2 * Copyright (C) 2009 Google Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above
11 * copyright notice, this list of conditions and the following disclaimer
12 * in the documentation and/or other materials provided with the
14 * * Neither the name of Google Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived from
16 * this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 #include "ChromiumBridge.h"
35 #include "ScriptSourceCode.h" // for WebCore::ScriptSourceCode
36 #include "SecurityOrigin.h" // for WebCore::SecurityOrigin
37 #include "SharedPersistent.h"
38 #include "V8AbstractEventListener.h"
39 #include "V8DOMWrapper.h"
40 #include "V8GCController.h"
43 #include <wtf/PassRefPtr.h> // so generated bindings don't have to
44 #include <wtf/Vector.h>
46 #ifdef ENABLE_DOM_STATS_COUNTERS
47 #define INC_STATS(name) ChromiumBridge::incrementStatsCounter(name)
49 #define INC_STATS(name)
58 class ScriptExecutionContext;
60 class V8EventListener;
61 class V8IsolatedWorld;
63 // FIXME: use standard logging facilities in WebCore.
64 void logInfo(Frame*, const String& message, const String& url);
66 // The following Batch structs and methods are used for setting multiple
67 // properties on an ObjectTemplate, used from the generated bindings
68 // initialization (ConfigureXXXTemplate). This greatly reduces the binary
69 // size by moving from code driven setup to data table driven setup.
71 // BatchedAttribute translates into calls to SetAccessor() on either the
72 // instance or the prototype ObjectTemplate, based on |onProto|.
73 struct BatchedAttribute {
74 const char* const name;
75 v8::AccessorGetter getter;
76 v8::AccessorSetter setter;
77 V8ClassIndex::V8WrapperType data;
78 v8::AccessControl settings;
79 v8::PropertyAttribute attribute;
83 void batchConfigureAttributes(v8::Handle<v8::ObjectTemplate>, v8::Handle<v8::ObjectTemplate>, const BatchedAttribute*, size_t attributeCount);
85 inline void configureAttribute(v8::Handle<v8::ObjectTemplate> instance, v8::Handle<v8::ObjectTemplate> proto, const BatchedAttribute& attribute)
87 (attribute.onProto ? proto : instance)->SetAccessor(v8::String::New(attribute.name),
90 attribute.data == V8ClassIndex::INVALID_CLASS_INDEX ? v8::Handle<v8::Value>() : v8::Integer::New(V8ClassIndex::ToInt(attribute.data)),
95 // BatchedConstant translates into calls to Set() for setting up an object's
96 // constants. It sets the constant on both the FunctionTemplate and the
97 // ObjectTemplate. PropertyAttributes is always ReadOnly.
98 struct BatchedConstant {
99 const char* const name;
103 void batchConfigureConstants(v8::Handle<v8::FunctionTemplate>, v8::Handle<v8::ObjectTemplate>, const BatchedConstant*, size_t constantCount);
105 struct BatchedCallback {
106 const char* const name;
107 v8::InvocationCallback callback;
110 void batchConfigureCallbacks(v8::Handle<v8::ObjectTemplate>,
111 v8::Handle<v8::Signature>,
112 v8::PropertyAttribute,
113 const BatchedCallback*,
114 size_t callbackCount);
116 const int kMaxRecursionDepth = 20;
118 // Information about an extension that is registered for use with V8. If
119 // scheme is non-empty, it contains the URL scheme the extension should be
120 // used with. If group is non-zero, the extension will only be loaded into
121 // script contexts that belong to that group. Otherwise, the extension is
122 // used with all schemes and contexts.
123 struct V8ExtensionInfo {
126 v8::Extension* extension;
128 typedef WTF::Vector<V8ExtensionInfo> V8Extensions;
132 // The types of javascript errors that can be thrown.
141 explicit V8Proxy(Frame*);
145 Frame* frame() { return m_frame; }
147 // Clear page-specific data, but keep the global object identify.
148 void clearForNavigation();
150 // Clear page-specific data before shutting down the proxy object.
151 void clearForClose();
153 // Update document object of the frame.
154 void updateDocument();
156 // Update the security origin of a document
157 // (e.g., after setting docoument.domain).
158 void updateSecurityOrigin();
160 // Destroy the global object.
161 void destroyGlobal();
163 // FIXME: Need comment. User Gesture related.
164 bool inlineCode() const { return m_inlineCode; }
165 void setInlineCode(bool value) { m_inlineCode = value; }
167 bool timerCallback() const { return m_timerCallback; }
168 void setTimerCallback(bool value) { m_timerCallback = value; }
170 // Has the context for this proxy been initialized?
