1 // Copyright 2016 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "src/builtins/builtins-utils.h"
6 #include "src/builtins/builtins.h"
7 #include "src/code-factory.h"
8 #include "src/code-stub-assembler.h"
9 #include "src/compiler.h"
10 #include "src/conversions.h"
11 #include "src/counters.h"
12 #include "src/lookup.h"
13 #include "src/objects-inl.h"
14 #include "src/string-builder.h"
15
16 namespace v8 {
17 namespace internal {
18
19 namespace {
20
21 // ES6 section 19.2.1.1.1 CreateDynamicFunction
CreateDynamicFunction(Isolate * isolate,BuiltinArguments args,const char * token)22 MaybeHandle<Object> CreateDynamicFunction(Isolate* isolate,
23 BuiltinArguments args,
24 const char* token) {
25 // Compute number of arguments, ignoring the receiver.
26 DCHECK_LE(1, args.length());
27 int const argc = args.length() - 1;
28
29 Handle<JSFunction> target = args.target();
30 Handle<JSObject> target_global_proxy(target->global_proxy(), isolate);
31
32 if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) {
33 isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined);
34 return isolate->factory()->undefined_value();
35 }
36
37 // Build the source string.
38 Handle<String> source;
39 int parameters_end_pos = kNoSourcePosition;
40 {
41 IncrementalStringBuilder builder(isolate);
42 builder.AppendCharacter('(');
43 builder.AppendCString(token);
44 if (FLAG_harmony_function_tostring) {
45 builder.AppendCString(" anonymous(");
46 } else {
47 builder.AppendCharacter('(');
48 }
49 bool parenthesis_in_arg_string = false;
50 if (argc > 1) {
51 for (int i = 1; i < argc; ++i) {
52 if (i > 1) builder.AppendCharacter(',');
53 Handle<String> param;
54 ASSIGN_RETURN_ON_EXCEPTION(
55 isolate, param, Object::ToString(isolate, args.at(i)), Object);
56 param = String::Flatten(param);
57 builder.AppendString(param);
58 if (!FLAG_harmony_function_tostring) {
59 // If the formal parameters string include ) - an illegal
60 // character - it may make the combined function expression
61 // compile. We avoid this problem by checking for this early on.
62 DisallowHeapAllocation no_gc; // Ensure vectors stay valid.
63 String::FlatContent param_content = param->GetFlatContent();
64 for (int i = 0, length = param->length(); i < length; ++i) {
65 if (param_content.Get(i) == ')') {
66 parenthesis_in_arg_string = true;
67 break;
68 }
69 }
70 }
71 }
72 if (!FLAG_harmony_function_tostring) {
73 // If the formal parameters include an unbalanced block comment, the
74 // function must be rejected. Since JavaScript does not allow nested
75 // comments we can include a trailing block comment to catch this.
76 builder.AppendCString("\n/*``*/");
77 }
78 }
79 if (FLAG_harmony_function_tostring) {
80 builder.AppendCharacter('\n');
81 parameters_end_pos = builder.Length();
82 }
83 builder.AppendCString(") {\n");
84 if (argc > 0) {
85 Handle<String> body;
86 ASSIGN_RETURN_ON_EXCEPTION(
87 isolate, body, Object::ToString(isolate, args.at(argc)), Object);
88 builder.AppendString(body);
89 }
90 builder.AppendCString("\n})");
91 ASSIGN_RETURN_ON_EXCEPTION(isolate, source, builder.Finish(), Object);
92
93 // The SyntaxError must be thrown after all the (observable) ToString
94 // conversions are done.
95 if (parenthesis_in_arg_string) {
96 THROW_NEW_ERROR(isolate,
97 NewSyntaxError(MessageTemplate::kParenthesisInArgString),
98 Object);
99 }
100 }
101
102 // Compile the string in the constructor and not a helper so that errors to
103 // come from here.
