Auto merge of #23587 - jdm:smup67, r=asajeffrey

Upgrade to SpiderMonkey 67

<!-- Reviewable:start -->
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/23587)
<!-- Reviewable:end -->

components/script/dom/bindings/codegen/CodegenRust.py

@@ -466,7 +466,7 @@ class CGMethodCall(CGThing):
 
             # Check for vanilla JS objects
             # XXXbz Do we need to worry about security wrappers?
-            pickFirstSignature("%s.get().is_object() && !is_platform_object(%s.get().to_object())" %
+            pickFirstSignature("%s.get().is_object() && !is_platform_object(%s.get().to_object(), cx)" %
                                (distinguishingArg, distinguishingArg),
                                lambda s: (s[1][distinguishingIndex].type.isCallback() or
                                           s[1][distinguishingIndex].type.isCallbackInterface() or
@@ -798,7 +798,7 @@ def getJSToNativeConversionInfo(type, descriptorProvider, failureCode=None,
             { // Scope for our JSAutoRealm.
 
                 rooted!(in(cx) let globalObj = CurrentGlobalOrNull(cx));
-                let promiseGlobal = GlobalScope::from_object_maybe_wrapped(globalObj.handle().get());
+                let promiseGlobal = GlobalScope::from_object_maybe_wrapped(globalObj.handle().get(), cx);
 
                 rooted!(in(cx) let mut valueToResolve = $${val}.get());
                 if !JS_WrapValue(cx, valueToResolve.handle_mut()) {
@@ -866,7 +866,7 @@ def getJSToNativeConversionInfo(type, descriptorProvider, failureCode=None,
 
         templateBody = fill(
             """
-            match ${function}($${val}) {
+            match ${function}($${val}, cx) {
                 Ok(val) => val,
                 Err(()) => {
                     $*{failureCode}
@@ -2158,8 +2158,8 @@ class CGDOMJSClass(CGThing):
 static CLASS_OPS: js::jsapi::JSClassOps = js::jsapi::JSClassOps {
     addProperty: None,
     delProperty: None,
-    enumerate: %(enumerateHook)s,
-    newEnumerate: None,
+    enumerate: None,
+    newEnumerate: %(enumerateHook)s,
     resolve: %(resolveHook)s,
     mayResolve: None,
     finalize: Some(%(finalizeHook)s),
@@ -3223,7 +3223,6 @@ let traps = ProxyTraps {
     set: None,
     call: None,
     construct: None,
-    getPropertyDescriptor: Some(get_property_descriptor),
     hasOwn: Some(hasOwn),
     getOwnEnumerablePropertyKeys: Some(%(getOwnEnumerablePropertyKeys)s),
     nativeCall: None,
@@ -4980,10 +4979,6 @@ class CGProxyUnwrap(CGAbstractMethod):
 
     def definition_body(self):
         return CGGeneric("""\
-/*if (xpc::WrapperFactory::IsXrayWrapper(obj)) {
-    obj = js::UnwrapObject(obj);
-}*/
-//MOZ_ASSERT(IsProxy(obj));
         let mut slot = UndefinedValue();
         GetProxyReservedSlot(obj.get(), 0, &mut slot);
         let box_ = slot.to_private() as *const %s;
@@ -5430,7 +5425,7 @@ class CGAbstractClassHook(CGAbstractExternMethod):
 
     def definition_body_prologue(self):
         return CGGeneric("""
-let this = native_from_object::<%s>(obj).unwrap();
+let this = native_from_object_static::<%s>(obj).unwrap();
 """ % self.descriptor.concreteType)
 
     def definition_body(self):
@@ -5530,7 +5525,7 @@ let global = DomRoot::downcast::<dom::types::%s>(global).unwrap();
 
