1.1695 +JS_StructuredClone(JSContext *cx, HandleValue value, MutableHandleValue vp,
  1.1696 +                   const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1697 +                   void *closure)
  1.1698 +{
  1.1699 +    AssertHeapIsIdle(cx);
  1.1700 +    CHECK_REQUEST(cx);
  1.1701 +
  1.1702 +    // Strings are associated with zones, not compartments,
  1.1703 +    // so we copy the string by wrapping it.
  1.1704 +    if (value.isString()) {
  1.1705 +      RootedString strValue(cx, value.toString());
  1.1706 +      if (!cx->compartment()->wrap(cx, strValue.address())) {
  1.1707 +        return false;
  1.1708 +      }
  1.1709 +      vp.setString(strValue);
  1.1710 +      return true;
  1.1711 +    }
  1.1712 +
  1.1713 +    const JSStructuredCloneCallbacks *callbacks =
  1.1714 +        optionalCallbacks ?
  1.1715 +        optionalCallbacks :
  1.1716 +        cx->runtime()->structuredCloneCallbacks;
  1.1717 +
  1.1718 +    JSAutoStructuredCloneBuffer buf;
  1.1719 +    {
  1.1720 +        // If we use Maybe<AutoCompartment> here, G++ can't tell that the
  1.1721 +        // destructor is only called when Maybe::construct was called, and
  1.1722 +        // we get warnings about using uninitialized variables.
  1.1723 +        if (value.isObject()) {
  1.1724 +            AutoCompartment ac(cx, &value.toObject());
  1.1725 +            if (!buf.write(cx, value, callbacks, closure))
  1.1726 +                return false;
  1.1727 +        } else {
  1.1728 +            if (!buf.write(cx, value, callbacks, closure))
  1.1729 +                return false;
  1.1730 +        }
  1.1731 +    }
  1.1732 +
  1.1733 +    return buf.read(cx, vp, callbacks, closure);
  1.1734 +}
  1.1735 +
  1.1736 +JSAutoStructuredCloneBuffer::JSAutoStructuredCloneBuffer(JSAutoStructuredCloneBuffer &&other)
  1.1737 +{
  1.1738 +    other.steal(&data_, &nbytes_, &version_);
  1.1739 +}
  1.1740 +
  1.1741 +JSAutoStructuredCloneBuffer&
  1.1742 +JSAutoStructuredCloneBuffer::operator=(JSAutoStructuredCloneBuffer &&other)
  1.1743 +{
  1.1744 +    JS_ASSERT(&other != this);
  1.1745 +    clear();
  1.1746 +    other.steal(&data_, &nbytes_, &version_);
  1.1747 +    return *this;
  1.1748 +}
  1.1749 +
  1.1750 +void
  1.1751 +JSAutoStructuredCloneBuffer::clear()
  1.1752 +{
  1.1753 +    if (data_) {
  1.1754 +        ClearStructuredClone(data_, nbytes_, callbacks_, closure_);
  1.1755 +        data_ = nullptr;
  1.1756 +        nbytes_ = 0;
  1.1757 +        version_ = 0;
  1.1758 +    }
  1.1759 +}
  1.1760 +
  1.1761 +bool
  1.1762 +JSAutoStructuredCloneBuffer::copy(const uint64_t *srcData, size_t nbytes, uint32_t version)
  1.1763 +{
  1.1764 +    // transferable objects cannot be copied
  1.1765 +    bool hasTransferable;
  1.1766 +    if (!StructuredCloneHasTransferObjects(data_, nbytes_, &hasTransferable) ||
  1.1767 +        hasTransferable)
  1.1768 +        return false;
  1.1769 +
  1.1770 +    uint64_t *newData = static_cast<uint64_t *>(js_malloc(nbytes));
  1.1771 +    if (!newData)
  1.1772 +        return false;
  1.1773 +
  1.1774 +    js_memcpy(newData, srcData, nbytes);
  1.1775 +
  1.1776 +    clear();
  1.1777 +    data_ = newData;
  1.1778 +    nbytes_ = nbytes;
  1.1779 +    version_ = version;
  1.1780 +    return true;
  1.1781 +}
  1.1782 +
  1.1783 +void
  1.1784 +JSAutoStructuredCloneBuffer::adopt(uint64_t *data, size_t nbytes, uint32_t version)
  1.1785 +{
  1.1786 +    clear();
  1.1787 +    data_ = data;
  1.1788 +    nbytes_ = nbytes;
  1.1789 +    version_ = version;
  1.1790 +}
  1.1791 +
  1.1792 +void
  1.1793 +JSAutoStructuredCloneBuffer::steal(uint64_t **datap, size_t *nbytesp, uint32_t *versionp)
  1.1794 +{
  1.1795 +    *datap = data_;
  1.1796 +    *nbytesp = nbytes_;
  1.1797 +    if (versionp)
  1.1798 +        *versionp = version_;
  1.1799 +
  1.1800 +    data_ = nullptr;
  1.1801 +    nbytes_ = 0;
  1.1802 +    version_ = 0;
  1.1803 +}
  1.1804 +
  1.1805 +bool
  1.1806 +JSAutoStructuredCloneBuffer::read(JSContext *cx, MutableHandleValue vp,
  1.1807 +                                  const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1808 +                                  void *closure)