104 Handle<JSFunction> function;
105 {
106 ASSIGN_RETURN_ON_EXCEPTION(
107 isolate, function,
108 Compiler::GetFunctionFromString(
109 handle(target->native_context(), isolate), source,
110 ONLY_SINGLE_FUNCTION_LITERAL, parameters_end_pos),
111 Object);
112 Handle<Object> result;
113 ASSIGN_RETURN_ON_EXCEPTION(
114 isolate, result,
115 Execution::Call(isolate, function, target_global_proxy, 0, nullptr),
116 Object);
117 function = Handle<JSFunction>::cast(result);
118 function->shared()->set_name_should_print_as_anonymous(true);
119 }
120
121 // If new.target is equal to target then the function created
122 // is already correctly setup and nothing else should be done
123 // here. But if new.target is not equal to target then we are
124 // have a Function builtin subclassing case and therefore the
125 // function has wrong initial map. To fix that we create a new
126 // function object with correct initial map.
127 Handle<Object> unchecked_new_target = args.new_target();
128 if (!unchecked_new_target->IsUndefined(isolate) &&
129 !unchecked_new_target.is_identical_to(target)) {
130 Handle<JSReceiver> new_target =
131 Handle<JSReceiver>::cast(unchecked_new_target);
132 Handle<Map> initial_map;
133 ASSIGN_RETURN_ON_EXCEPTION(
134 isolate, initial_map,
135 JSFunction::GetDerivedMap(isolate, target, new_target), Object);
136
137 Handle<SharedFunctionInfo> shared_info(function->shared(), isolate);
138 Handle<Map> map = Map::AsLanguageMode(
139 initial_map, shared_info->language_mode(), shared_info->kind());
140
141 Handle<Context> context(function->context(), isolate);
142 function = isolate->factory()->NewFunctionFromSharedFunctionInfo(
143 map, shared_info, context, NOT_TENURED);
144 }
145 return function;
146 }
147
148 } // namespace
149
150 // ES6 section 19.2.1.1 Function ( p1, p2, ... , pn, body )
BUILTIN(FunctionConstructor)151 BUILTIN(FunctionConstructor) {
152 HandleScope scope(isolate);
153 Handle<Object> result;
154 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
155 isolate, result, CreateDynamicFunction(isolate, args, "function"));
156 return *result;
157 }
158
159 // ES6 section 25.2.1.1 GeneratorFunction (p1, p2, ... , pn, body)
BUILTIN(GeneratorFunctionConstructor)160 BUILTIN(GeneratorFunctionConstructor) {
161 HandleScope scope(isolate);
162 RETURN_RESULT_OR_FAILURE(isolate,
163 CreateDynamicFunction(isolate, args, "function*"));
164 }
165
BUILTIN(AsyncFunctionConstructor)166 BUILTIN(AsyncFunctionConstructor) {
167 HandleScope scope(isolate);
168 Handle<Object> maybe_func;
169 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
170 isolate, maybe_func,
171 CreateDynamicFunction(isolate, args, "async function"));
172 if (!maybe_func->IsJSFunction()) return *maybe_func;
173
174 // Do not lazily compute eval position for AsyncFunction, as they may not be
175 // determined after the function is resumed.
176 Handle<JSFunction> func = Handle<JSFunction>::cast(maybe_func);
177 Handle<Script> script = handle(Script::cast(func->shared()->script()));
178 int position = script->GetEvalPosition();
179 USE(position);
180
181 return *func;
182 }
183
184 namespace {
185
DoFunctionBind(Isolate * isolate,BuiltinArguments args)186 Object* DoFunctionBind(Isolate* isolate, BuiltinArguments args) {
187 HandleScope scope(isolate);
188 DCHECK_LE(1, args.length());
189 if (!args.receiver()->IsCallable()) {
190 THROW_NEW_ERROR_RETURN_FAILURE(
191 isolate, NewTypeError(MessageTemplate::kFunctionBind));
192 }
193
194 // Allocate the bound function with the given {this_arg} and {args}.