 // The new_target might be a cross-compartment wrapper. Get the underlying object
 // so we can do the spec's object-identity checks.
-rooted!(in(cx) let new_target = UnwrapObject(args.new_target().to_object(), 1));
+rooted!(in(cx) let new_target = UnwrapObjectDynamic(args.new_target().to_object(), cx, 1));
 if new_target.is_null() {
     throw_dom_exception(cx, global.upcast::<GlobalScope>(), Error::Type("new.target is null".to_owned()));
     return false;
@@ -5877,7 +5872,7 @@ def generate_imports(config, cgthings, descriptors, callbacks=None, dictionaries
         'js::glue::RUST_JSID_IS_STRING',
         'js::glue::RUST_SYMBOL_TO_JSID',
         'js::glue::int_to_jsid',
-        'js::glue::UnwrapObject',
+        'js::glue::UnwrapObjectDynamic',
         'js::panic::maybe_resume_unwind',
         'js::panic::wrap_panic',
         'js::rust::GCMethods',
@@ -5959,6 +5954,7 @@ def generate_imports(config, cgthings, descriptors, callbacks=None, dictionaries
         'crate::dom::bindings::conversions::is_array_like',
         'crate::dom::bindings::conversions::native_from_handlevalue',
         'crate::dom::bindings::conversions::native_from_object',
+        'crate::dom::bindings::conversions::native_from_object_static',
         'crate::dom::bindings::conversions::private_from_object',
         'crate::dom::bindings::conversions::root_from_handleobject',
         'crate::dom::bindings::conversions::root_from_handlevalue',
@@ -5979,7 +5975,6 @@ def generate_imports(config, cgthings, descriptors, callbacks=None, dictionaries
         'crate::dom::bindings::proxyhandler::ensure_expando_object',
         'crate::dom::bindings::proxyhandler::fill_property_descriptor',
         'crate::dom::bindings::proxyhandler::get_expando_object',
-        'crate::dom::bindings::proxyhandler::get_property_descriptor',
         'crate::dom::bindings::mozmap::MozMap',
         'std::ptr::NonNull',
         'crate::dom::bindings::num::Finite',

components/script/dom/bindings/conversions.rs

@@ -46,7 +46,7 @@ pub use js::conversions::{ConversionResult, FromJSValConvertible, ToJSValConvert
 use js::error::throw_type_error;
 use js::glue::GetProxyReservedSlot;
 use js::glue::JS_GetReservedSlot;
-use js::glue::{IsWrapper, UnwrapObject};
+use js::glue::{IsWrapper, UnwrapObjectDynamic};
 use js::glue::{RUST_JSID_IS_INT, RUST_JSID_TO_INT};
 use js::glue::{RUST_JSID_IS_STRING, RUST_JSID_TO_STRING};
 use js::jsapi::{Heap, JSContext, JSObject, JSString};
@@ -113,11 +113,11 @@ impl<T: DomObject + IDLInterface> FromJSValConvertible for DomRoot<T> {
     type Config = ();
 
     unsafe fn from_jsval(
-        _cx: *mut JSContext,
+        cx: *mut JSContext,
         value: HandleValue,
         _config: Self::Config,
     ) -> Result<ConversionResult<DomRoot<T>>, ()> {
-        Ok(match root_from_handlevalue(value) {
+        Ok(match root_from_handlevalue(value, cx) {
             Ok(result) => ConversionResult::Success(result),
             Err(()) => ConversionResult::Failure("value is not an object".into()),
         })
@@ -411,6 +411,7 @@ pub unsafe fn get_dom_class(obj: *mut JSObject) -> Result<&'static DOMClass, ()>
 #[inline]
 pub unsafe fn private_from_proto_check<F>(
     mut obj: *mut JSObject,
+    cx: *mut JSContext,
     proto_check: F,
 ) -> Result<*const libc::c_void, ()>
 where
@@ -419,7 +420,7 @@ where
     let dom_class = get_dom_class(obj).or_else(|_| {
         if IsWrapper(obj) {
             trace!("found wrapper");
-            obj = UnwrapObject(obj, /* stopAtWindowProxy = */ 0);
+            obj = UnwrapObjectDynamic(obj, cx, /* stopAtWindowProxy = */ 0);
             if obj.is_null() {
                 trace!("unwrapping security wrapper failed");
                 Err(())
@@ -443,12 +444,44 @@ where
     }
 }
 
