diff options
Diffstat (limited to 'tools/node_modules/expresso/deps/jscoverage/js/jsarray.cpp')
-rw-r--r-- | tools/node_modules/expresso/deps/jscoverage/js/jsarray.cpp | 3426 |
1 files changed, 3426 insertions, 0 deletions
diff --git a/tools/node_modules/expresso/deps/jscoverage/js/jsarray.cpp b/tools/node_modules/expresso/deps/jscoverage/js/jsarray.cpp new file mode 100644 index 0000000..d6a2d83 --- /dev/null +++ b/tools/node_modules/expresso/deps/jscoverage/js/jsarray.cpp @@ -0,0 +1,3426 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- + * vim: set sw=4 ts=8 et tw=78: + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Mozilla Communicator client code, released + * March 31, 1998. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1998 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either of the GNU General Public License Version 2 or later (the "GPL"), + * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +/* + * JS array class. + * + * Array objects begin as "dense" arrays, optimized for numeric-only property + * access over a vector of slots (obj->dslots) with high load factor. Array + * methods optimize for denseness by testing that the object's class is + * &js_ArrayClass, and can then directly manipulate the slots for efficiency. + * + * We track these pieces of metadata for arrays in dense mode: + * - the array's length property as a uint32, in JSSLOT_ARRAY_LENGTH, + * - the number of indices that are filled (non-holes), in JSSLOT_ARRAY_COUNT, + * - the net number of slots starting at dslots (DENSELEN), in dslots[-1] if + * dslots is non-NULL. + * + * In dense mode, holes in the array are represented by JSVAL_HOLE. The final + * slot in fslots (JSSLOT_ARRAY_LOOKUP_HOLDER) is used to store the single jsid + * "in use" by a lookupProperty caller. + * + * Arrays are converted to use js_SlowArrayClass when any of these conditions + * are met: + * - the load factor (COUNT / DENSELEN) is less than 0.25, and there are + * more than MIN_SPARSE_INDEX slots total + * - a property is set that is non-numeric (and not "length"); or + * - a hole is filled below DENSELEN (possibly implicitly through methods like + * |reverse| or |splice|). + * + * In the latter two cases, property creation order is no longer index order, + * which necessitates use of a structure that keeps track of property creation + * order. (ES4, due to expectations baked into web script, requires that + * enumeration order be the order in which properties were created.) + * + * An alternative in the latter case (out-of-order index set) would be to + * maintain the scope to track property enumeration order, but still use + * the fast slot access. That would have the same memory cost as just using + * a js_SlowArrayClass, but have the same performance characteristics as + * a dense array for slot accesses, at some cost in code complexity. + */ +#include "jsstddef.h" +#include <stdlib.h> +#include <string.h> +#include "jstypes.h" +#include "jsutil.h" /* Added by JSIFY */ +#include "jsapi.h" +#include "jsarray.h" +#include "jsatom.h" +#include "jsbit.h" +#include "jsbool.h" +#include "jsbuiltins.h" +#include "jscntxt.h" +#include "jsversion.h" +#include "jsdbgapi.h" /* for js_TraceWatchPoints */ +#include "jsdtoa.h" +#include "jsfun.h" +#include "jsgc.h" +#include "jsinterp.h" +#include "jslock.h" +#include "jsnum.h" +#include "jsobj.h" +#include "jsscope.h" +#include "jsstr.h" +#include "jsstaticcheck.h" + +/* 2^32 - 1 as a number and a string */ +#define MAXINDEX 4294967295u +#define MAXSTR "4294967295" + +/* Small arrays are dense, no matter what. */ +#define MIN_SPARSE_INDEX 32 + +#define INDEX_TOO_BIG(index) ((index) > JS_BIT(29) - 1) +#define INDEX_TOO_SPARSE(array, index) \ + (INDEX_TOO_BIG(index) || \ + ((index) > ARRAY_DENSE_LENGTH(array) && (index) >= MIN_SPARSE_INDEX && \ + (index) > (uint32)((array)->fslots[JSSLOT_ARRAY_COUNT] + 1) * 4)) + +JS_STATIC_ASSERT(sizeof(JSScopeProperty) > 4 * sizeof(jsval)); + +#define ENSURE_SLOW_ARRAY(cx, obj) \ + (OBJ_GET_CLASS(cx, obj) == &js_SlowArrayClass || js_MakeArraySlow(cx, obj)) + +/* + * Determine if the id represents an array index or an XML property index. + * + * An id is an array index according to ECMA by (15.4): + * + * "Array objects give special treatment to a certain class of property names. + * A property name P (in the form of a string value) is an array index if and + * only if ToString(ToUint32(P)) is equal to P and ToUint32(P) is not equal + * to 2^32-1." + * + * In our implementation, it would be sufficient to check for JSVAL_IS_INT(id) + * except that by using signed 32-bit integers we miss the top half of the + * valid range. This function checks the string representation itself; note + * that calling a standard conversion routine might allow strings such as + * "08" or "4.0" as array indices, which they are not. + */ +JSBool +js_IdIsIndex(jsval id, jsuint *indexp) +{ + JSString *str; + jschar *cp; + + if (JSVAL_IS_INT(id)) { + jsint i; + i = JSVAL_TO_INT(id); + if (i < 0) + return JS_FALSE; + *indexp = (jsuint)i; + return JS_TRUE; + } + + /* NB: id should be a string, but jsxml.c may call us with an object id. */ + if (!JSVAL_IS_STRING(id)) + return JS_FALSE; + + str = JSVAL_TO_STRING(id); + cp = JSSTRING_CHARS(str); + if (JS7_ISDEC(*cp) && JSSTRING_LENGTH(str) < sizeof(MAXSTR)) { + jsuint index = JS7_UNDEC(*cp++); + jsuint oldIndex = 0; + jsuint c = 0; + if (index != 0) { + while (JS7_ISDEC(*cp)) { + oldIndex = index; + c = JS7_UNDEC(*cp); + index = 10*index + c; + cp++; + } + } + + /* Ensure that all characters were consumed and we didn't overflow. */ + if (*cp == 0 && + (oldIndex < (MAXINDEX / 10) || + (oldIndex == (MAXINDEX / 10) && c < (MAXINDEX % 10)))) + { + *indexp = index; + return JS_TRUE; + } + } + return JS_FALSE; +} + +static jsuint +ValueIsLength(JSContext *cx, jsval* vp) +{ + jsint i; + jsdouble d; + jsuint length; + + if (JSVAL_IS_INT(*vp)) { + i = JSVAL_TO_INT(*vp); + if (i < 0) + goto error; + return (jsuint) i; + } + + d = js_ValueToNumber(cx, vp); + if (JSVAL_IS_NULL(*vp)) + goto error; + + if (JSDOUBLE_IS_NaN(d)) + goto error; + length = (jsuint) d; + if (d != (jsdouble) length) + goto error; + return length; + + error: + JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, + JSMSG_BAD_ARRAY_LENGTH); + *vp = JSVAL_NULL; + return 0; +} + +JSBool +js_GetLengthProperty(JSContext *cx, JSObject *obj, jsuint *lengthp) +{ + JSTempValueRooter tvr; + jsid id; + JSBool ok; + jsint i; + + if (OBJ_IS_ARRAY(cx, obj)) { + *lengthp = obj->fslots[JSSLOT_ARRAY_LENGTH]; + return JS_TRUE; + } + + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom); + ok = OBJ_GET_PROPERTY(cx, obj, id, &tvr.u.value); + if (ok) { + if (JSVAL_IS_INT(tvr.u.value)) { + i = JSVAL_TO_INT(tvr.u.value); + *lengthp = (jsuint)i; /* jsuint cast does ToUint32 */ + } else { + *lengthp = js_ValueToECMAUint32(cx, &tvr.u.value); + ok = !JSVAL_IS_NULL(tvr.u.value); + } + } + JS_POP_TEMP_ROOT(cx, &tvr); + return ok; +} + +static JSBool +IndexToValue(JSContext *cx, jsuint index, jsval *vp) +{ + if (index <= JSVAL_INT_MAX) { + *vp = INT_TO_JSVAL(index); + return JS_TRUE; + } + return JS_NewDoubleValue(cx, (jsdouble)index, vp); +} + +JSBool JS_FASTCALL +js_IndexToId(JSContext *cx, jsuint index, jsid *idp) +{ + JSString *str; + + if (index <= JSVAL_INT_MAX) { + *idp = INT_TO_JSID(index); + return JS_TRUE; + } + str = js_NumberToString(cx, index); + if (!str) + return JS_FALSE; + return js_ValueToStringId(cx, STRING_TO_JSVAL(str), idp); +} + +static JSBool +BigIndexToId(JSContext *cx, JSObject *obj, jsuint index, JSBool createAtom, + jsid *idp) +{ + jschar buf[10], *start; + JSClass *clasp; + JSAtom *atom; + JS_STATIC_ASSERT((jsuint)-1 == 4294967295U); + + JS_ASSERT(index > JSVAL_INT_MAX); + + start = JS_ARRAY_END(buf); + do { + --start; + *start = (jschar)('0' + index % 10); + index /= 10; + } while (index != 0); + + /* + * Skip the atomization if the class is known to store atoms corresponding + * to big indexes together with elements. In such case we know that the + * array does not have an element at the given index if its atom does not + * exist. Fast arrays (clasp == &js_ArrayClass) don't use atoms for + * any indexes, though it would be rare to see them have a big index + * in any case. + */ + if (!createAtom && + ((clasp = OBJ_GET_CLASS(cx, obj)) == &js_SlowArrayClass || + clasp == &js_ArgumentsClass || + clasp == &js_ObjectClass)) { + atom = js_GetExistingStringAtom(cx, start, JS_ARRAY_END(buf) - start); + if (!atom) { + *idp = JSVAL_VOID; + return JS_TRUE; + } + } else { + atom = js_AtomizeChars(cx, start, JS_ARRAY_END(buf) - start, 0); + if (!atom) + return JS_FALSE; + } + + *idp = ATOM_TO_JSID(atom); + return JS_TRUE; +} + +static JSBool +ResizeSlots(JSContext *cx, JSObject *obj, uint32 oldlen, uint32 len) +{ + jsval *slots, *newslots; + + if (len == 0) { + if (obj->dslots) { + JS_free(cx, obj->dslots - 1); + obj->dslots = NULL; + } + return JS_TRUE; + } + + if (len > ~(uint32)0 / sizeof(jsval)) { + js_ReportAllocationOverflow(cx); + return JS_FALSE; + } + + slots = obj->dslots ? obj->dslots - 1 : NULL; + newslots = (jsval *) JS_realloc(cx, slots, sizeof (jsval) * (len + 1)); + if (!newslots) + return JS_FALSE; + + obj->dslots = newslots + 1; + ARRAY_SET_DENSE_LENGTH(obj, len); + + for (slots = obj->dslots + oldlen; slots < obj->dslots + len; slots++) + *slots = JSVAL_HOLE; + + return JS_TRUE; +} + +static JSBool +EnsureLength(JSContext *cx, JSObject *obj, uint32 len) +{ + uint32 oldlen = ARRAY_DENSE_LENGTH(obj); + + if (len > oldlen) { + return ResizeSlots(cx, obj, oldlen, + len + ARRAY_GROWBY - (len % ARRAY_GROWBY)); + } + return JS_TRUE; +} + +/* + * If the property at the given index exists, get its value into location + * pointed by vp and set *hole to false. Otherwise set *hole to true and *vp + * to JSVAL_VOID. This function assumes that the location pointed by vp is + * properly rooted and can be used as GC-protected storage for temporaries. + */ +static JSBool +GetArrayElement(JSContext *cx, JSObject *obj, jsuint index, JSBool *hole, + jsval *vp) +{ + jsid id; + JSObject *obj2; + JSProperty *prop; + + if (OBJ_IS_DENSE_ARRAY(cx, obj) && index < ARRAY_DENSE_LENGTH(obj) && + (*vp = obj->dslots[index]) != JSVAL_HOLE) { + *hole = JS_FALSE; + return JS_TRUE; + } + + if (index <= JSVAL_INT_MAX) { + id = INT_TO_JSID(index); + } else { + if (!BigIndexToId(cx, obj, index, JS_FALSE, &id)) + return JS_FALSE; + if (JSVAL_IS_VOID(id)) { + *hole = JS_TRUE; + *vp = JSVAL_VOID; + return JS_TRUE; + } + } + + if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop)) + return JS_FALSE; + if (!prop) { + *hole = JS_TRUE; + *vp = JSVAL_VOID; + } else { + OBJ_DROP_PROPERTY(cx, obj2, prop); + if (!OBJ_GET_PROPERTY(cx, obj, id, vp)) + return JS_FALSE; + *hole = JS_FALSE; + } + return JS_TRUE; +} + +/* + * Set the value of the property at the given index to v assuming v is rooted. + */ +static JSBool +SetArrayElement(JSContext *cx, JSObject *obj, jsuint index, jsval v) +{ + jsid id; + + if (OBJ_IS_DENSE_ARRAY(cx, obj)) { + /* Predicted/prefeched code should favor the remains-dense case. */ + if (!INDEX_TOO_SPARSE(obj, index)) { + if (!EnsureLength(cx, obj, index + 1)) + return JS_FALSE; + if (index >= (uint32)obj->fslots[JSSLOT_ARRAY_LENGTH]) + obj->fslots[JSSLOT_ARRAY_LENGTH] = index + 1; + if (obj->dslots[index] == JSVAL_HOLE) + obj->fslots[JSSLOT_ARRAY_COUNT]++; + obj->dslots[index] = v; + return JS_TRUE; + } + + if (!js_MakeArraySlow(cx, obj)) + return JS_FALSE; + } + + if (index <= JSVAL_INT_MAX) { + id = INT_TO_JSID(index); + } else { + if (!BigIndexToId(cx, obj, index, JS_TRUE, &id)) + return JS_FALSE; + JS_ASSERT(!JSVAL_IS_VOID(id)); + } + return OBJ_SET_PROPERTY(cx, obj, id, &v); +} + +static JSBool +DeleteArrayElement(JSContext *cx, JSObject *obj, jsuint index) +{ + jsid id; + jsval junk; + + if (OBJ_IS_DENSE_ARRAY(cx, obj)) { + if (index < ARRAY_DENSE_LENGTH(obj)) { + if (obj->dslots[index] != JSVAL_HOLE) + obj->fslots[JSSLOT_ARRAY_COUNT]--; + obj->dslots[index] = JSVAL_HOLE; + } + return JS_TRUE; + } + + if (index <= JSVAL_INT_MAX) { + id = INT_TO_JSID(index); + } else { + if (!BigIndexToId(cx, obj, index, JS_FALSE, &id)) + return JS_FALSE; + if (JSVAL_IS_VOID(id)) + return JS_TRUE; + } + return OBJ_DELETE_PROPERTY(cx, obj, id, &junk); +} + +/* + * When hole is true, delete the property at the given index. Otherwise set + * its value to v assuming v is rooted. + */ +static JSBool +SetOrDeleteArrayElement(JSContext *cx, JSObject *obj, jsuint index, + JSBool hole, jsval v) +{ + if (hole) { + JS_ASSERT(JSVAL_IS_VOID(v)); + return DeleteArrayElement(cx, obj, index); + } + return SetArrayElement(cx, obj, index, v); +} + +JSBool +js_SetLengthProperty(JSContext *cx, JSObject *obj, jsuint length) +{ + jsval v; + jsid id; + + if (!IndexToValue(cx, length, &v)) + return JS_FALSE; + id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom); + return OBJ_SET_PROPERTY(cx, obj, id, &v); +} + +JSBool +js_HasLengthProperty(JSContext *cx, JSObject *obj, jsuint *lengthp) +{ + JSErrorReporter older; + JSTempValueRooter tvr; + jsid id; + JSBool ok; + + older = JS_SetErrorReporter(cx, NULL); + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom); + ok = OBJ_GET_PROPERTY(cx, obj, id, &tvr.u.value); + JS_SetErrorReporter(cx, older); + if (ok) { + *lengthp = ValueIsLength(cx, &tvr.u.value); + ok = !JSVAL_IS_NULL(tvr.u.value); + } + JS_POP_TEMP_ROOT(cx, &tvr); + return ok; +} + +JSBool +js_IsArrayLike(JSContext *cx, JSObject *obj, JSBool *answerp, jsuint *lengthp) +{ + JSClass *clasp; + + clasp = OBJ_GET_CLASS(cx, obj); + *answerp = (clasp == &js_ArgumentsClass || clasp == &js_ArrayClass || + clasp == &js_SlowArrayClass); + if (!