195 Handle<JSReceiver> target = args.at<JSReceiver>(0);
196 Handle<Object> this_arg = isolate->factory()->undefined_value();
197 ScopedVector<Handle<Object>> argv(std::max(0, args.length() - 2));
198 if (args.length() > 1) {
199 this_arg = args.at(1);
200 for (int i = 2; i < args.length(); ++i) {
201 argv[i - 2] = args.at(i);
202 }
203 }
204 Handle<JSBoundFunction> function;
205 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
206 isolate, function,
207 isolate->factory()->NewJSBoundFunction(target, this_arg, argv));
208
209 LookupIterator length_lookup(target, isolate->factory()->length_string(),
210 target, LookupIterator::OWN);
211 // Setup the "length" property based on the "length" of the {target}.
212 // If the targets length is the default JSFunction accessor, we can keep the
213 // accessor that's installed by default on the JSBoundFunction. It lazily
214 // computes the value from the underlying internal length.
215 if (!target->IsJSFunction() ||
216 length_lookup.state() != LookupIterator::ACCESSOR ||
217 !length_lookup.GetAccessors()->IsAccessorInfo()) {
218 Handle<Object> length(Smi::kZero, isolate);
219 Maybe<PropertyAttributes> attributes =
220 JSReceiver::GetPropertyAttributes(&length_lookup);
221 if (!attributes.IsJust()) return isolate->heap()->exception();
222 if (attributes.FromJust() != ABSENT) {
223 Handle<Object> target_length;
224 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target_length,
225 Object::GetProperty(&length_lookup));
226 if (target_length->IsNumber()) {
227 length = isolate->factory()->NewNumber(std::max(
228 0.0, DoubleToInteger(target_length->Number()) - argv.length()));
229 }
230 }
231 LookupIterator it(function, isolate->factory()->length_string(), function);
232 DCHECK_EQ(LookupIterator::ACCESSOR, it.state());
233 RETURN_FAILURE_ON_EXCEPTION(isolate,
234 JSObject::DefineOwnPropertyIgnoreAttributes(
235 &it, length, it.property_attributes()));
236 }
237
238 // Setup the "name" property based on the "name" of the {target}.
239 // If the targets name is the default JSFunction accessor, we can keep the
240 // accessor that's installed by default on the JSBoundFunction. It lazily
241 // computes the value from the underlying internal name.
242 LookupIterator name_lookup(target, isolate->factory()->name_string(), target,
243 LookupIterator::OWN);
244 if (!target->IsJSFunction() ||
245 name_lookup.state() != LookupIterator::ACCESSOR ||
246 !name_lookup.GetAccessors()->IsAccessorInfo()) {
247 Handle<Object> target_name;
248 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target_name,
249 Object::GetProperty(&name_lookup));
250 Handle<String> name;
251 if (target_name->IsString()) {
252 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
253 isolate, name,
254 Name::ToFunctionName(Handle<String>::cast(target_name)));
255 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
256 isolate, name, isolate->factory()->NewConsString(
257 isolate->factory()->bound__string(), name));
258 } else {
259 name = isolate->factory()->bound__string();
260 }
261 LookupIterator it(function, isolate->factory()->name_string());
262 DCHECK_EQ(LookupIterator::ACCESSOR, it.state());
263 RETURN_FAILURE_ON_EXCEPTION(isolate,
264 JSObject::DefineOwnPropertyIgnoreAttributes(
265 &it, name, it.property_attributes()));
266 }
267 return *function;
268 }
269
270 } // namespace
271
272 // ES6 section 19.2.3.2 Function.prototype.bind ( thisArg, ...args )
BUILTIN(FunctionPrototypeBind)273 BUILTIN(FunctionPrototypeBind) { return DoFunctionBind(isolate, args); }
274