+/// Get a `*const libc::c_void` for the given DOM object, unless it is a DOM
+/// wrapper, and checking if the object is of the correct type.
+///
+/// Returns Err(()) if `obj` is a wrapper or if the object is not an object
+/// for a DOM object of the given type (as defined by the proto_id and proto_depth).
+#[inline]
+pub unsafe fn private_from_proto_check_static<F>(
+    obj: *mut JSObject,
+    proto_check: F,
+) -> Result<*const libc::c_void, ()>
+where
+    F: Fn(&'static DOMClass) -> bool,
+{
+    let dom_class = get_dom_class(obj).map_err(|_| ())?;
+    if proto_check(dom_class) {
+        trace!("good prototype");
+        Ok(private_from_object(obj))
+    } else {
+        trace!("bad prototype");
+        Err(())
+    }
+}
+
 /// Get a `*const T` for a DOM object accessible from a `JSObject`.
-pub fn native_from_object<T>(obj: *mut JSObject) -> Result<*const T, ()>
+pub fn native_from_object<T>(obj: *mut JSObject, cx: *mut JSContext) -> Result<*const T, ()>
 where
     T: DomObject + IDLInterface,
 {
-    unsafe { private_from_proto_check(obj, T::derives).map(|ptr| ptr as *const T) }
+    unsafe { private_from_proto_check(obj, cx, T::derives).map(|ptr| ptr as *const T) }
+}
+
+/// Get a `*const T` for a DOM object accessible from a `JSObject`, where the DOM object
+/// is guaranteed not to be a wrapper.
+pub fn native_from_object_static<T>(obj: *mut JSObject) -> Result<*const T, ()>
+where
+    T: DomObject + IDLInterface,
+{
+    unsafe { private_from_proto_check_static(obj, T::derives).map(|ptr| ptr as *const T) }
 }
 
 /// Get a `DomRoot<T>` for the given DOM object, unwrapping any wrapper
@@ -457,43 +490,56 @@ where
 /// Returns Err(()) if `obj` is an opaque security wrapper or if the object is
 /// not a reflector for a DOM object of the given type (as defined by the
 /// proto_id and proto_depth).
-pub fn root_from_object<T>(obj: *mut JSObject) -> Result<DomRoot<T>, ()>
+pub fn root_from_object<T>(obj: *mut JSObject, cx: *mut JSContext) -> Result<DomRoot<T>, ()>
 where
     T: DomObject + IDLInterface,
 {
-    native_from_object(obj).map(|ptr| unsafe { DomRoot::from_ref(&*ptr) })
+    native_from_object(obj, cx).map(|ptr| unsafe { DomRoot::from_ref(&*ptr) })
+}
+
+/// Get a `DomRoot<T>` for the given DOM object, unwrapping any wrapper
+/// around it first, and checking if the object is of the correct type.
+///
+/// Returns Err(()) if `obj` is an opaque security wrapper or if the object is
+/// not a reflector for a DOM object of the given type (as defined by the
+/// proto_id and proto_depth).
+pub fn root_from_object_static<T>(obj: *mut JSObject) -> Result<DomRoot<T>, ()>
+where
+    T: DomObject + IDLInterface,
+{
+    native_from_object_static(obj).map(|ptr| unsafe { DomRoot::from_ref(&*ptr) })
 }
 