171 bool isContextInitialized();
173 // Disconnects the proxy from its owner frame,
174 // and clears all timeouts on the DOM window.
175 void disconnectFrame();
178 static void setSVGContext(void*, SVGElement*);
179 static SVGElement* svgContext(void*);
181 // These helper functions are required in case we are given a PassRefPtr
182 // to a (possibly) newly created object and must prevent its reference
183 // count from dropping to zero as would happen in code like
185 // V8Proxy::setSVGContext(imp->getNewlyCreatedObject().get(), context);
186 // foo(imp->getNewlyCreatedObject().get());
188 // In the above two lines each time getNewlyCreatedObject() is called it
189 // creates a new object because we don't ref() it. (So our attemts to
190 // associate a context with it fail.) Such code should be rewritten to
192 // foo(V8Proxy::withSVGContext(imp->getNewlyCreatedObject(), context).get());
194 // where PassRefPtr::~PassRefPtr() is invoked only after foo() is
196 template <typename T>
197 static PassRefPtr<T> withSVGContext(PassRefPtr<T> object, SVGElement* context)
199 setSVGContext(object.get(), context);
202 static void* withSVGContext(void* object, SVGElement* context)
204 setSVGContext(object, context);
209 void setEventHandlerLineNumber(int lineNumber) { m_handlerLineNumber = lineNumber; }
210 void finishedWithEvent(Event*) { }
212 // Evaluate JavaScript in a new isolated world. The script gets its own
213 // global scope, its own prototypes for intrinsic JavaScript objects (String,
214 // Array, and so-on), and its own wrappers for all DOM nodes and DOM
216 void evaluateInIsolatedWorld(int worldId, const Vector<ScriptSourceCode>& sources, int extensionGroup);
218 // Evaluate JavaScript in a new context. The script gets its own global scope
219 // and its own prototypes for intrinsic JavaScript objects (String, Array,
220 // and so-on). It shares the wrappers for all DOM nodes and DOM constructors.
221 void evaluateInNewContext(const Vector<ScriptSourceCode>&, int extensionGroup);
223 // Evaluate a script file in the current execution environment.
224 // The caller must hold an execution context.
225 // If cannot evalute the script, it returns an error.
226 v8::Local<v8::Value> evaluate(const ScriptSourceCode&, Node*);
228 // Run an already compiled script.
229 v8::Local<v8::Value> runScript(v8::Handle<v8::Script>, bool isInlineCode);
231 // Call the function with the given receiver and arguments.
232 v8::Local<v8::Value> callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Object>, int argc, v8::Handle<v8::Value> argv[]);
234 // Call the function as constructor with the given arguments.
235 v8::Local<v8::Value> newInstance(v8::Handle<v8::Function>, int argc, v8::Handle<v8::Value> argv[]);
237 // To create JS Wrapper objects, we create a cache of a 'boiler plate'
238 // object, and then simply Clone that object each time we need a new one.
239 // This is faster than going through the full object creation process.
240 v8::Local<v8::Object> createWrapperFromCache(V8ClassIndex::V8WrapperType type)
242 int classIndex = V8ClassIndex::ToInt(type);
243 v8::Local<v8::Object> clone(m_wrapperBoilerplates->CloneElementAt(classIndex));
244 return clone.IsEmpty() ? createWrapperFromCacheSlowCase(type) : clone;
247 // Returns the window object associated with a context.
248 static DOMWindow* retrieveWindow(v8::Handle<v8::Context>);
249 // Returns V8Proxy object of the currently executing context.
250 static V8Proxy* retrieve();
251 // Returns V8Proxy object associated with a frame.
252 static V8Proxy* retrieve(Frame*);
253 // Returns V8Proxy object associated with a script execution context.
254 static V8Proxy* retrieve(ScriptExecutionContext*);
256 // Returns the frame object of the window object associated with
258 static Frame* retrieveFrame(v8::Handle<v8::Context>);
261 // The three functions below retrieve WebFrame instances relating the
262 // currently executing JavaScript. Since JavaScript can make function calls
263 // across frames, though, we need to be more precise.
265 // For example, imagine that a JS function in frame A calls a function in
266 // frame B, which calls native code, which wants to know what the 'active'
269 // The 'entered context' is the context where execution first entered the
270 // script engine; the context that is at the bottom of the JS function stack.
271 // RetrieveFrameForEnteredContext() would return Frame A in our example.
272 // This frame is often referred to as the "dynamic global object."
274 // The 'current context' is the context the JS engine is currently inside of;
275 // the context that is at the top of the JS function stack.