Generate_FastFunctionPrototypeBind(compiler::CodeAssemblerState * state)275 void Builtins::Generate_FastFunctionPrototypeBind(
276 compiler::CodeAssemblerState* state) {
277 using compiler::Node;
278 typedef CodeStubAssembler::Label Label;
279 typedef CodeStubAssembler::Variable Variable;
280
281 CodeStubAssembler assembler(state);
282 Label slow(&assembler);
283
284 Node* argc = assembler.Parameter(BuiltinDescriptor::kArgumentsCount);
285 Node* context = assembler.Parameter(BuiltinDescriptor::kContext);
286 Node* new_target = assembler.Parameter(BuiltinDescriptor::kNewTarget);
287
288 CodeStubArguments args(&assembler, assembler.ChangeInt32ToIntPtr(argc));
289
290 // Check that receiver has instance type of JS_FUNCTION_TYPE
291 Node* receiver = args.GetReceiver();
292 assembler.GotoIf(assembler.TaggedIsSmi(receiver), &slow);
293
294 Node* receiver_map = assembler.LoadMap(receiver);
295 Node* instance_type = assembler.LoadMapInstanceType(receiver_map);
296 assembler.GotoIf(
297 assembler.Word32NotEqual(instance_type,
298 assembler.Int32Constant(JS_FUNCTION_TYPE)),
299 &slow);
300
301 // Disallow binding of slow-mode functions. We need to figure out whether the
302 // length and name property are in the original state.
303 assembler.Comment("Disallow binding of slow-mode functions");
304 assembler.GotoIf(assembler.IsDictionaryMap(receiver_map), &slow);
305
306 // Check whether the length and name properties are still present as
307 // AccessorInfo objects. In that case, their value can be recomputed even if
308 // the actual value on the object changes.
309 assembler.Comment("Check descriptor array length");
310 Node* descriptors = assembler.LoadMapDescriptors(receiver_map);
311 Node* descriptors_length = assembler.LoadFixedArrayBaseLength(descriptors);
312 assembler.GotoIf(assembler.SmiLessThanOrEqual(descriptors_length,
313 assembler.SmiConstant(1)),
314 &slow);
315
316 // Check whether the length and name properties are still present as
317 // AccessorInfo objects. In that case, their value can be recomputed even if
318 // the actual value on the object changes.
319 assembler.Comment("Check name and length properties");
320 const int length_index = JSFunction::kLengthDescriptorIndex;
321 Node* maybe_length = assembler.LoadFixedArrayElement(
322 descriptors, DescriptorArray::ToKeyIndex(length_index));
323 assembler.GotoIf(
324 assembler.WordNotEqual(maybe_length,
325 assembler.LoadRoot(Heap::klength_stringRootIndex)),
326 &slow);
327
328 Node* maybe_length_accessor = assembler.LoadFixedArrayElement(
329 descriptors, DescriptorArray::ToValueIndex(length_index));
330 assembler.GotoIf(assembler.TaggedIsSmi(maybe_length_accessor), &slow);
331 Node* length_value_map = assembler.LoadMap(maybe_length_accessor);
332 assembler.GotoIfNot(assembler.IsAccessorInfoMap(length_value_map), &slow);
333
334 const int name_index = JSFunction::kNameDescriptorIndex;
335 Node* maybe_name = assembler.LoadFixedArrayElement(
336 descriptors, DescriptorArray::ToKeyIndex(name_index));
337 assembler.GotoIf(
338 assembler.WordNotEqual(maybe_name,
339 assembler.LoadRoot(Heap::kname_stringRootIndex)),
340 &slow);
341
342 Node* maybe_name_accessor = assembler.LoadFixedArrayElement(
343 descriptors, DescriptorArray::ToValueIndex(name_index));
344 assembler.GotoIf(assembler.TaggedIsSmi(maybe_name_accessor), &slow);
345 Node* name_value_map = assembler.LoadMap(maybe_name_accessor);
346 assembler.GotoIfNot(assembler.IsAccessorInfoMap(name_value_map), &slow);
347
348 // Choose the right bound function map based on whether the target is
349 // constructable.