 /// Get a `*const T` for a DOM object accessible from a `HandleValue`.
 /// Caller is responsible for throwing a JS exception if needed in case of error.
-pub fn native_from_handlevalue<T>(v: HandleValue) -> Result<*const T, ()>
+pub fn native_from_handlevalue<T>(v: HandleValue, cx: *mut JSContext) -> Result<*const T, ()>
 where
     T: DomObject + IDLInterface,
 {
     if !v.get().is_object() {
         return Err(());
     }
-    native_from_object(v.get().to_object())
+    native_from_object(v.get().to_object(), cx)
 }
 
 /// Get a `DomRoot<T>` for a DOM object accessible from a `HandleValue`.
 /// Caller is responsible for throwing a JS exception if needed in case of error.
-pub fn root_from_handlevalue<T>(v: HandleValue) -> Result<DomRoot<T>, ()>
+pub fn root_from_handlevalue<T>(v: HandleValue, cx: *mut JSContext) -> Result<DomRoot<T>, ()>
 where
     T: DomObject + IDLInterface,
 {
     if !v.get().is_object() {
         return Err(());
     }
-    root_from_object(v.get().to_object())
+    root_from_object(v.get().to_object(), cx)
 }
 
 /// Get a `DomRoot<T>` for a DOM object accessible from a `HandleObject`.
-pub fn root_from_handleobject<T>(obj: HandleObject) -> Result<DomRoot<T>, ()>
+pub fn root_from_handleobject<T>(obj: HandleObject, cx: *mut JSContext) -> Result<DomRoot<T>, ()>
 where
     T: DomObject + IDLInterface,
 {
-    root_from_object(obj.get())
+    root_from_object(obj.get(), cx)
 }
 
 impl<T: DomObject> ToJSValConvertible for DomRoot<T> {

components/script/dom/bindings/error.rs

@@ -207,8 +207,8 @@ impl ErrorInfo {
         })
     }
 
-    fn from_dom_exception(object: HandleObject) -> Option<ErrorInfo> {
-        let exception = match root_from_object::<DOMException>(object.get()) {
+    fn from_dom_exception(object: HandleObject, cx: *mut JSContext) -> Option<ErrorInfo> {
+        let exception = match root_from_object::<DOMException>(object.get(), cx) {
             Ok(exception) => exception,
             Err(_) => return None,
         };
@@ -242,7 +242,7 @@ pub unsafe fn report_pending_exception(cx: *mut JSContext, dispatch_event: bool)
     let error_info = if value.is_object() {
         rooted!(in(cx) let object = value.to_object());
         ErrorInfo::from_native_error(cx, object.handle())
-            .or_else(|| ErrorInfo::from_dom_exception(object.handle()))
+            .or_else(|| ErrorInfo::from_dom_exception(object.handle(), cx))
             .unwrap_or_else(|| ErrorInfo {
                 message: format!("uncaught exception: unknown (can't convert to string)"),
                 filename: String::new(),

components/script/dom/bindings/htmlconstructor.rs

@@ -79,7 +79,7 @@ use crate::dom::window::Window;
 use crate::script_thread::ScriptThread;
 use html5ever::interface::QualName;
 use html5ever::LocalName;
-use js::glue::UnwrapObject;
+use js::glue::UnwrapObjectStatic;
 use js::jsapi::{CallArgs, CurrentGlobalOrNull};
 use js::jsapi::{JSAutoRealm, JSContext, JSObject};
 use js::rust::HandleObject;
@@ -109,7 +109,7 @@ where
         },
     };
 
-    rooted!(in(window.get_cx()) let callee = UnwrapObject(call_args.callee(), 1));
+    rooted!(in(window.get_cx()) let callee = UnwrapObjectStatic(call_args.callee()));
     if callee.is_null() {
         return Err(Error::Security);
     }