276 // RetrieveFrameForCurrentContext() would return Frame B in our example.
277 // This frame is often referred to as the "lexical global object."
279 // Finally, the 'calling context' is the context one below the current
280 // context on the JS function stack. For example, if function f calls
281 // function g, then the calling context will be the context associated with
282 // f. This context is commonly used by DOM security checks because they want
283 // to know who called them.
285 // If you are unsure which of these functions to use, ask abarth.
287 // NOTE: These cannot be declared as inline function, because VS complains at
289 static Frame* retrieveFrameForEnteredContext();
290 static Frame* retrieveFrameForCurrentContext();
291 static Frame* retrieveFrameForCallingContext();
293 // Returns V8 Context of a frame. If none exists, creates
294 // a new context. It is potentially slow and consumes memory.
295 static v8::Local<v8::Context> context(Frame*);
296 static v8::Local<v8::Context> mainWorldContext(Frame*);
297 static v8::Local<v8::Context> currentContext();
299 // If the current context causes out of memory, JavaScript setting
300 // is disabled and it returns true.
301 static bool handleOutOfMemory();
303 // Check if the active execution context can access the target frame.
304 static bool canAccessFrame(Frame*, bool reportError);
306 // Check if it is safe to access the given node from the
307 // current security context.
308 static bool checkNodeSecurity(Node*);
310 static v8::Handle<v8::Value> checkNewLegal(const v8::Arguments&);
312 static v8::Handle<v8::Script> compileScript(v8::Handle<v8::String> code, const String& fileName, int baseLine);
314 // If the exception code is different from zero, a DOM exception is
315 // schedule to be thrown.
316 static void setDOMException(int exceptionCode);
318 // Schedule an error object to be thrown.
319 static v8::Handle<v8::Value> throwError(ErrorType, const char* message);
321 // Create an instance of a function descriptor and set to the global object
322 // as a named property. Used by v8_test_shell.
323 static void bindJsObjectToWindow(Frame*, const char* name, int type, v8::Handle<v8::FunctionTemplate>, void*);
325 template <int tag, typename T>
326 static v8::Handle<v8::Value> constructDOMObject(const v8::Arguments&);
328 // Process any pending JavaScript console messages.
329 static void processConsoleMessages();
331 // Function for retrieving the line number and source name for the top
332 // JavaScript stack frame.
334 // It will return true if the line number was successfully retrieved and written
335 // into the |result| parameter, otherwise the function will return false. It may
336 // fail due to a stck overflow in the underlying JavaScript implentation, handling
337 // of such exception is up to the caller.
338 static bool sourceLineNumber(int& result);
339 static bool sourceName(String& result);
341 v8::Local<v8::Context> context();
343 bool setContextDebugId(int id);
344 static int contextDebugId(v8::Handle<v8::Context>);
346 static v8::Handle<v8::Value> getHiddenObjectPrototype(v8::Handle<v8::Context>);
347 // WARNING: Call |installHiddenObjectPrototype| only on fresh contexts!
348 static void installHiddenObjectPrototype(v8::Handle<v8::Context>);
350 // Registers a v8 extension to be available on webpages. The two forms
351 // offer various restrictions on what types of contexts the extension is
352 // loaded into. If a scheme is provided, only pages whose URL has the given
353 // scheme will match. If extensionGroup is provided, the extension will
354 // only be loaded into scripts run via evaluateInNewWorld with the
355 // matching group. Will only affect v8 contexts initialized after this
356 // call. Takes ownership of the v8::Extension object passed.
357 static void registerExtension(v8::Extension*, const String& schemeRestriction);
358 static void registerExtension(v8::Extension*, int extensionGroup);
360 // FIXME: Separate these concerns from V8Proxy?
361 v8::Persistent<v8::Context> createNewContext(v8::Handle<v8::Object> global, int extensionGroup);
362 static bool installDOMWindow(v8::Handle<v8::Context> context, DOMWindow* window);
364 void initContextIfNeeded();
365 void updateDocumentWrapper(v8::Handle<v8::Value> wrapper);
368 void setSecurityToken();
369 void clearDocumentWrapper();
371 // The JavaScript wrapper for the document object is cached on the global
372 // object for fast access. UpdateDocumentWrapperCache sets the wrapper
373 // for the current document on the global object. ClearDocumentWrapperCache
374 // deletes the document wrapper from the global object.
375 void updateDocumentWrapperCache();
376 void clearDocumentWrapperCache();
378 // Dispose global handles of m_contexts and friends.
379 void disposeContextHandles();
381 // If m_recursionCount is 0, let LocalStorage know so we can release
382 // the storage mutex.