350 assembler.Comment("Choose the right bound function map");
351 Variable bound_function_map(&assembler, MachineRepresentation::kTagged);
352 Label with_constructor(&assembler);
353 CodeStubAssembler::VariableList vars({&bound_function_map}, assembler.zone());
354 Node* native_context = assembler.LoadNativeContext(context);
355
356 Label map_done(&assembler, vars);
357 Node* bit_field = assembler.LoadMapBitField(receiver_map);
358 int mask = static_cast<int>(1 << Map::kIsConstructor);
359 assembler.GotoIf(assembler.IsSetWord32(bit_field, mask), &with_constructor);
360
361 bound_function_map.Bind(assembler.LoadContextElement(
362 native_context, Context::BOUND_FUNCTION_WITHOUT_CONSTRUCTOR_MAP_INDEX));
363 assembler.Goto(&map_done);
364
365 assembler.Bind(&with_constructor);
366 bound_function_map.Bind(assembler.LoadContextElement(
367 native_context, Context::BOUND_FUNCTION_WITH_CONSTRUCTOR_MAP_INDEX));
368 assembler.Goto(&map_done);
369
370 assembler.Bind(&map_done);
371
372 // Verify that __proto__ matches that of a the target bound function.
373 assembler.Comment("Verify that __proto__ matches target bound function");
374 Node* prototype = assembler.LoadMapPrototype(receiver_map);
375 Node* expected_prototype =
376 assembler.LoadMapPrototype(bound_function_map.value());
377 assembler.GotoIf(assembler.WordNotEqual(prototype, expected_prototype),
378 &slow);
379
380 // Allocate the arguments array.
381 assembler.Comment("Allocate the arguments array");
382 Variable argument_array(&assembler, MachineRepresentation::kTagged);
383 Label empty_arguments(&assembler);
384 Label arguments_done(&assembler, &argument_array);
385 assembler.GotoIf(
386 assembler.Uint32LessThanOrEqual(argc, assembler.Int32Constant(1)),
387 &empty_arguments);
388 Node* elements_length = assembler.ChangeUint32ToWord(
389 assembler.Int32Sub(argc, assembler.Int32Constant(1)));
390 Node* elements = assembler.AllocateFixedArray(FAST_ELEMENTS, elements_length);
391 Variable index(&assembler, MachineType::PointerRepresentation());
392 index.Bind(assembler.IntPtrConstant(0));
393 CodeStubAssembler::VariableList foreach_vars({&index}, assembler.zone());
394 args.ForEach(foreach_vars,
395 [&assembler, elements, &index](compiler::Node* arg) {
396 assembler.StoreFixedArrayElement(elements, index.value(), arg);
397 assembler.Increment(index);
398 },
399 assembler.IntPtrConstant(1));
400 argument_array.Bind(elements);
401 assembler.Goto(&arguments_done);
402
403 assembler.Bind(&empty_arguments);
404 argument_array.Bind(assembler.EmptyFixedArrayConstant());
405 assembler.Goto(&arguments_done);
406
407 assembler.Bind(&arguments_done);
408
409 // Determine bound receiver.
410 assembler.Comment("Determine bound receiver");
411 Variable bound_receiver(&assembler, MachineRepresentation::kTagged);
412 Label has_receiver(&assembler);
413 Label receiver_done(&assembler, &bound_receiver);
414 assembler.GotoIf(assembler.Word32NotEqual(argc, assembler.Int32Constant(0)),
415 &has_receiver);
416 bound_receiver.Bind(assembler.UndefinedConstant());
417 assembler.Goto(&receiver_done);
418
419 assembler.Bind(&has_receiver);
420 bound_receiver.Bind(args.AtIndex(0));
421 assembler.Goto(&receiver_done);
422
423 assembler.Bind(&receiver_done);
424
425 // Allocate the resulting bound function.