components/script/dom/bindings/proxyhandler.rs

@@ -8,17 +8,13 @@
 
 use crate::dom::bindings::conversions::is_dom_proxy;
 use crate::dom::bindings::utils::delete_property_by_id;
-use js::glue::InvokeGetOwnPropertyDescriptor;
-use js::glue::{GetProxyHandler, GetProxyHandlerFamily};
+use js::glue::GetProxyHandlerFamily;
 use js::glue::{GetProxyPrivate, SetProxyPrivate};
-use js::jsapi::GetObjectProto;
 use js::jsapi::GetStaticPrototype;
 use js::jsapi::Handle as RawHandle;
 use js::jsapi::HandleId as RawHandleId;
 use js::jsapi::HandleObject as RawHandleObject;
 use js::jsapi::JS_DefinePropertyById;
-use js::jsapi::JS_GetPropertyDescriptorById;
-use js::jsapi::MutableHandle as RawMutableHandle;
 use js::jsapi::MutableHandleObject as RawMutableHandleObject;
 use js::jsapi::ObjectOpResult;
 use js::jsapi::{DOMProxyShadowsResult, JSContext, JSObject, PropertyDescriptor};
@@ -62,34 +58,6 @@ pub unsafe fn init() {
     SetDOMProxyInformation(GetProxyHandlerFamily(), Some(shadow_check_callback));
 }
 
-/// Invoke the [[GetOwnProperty]] trap (`getOwnPropertyDescriptor`) on `proxy`,
-/// with argument `id` and return the result, if it is not `undefined`.
-/// Otherwise, walk along the prototype chain to find a property with that
-/// name.
-pub unsafe extern "C" fn get_property_descriptor(
-    cx: *mut JSContext,
-    proxy: RawHandleObject,
-    id: RawHandleId,
-    desc: RawMutableHandle<PropertyDescriptor>,
-) -> bool {
-    let handler = GetProxyHandler(proxy.get());
-    if !InvokeGetOwnPropertyDescriptor(handler, cx, proxy, id, desc) {
-        return false;
-    }
-    if !desc.obj.is_null() {
-        return true;
-    }
-
-    rooted!(in(cx) let mut proto = ptr::null_mut::<JSObject>());
-    if !GetObjectProto(cx, proxy, proto.handle_mut().into()) {
-        // FIXME(#11868) Should assign to desc.obj, desc.get() is a copy.
-        desc.get().obj = ptr::null_mut();
-        return true;
-    }
-
-    JS_GetPropertyDescriptorById(cx, proto.handle().into(), id, desc)
-}
-
 /// Defines an expando on the given `proxy`.
 pub unsafe extern "C" fn define_property(
     cx: *mut JSContext,

components/script/dom/bindings/structuredclone.rs

@@ -176,12 +176,12 @@ unsafe extern "C" fn read_callback(
 }
 
 unsafe extern "C" fn write_callback(
-    _cx: *mut JSContext,
+    cx: *mut JSContext,
     w: *mut JSStructuredCloneWriter,
     obj: RawHandleObject,
     _closure: *mut raw::c_void,
 ) -> bool {
-    if let Ok(blob) = root_from_handleobject::<Blob>(Handle::from_raw(obj)) {
+    if let Ok(blob) = root_from_handleobject::<Blob>(Handle::from_raw(obj), cx) {
         return write_blob(blob, w).is_ok();
     }
     return false;

components/script/dom/bindings/trace.rs

@@ -68,7 +68,7 @@ use hyper::StatusCode;
 use indexmap::IndexMap;
 use ipc_channel::ipc::{IpcReceiver, IpcSender};
 use js::glue::{CallObjectTracer, CallValueTracer};
-use js::jsapi::{GCTraceKindToAscii, Heap, JSObject, JSTracer, TraceKind};
+use js::jsapi::{GCTraceKindToAscii, Heap, JSObject, JSTracer, JobQueue, TraceKind};
 use js::jsval::JSVal;
 use js::rust::{GCMethods, Handle, Runtime};
 use js::typedarray::TypedArray;
@@ -162,6 +162,8 @@ unsafe_no_jsmanaged_fields!(Duration);
 
 unsafe_no_jsmanaged_fields!(TexDataType, TexFormat);
 