  1.1809 +{
  1.1810 +    JS_ASSERT(cx);
  1.1811 +    JS_ASSERT(data_);
  1.1812 +    return !!JS_ReadStructuredClone(cx, data_, nbytes_, version_, vp,
  1.1813 +                                    optionalCallbacks, closure);
  1.1814 +}
  1.1815 +
  1.1816 +bool
  1.1817 +JSAutoStructuredCloneBuffer::write(JSContext *cx, HandleValue value,
  1.1818 +                                   const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1819 +                                   void *closure)
  1.1820 +{
  1.1821 +    HandleValue transferable = UndefinedHandleValue;
  1.1822 +    return write(cx, value, transferable, optionalCallbacks, closure);
  1.1823 +}
  1.1824 +
  1.1825 +bool
  1.1826 +JSAutoStructuredCloneBuffer::write(JSContext *cx, HandleValue value,
  1.1827 +                                   HandleValue transferable,
  1.1828 +                                   const JSStructuredCloneCallbacks *optionalCallbacks,
  1.1829 +                                   void *closure)
  1.1830 +{
  1.1831 +    clear();
  1.1832 +    bool ok = !!JS_WriteStructuredClone(cx, value, &data_, &nbytes_,
  1.1833 +                                        optionalCallbacks, closure,
  1.1834 +                                        transferable);
  1.1835 +    if (!ok) {
  1.1836 +        data_ = nullptr;
  1.1837 +        nbytes_ = 0;
  1.1838 +        version_ = JS_STRUCTURED_CLONE_VERSION;
  1.1839 +    }
  1.1840 +    return ok;
  1.1841 +}
  1.1842 +
  1.1843 +JS_PUBLIC_API(void)
  1.1844 +JS_SetStructuredCloneCallbacks(JSRuntime *rt, const JSStructuredCloneCallbacks *callbacks)
  1.1845 +{
  1.1846 +    rt->structuredCloneCallbacks = callbacks;
  1.1847 +}
  1.1848 +
  1.1849 +JS_PUBLIC_API(bool)
  1.1850 +JS_ReadUint32Pair(JSStructuredCloneReader *r, uint32_t *p1, uint32_t *p2)
  1.1851 +{
  1.1852 +    return r->input().readPair((uint32_t *) p1, (uint32_t *) p2);
  1.1853 +}
  1.1854 +
  1.1855 +JS_PUBLIC_API(bool)
  1.1856 +JS_ReadBytes(JSStructuredCloneReader *r, void *p, size_t len)
  1.1857 +{
  1.1858 +    return r->input().readBytes(p, len);
  1.1859 +}
  1.1860 +
  1.1861 +JS_PUBLIC_API(bool)
  1.1862 +JS_ReadTypedArray(JSStructuredCloneReader *r, MutableHandleValue vp)
  1.1863 +{
  1.1864 +    uint32_t tag, nelems;
  1.1865 +    if (!r->input().readPair(&tag, &nelems))
  1.1866 +        return false;
  1.1867 +    if (tag >= SCTAG_TYPED_ARRAY_V1_MIN && tag <= SCTAG_TYPED_ARRAY_V1_MAX) {
  1.1868 +        return r->readTypedArray(TagToV1ArrayType(tag), nelems, vp.address(), true);
  1.1869 +    } else if (tag == SCTAG_TYPED_ARRAY_OBJECT) {
  1.1870 +        uint64_t arrayType;
  1.1871 +        if (!r->input().read(&arrayType))
  1.1872 +            return false;
  1.1873 +        return r->readTypedArray(arrayType, nelems, vp.address());
  1.1874 +    } else {
  1.1875 +        JS_ReportErrorNumber(r->context(), js_GetErrorMessage, nullptr,
  1.1876 +                             JSMSG_SC_BAD_SERIALIZED_DATA, "expected type array");
  1.1877 +        return false;
  1.1878 +    }
  1.1879 +}
  1.1880 +
  1.1881 +JS_PUBLIC_API(bool)
  1.1882 +JS_WriteUint32Pair(JSStructuredCloneWriter *w, uint32_t tag, uint32_t data)
  1.1883 +{
  1.1884 +    return w->output().writePair(tag, data);
  1.1885 +}
  1.1886 +
  1.1887 +JS_PUBLIC_API(bool)
  1.1888 +JS_WriteBytes(JSStructuredCloneWriter *w, const void *p, size_t len)
  1.1889 +{
  1.1890 +    return w->output().writeBytes(p, len);
  1.1891 +}
  1.1892 +
  1.1893 +JS_PUBLIC_API(bool)
  1.1894 +JS_WriteTypedArray(JSStructuredCloneWriter *w, HandleValue v)
  1.1895 +{
  1.1896 +    JS_ASSERT(v.isObject());
  1.1897 +    assertSameCompartment(w->context(), v);
  1.1898 +    RootedObject obj(w->context(), &v.toObject());
  1.1899 +
  1.1900 +    // If the object is a security wrapper, see if we're allowed to unwrap it.
  1.1901 +    // If we aren't, throw.
  1.1902 +    if (obj->is<WrapperObject>())
  1.1903 +        obj = CheckedUnwrap(obj);
  1.1904 +    if (!obj) {
  1.1905 +        JS_ReportErrorNumber(w->context(), js_GetErrorMessage, nullptr, JSMSG_UNWRAP_DENIED);
  1.1906 +        return false;
  1.1907 +    }
  1.1908 +    return w->writeTypedArray(obj);
  1.1909 +}