426 assembler.Comment("Allocate the resulting bound function");
427 Node* bound_function = assembler.Allocate(JSBoundFunction::kSize);
428 assembler.StoreMapNoWriteBarrier(bound_function, bound_function_map.value());
429 assembler.StoreObjectFieldNoWriteBarrier(
430 bound_function, JSBoundFunction::kBoundTargetFunctionOffset, receiver);
431 assembler.StoreObjectFieldNoWriteBarrier(bound_function,
432 JSBoundFunction::kBoundThisOffset,
433 bound_receiver.value());
434 assembler.StoreObjectFieldNoWriteBarrier(
435 bound_function, JSBoundFunction::kBoundArgumentsOffset,
436 argument_array.value());
437 Node* empty_fixed_array = assembler.EmptyFixedArrayConstant();
438 assembler.StoreObjectFieldNoWriteBarrier(
439 bound_function, JSObject::kPropertiesOffset, empty_fixed_array);
440 assembler.StoreObjectFieldNoWriteBarrier(
441 bound_function, JSObject::kElementsOffset, empty_fixed_array);
442
443 args.PopAndReturn(bound_function);
444 assembler.Bind(&slow);
445
446 Node* target = assembler.LoadFromFrame(
447 StandardFrameConstants::kFunctionOffset, MachineType::TaggedPointer());
448 assembler.TailCallStub(
449 CodeFactory::FunctionPrototypeBind(assembler.isolate()), context, target,
450 new_target, argc);
451 }
452
453 // TODO(verwaest): This is a temporary helper until the FastFunctionBind stub
454 // can tailcall to the builtin directly.
RUNTIME_FUNCTION(Runtime_FunctionBind)455 RUNTIME_FUNCTION(Runtime_FunctionBind) {
456 DCHECK_EQ(2, args.length());
457 Arguments* incoming = reinterpret_cast<Arguments*>(args[0]);
458 // Rewrap the arguments as builtins arguments.
459 int argc = incoming->length() + BuiltinArguments::kNumExtraArgsWithReceiver;
460 BuiltinArguments caller_args(argc, incoming->arguments() + 1);
461 return DoFunctionBind(isolate, caller_args);
462 }
463
464 // ES6 section 19.2.3.5 Function.prototype.toString ( )
BUILTIN(FunctionPrototypeToString)465 BUILTIN(FunctionPrototypeToString) {
466 HandleScope scope(isolate);
467 Handle<Object> receiver = args.receiver();
468 if (receiver->IsJSBoundFunction()) {
469 return *JSBoundFunction::ToString(Handle<JSBoundFunction>::cast(receiver));
470 } else if (receiver->IsJSFunction()) {
471 return *JSFunction::ToString(Handle<JSFunction>::cast(receiver));
472 }
473 THROW_NEW_ERROR_RETURN_FAILURE(
474 isolate, NewTypeError(MessageTemplate::kNotGeneric,
475 isolate->factory()->NewStringFromAsciiChecked(
476 "Function.prototype.toString")));
477 }
478
479 // ES6 section 19.2.3.6 Function.prototype [ @@hasInstance ] ( V )
Generate_FunctionPrototypeHasInstance(compiler::CodeAssemblerState * state)480 void Builtins::Generate_FunctionPrototypeHasInstance(
481 compiler::CodeAssemblerState* state) {
482 using compiler::Node;
483 CodeStubAssembler assembler(state);
484
485 Node* f = assembler.Parameter(0);
486 Node* v = assembler.Parameter(1);
487 Node* context = assembler.Parameter(4);
488 Node* result = assembler.OrdinaryHasInstance(context, f, v);
489 assembler.Return(result);
490 }
491
492 } // namespace internal
493 } // namespace v8
494