+unsafe_no_jsmanaged_fields!(*mut JobQueue);
+
 /// Trace a `JSVal`.
 pub fn trace_jsval(tracer: *mut JSTracer, description: &str, val: &Heap<JSVal>) {
     unsafe {

components/script/dom/bindings/utils.rs

@@ -15,12 +15,12 @@ use crate::dom::bindings::trace::trace_object;
 use crate::dom::windowproxy;
 use js::glue::{CallJitGetterOp, CallJitMethodOp, CallJitSetterOp, IsWrapper};
 use js::glue::{GetCrossCompartmentWrapper, JS_GetReservedSlot, WrapperNew};
-use js::glue::{UnwrapObject, RUST_JSID_TO_INT, RUST_JSID_TO_STRING};
+use js::glue::{UnwrapObjectDynamic, RUST_JSID_TO_INT, RUST_JSID_TO_STRING};
 use js::glue::{RUST_FUNCTION_VALUE_TO_JITINFO, RUST_JSID_IS_INT, RUST_JSID_IS_STRING};
 use js::jsapi::HandleId as RawHandleId;
 use js::jsapi::HandleObject as RawHandleObject;
 use js::jsapi::MutableHandleObject as RawMutableHandleObject;
-use js::jsapi::{CallArgs, DOMCallbacks, GetNonCCWObjectGlobal};
+use js::jsapi::{AutoIdVector, CallArgs, DOMCallbacks, GetNonCCWObjectGlobal};
 use js::jsapi::{Heap, JSAutoRealm, JSContext};
 use js::jsapi::{JSJitInfo, JSObject, JSTracer, JSWrapObjectCallbacks};
 use js::jsapi::{JS_EnumerateStandardClasses, JS_GetLatin1StringCharsAndLength};
@@ -210,7 +210,7 @@ pub unsafe fn find_enum_value<'a, T>(
 
 /// Returns wether `obj` is a platform object
 /// <https://heycam.github.io/webidl/#dfn-platform-object>
-pub fn is_platform_object(obj: *mut JSObject) -> bool {
+pub fn is_platform_object(obj: *mut JSObject, cx: *mut JSContext) -> bool {
     unsafe {
         // Fast-path the common case
         let mut clasp = get_object_class(obj);
@@ -219,7 +219,7 @@ pub fn is_platform_object(obj: *mut JSObject) -> bool {
         }
         // Now for simplicity check for security wrappers before anything else
         if IsWrapper(obj) {
-            let unwrapped_obj = UnwrapObject(obj, /* stopAtWindowProxy = */ 0);
+            let unwrapped_obj = UnwrapObjectDynamic(obj, cx, /* stopAtWindowProxy = */ 0);
             if unwrapped_obj.is_null() {
                 return false;
             }
@@ -342,7 +342,12 @@ pub unsafe fn trace_global(tracer: *mut JSTracer, obj: *mut JSObject) {
 }
 
 /// Enumerate lazy properties of a global object.
-pub unsafe extern "C" fn enumerate_global(cx: *mut JSContext, obj: RawHandleObject) -> bool {
+pub unsafe extern "C" fn enumerate_global(
+    cx: *mut JSContext,
+    obj: RawHandleObject,
+    _props: *mut AutoIdVector,
+    _enumerable_only: bool,
+) -> bool {
     assert!(JS_IsGlobalObject(obj.get()));
     if !JS_EnumerateStandardClasses(cx, obj) {
         return false;
@@ -463,7 +468,7 @@ unsafe fn generic_call(
     let depth = (*info).depth;
     let proto_check =
         |class: &'static DOMClass| class.interface_chain[depth as usize] as u16 == proto_id;
-    let this = match private_from_proto_check(obj.get(), proto_check) {
+    let this = match private_from_proto_check(obj.get(), cx, proto_check) {
         Ok(val) => val,
         Err(()) => {
             if is_lenient {