383 void releaseStorageMutex();
385 void resetIsolatedWorlds();
387 // Returns false when we're out of memory in V8.
388 bool setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext);
390 static bool canAccessPrivate(DOMWindow*);
392 static const char* rangeExceptionName(int exceptionCode);
393 static const char* eventExceptionName(int exceptionCode);
394 static const char* xmlHttpRequestExceptionName(int exceptionCode);
395 static const char* domExceptionName(int exceptionCode);
398 static const char* xpathExceptionName(int exceptionCode);
402 static const char* svgExceptionName(int exceptionCode);
405 static void createUtilityContext();
407 // Returns a local handle of the utility context.
408 static v8::Local<v8::Context> utilityContext()
410 if (m_utilityContext.IsEmpty())
411 createUtilityContext();
412 return v8::Local<v8::Context>::New(m_utilityContext);
415 v8::Local<v8::Object> createWrapperFromCacheSlowCase(V8ClassIndex::V8WrapperType);
417 static void registerExtensionWithV8(v8::Extension*);
418 static bool registeredExtensionWithV8(v8::Extension*);
422 v8::Persistent<v8::Context> m_context;
424 // For each possible type of wrapper, we keep a boilerplate object.
425 // The boilerplate is used to create additional wrappers of the same
426 // type. We keep a single persistent handle to an array of the
427 // activated boilerplates.
428 v8::Persistent<v8::Array> m_wrapperBoilerplates;
430 v8::Persistent<v8::Object> m_global;
431 v8::Persistent<v8::Value> m_document;
433 // Utility context holding JavaScript functions used internally.
434 static v8::Persistent<v8::Context> m_utilityContext;
436 int m_handlerLineNumber;
438 // True for <a href="javascript:foo()"> and false for <script>foo()</script>.
439 // Only valid during execution.
442 // True when executing from within a timer callback. Only valid during
444 bool m_timerCallback;
446 // Track the recursion depth to be able to avoid too deep recursion. The V8
447 // engine allows much more recursion than KJS does so we need to guard against
448 // excessive recursion in the binding layer.
451 // All of the extensions registered with the context.
452 static V8Extensions m_extensions;
454 // The isolated worlds we are tracking for this frame. We hold them alive
455 // here so that they can be used again by future calls to
456 // evaluateInIsolatedWorld().
458 // Note: although the pointer is raw, the instance is kept alive by a strong
459 // reference to the v8 context it contains, which is not made weak until we
460 // call world->destroy().
461 typedef HashMap<int, V8IsolatedWorld*> IsolatedWorldMap;
462 IsolatedWorldMap m_isolatedWorlds;
465 template <int tag, typename T>
466 v8::Handle<v8::Value> V8Proxy::constructDOMObject(const v8::Arguments& args)
468 if (!args.IsConstructCall())
469 return throwError(V8Proxy::TypeError, "DOM object constructor cannot be called as a function.");
471 // Note: it's OK to let this RefPtr go out of scope because we also call
472 // SetDOMWrapper(), which effectively holds a reference to obj.
473 RefPtr<T> obj = T::create();
474 V8DOMWrapper::setDOMWrapper(args.Holder(), tag, obj.get());
476 V8DOMWrapper::setJSWrapperForDOMObject(obj.get(), v8::Persistent<v8::Object>::New(args.Holder()));
477 return args.Holder();
481 v8::Local<v8::Context> toV8Context(ScriptExecutionContext*);
483 // Used by an interceptor callback that it hasn't found anything to
485 inline static v8::Local<v8::Object> notHandledByInterceptor()
487 return v8::Local<v8::Object>();
490 inline static v8::Local<v8::Boolean> deletionNotHandledByInterceptor()
492 return v8::Local<v8::Boolean>();
494 inline v8::Handle<v8::Primitive> throwError(const char* message, V8Proxy::ErrorType type = V8Proxy::TypeError)
496 V8Proxy::throwError(type, message);
497 return v8::Undefined();
500 inline v8::Handle<v8::Primitive> throwError(ExceptionCode ec)
502 V8Proxy::setDOMException(ec);
503 return v8::Undefined();
506 inline v8::Handle<v8::Primitive> throwError(v8::Local<v8::Value> exception)
508 v8::ThrowException(exception);
509 return v8::Undefined();
512 template <class T> inline v8::Handle<v8::Object> toV8(PassRefPtr<T> object, v8::Local<v8::Object> holder)
515 V8DOMWrapper::setJSWrapperForDOMObject(object.get(), v8::Persistent<v8::Object>::New(holder));