*answerp) { + *lengthp = 0; + return JS_TRUE; + } + return js_GetLengthProperty(cx, obj, lengthp); +} + +/* + * The 'length' property of all native Array instances is a shared permanent + * property of Array.prototype, so it appears to be a direct property of each + * array instance delegating to that Array.prototype. It accesses the private + * slot reserved by js_ArrayClass. + * + * Since SpiderMonkey supports cross-class prototype-based delegation, we have + * to be careful about the length getter and setter being called on an object + * not of Array class. For the getter, we search obj's prototype chain for the + * array that caused this getter to be invoked. In the setter case to overcome + * the JSPROP_SHARED attribute, we must define a shadowing length property. + */ +static JSBool +array_length_getter(JSContext *cx, JSObject *obj, jsval id, jsval *vp) +{ + do { + if (OBJ_IS_ARRAY(cx, obj)) + return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], vp); + } while ((obj = OBJ_GET_PROTO(cx, obj)) != NULL); + return JS_TRUE; +} + +static JSBool +array_length_setter(JSContext *cx, JSObject *obj, jsval id, jsval *vp) +{ + jsuint newlen, oldlen, gap, index; + jsval junk; + JSObject *iter; + JSTempValueRooter tvr; + JSBool ok; + + if (!OBJ_IS_ARRAY(cx, obj)) { + jsid lengthId = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom); + + return OBJ_DEFINE_PROPERTY(cx, obj, lengthId, *vp, NULL, NULL, + JSPROP_ENUMERATE, NULL); + } + + newlen = ValueIsLength(cx, vp); + if (JSVAL_IS_NULL(*vp)) + return JS_FALSE; + oldlen = obj->fslots[JSSLOT_ARRAY_LENGTH]; + + if (oldlen == newlen) + return JS_TRUE; + + if (!IndexToValue(cx, newlen, vp)) + return JS_FALSE; + + if (oldlen < newlen) { + obj->fslots[JSSLOT_ARRAY_LENGTH] = newlen; + return JS_TRUE; + } + + if (OBJ_IS_DENSE_ARRAY(cx, obj)) { + if (ARRAY_DENSE_LENGTH(obj) && !ResizeSlots(cx, obj, oldlen, newlen)) + return JS_FALSE; + } else if (oldlen - newlen < (1 << 24)) { + do { + --oldlen; + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) || + !DeleteArrayElement(cx, obj, oldlen)) { + return JS_FALSE; + } + } while (oldlen != newlen); + } else { + /* + * We are going to remove a lot of indexes in a presumably sparse + * array. So instead of looping through indexes between newlen and + * oldlen, we iterate through all properties and remove those that + * correspond to indexes in the half-open range [newlen, oldlen). See + * bug 322135. + */ + iter = JS_NewPropertyIterator(cx, obj); + if (!iter) + return JS_FALSE; + + /* Protect iter against GC in OBJ_DELETE_PROPERTY. */ + JS_PUSH_TEMP_ROOT_OBJECT(cx, iter, &tvr); + gap = oldlen - newlen; + for (;;) { + ok = (JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + JS_NextProperty(cx, iter, &id)); + if (!ok) + break; + if (JSVAL_IS_VOID(id)) + break; + if (js_IdIsIndex(id, &index) && index - newlen < gap) { + ok = OBJ_DELETE_PROPERTY(cx, obj, id, &junk); + if (!ok) + break; + } + } + JS_POP_TEMP_ROOT(cx, &tvr); + if (!ok) + return JS_FALSE; + } + + obj->fslots[JSSLOT_ARRAY_LENGTH] = newlen; + return JS_TRUE; +} + +static JSBool +array_lookupProperty(JSContext *cx, JSObject *obj, jsid id, JSObject **objp, + JSProperty **propp) +{ + uint32 i; + union { JSProperty *p; jsval *v; } u; + + if (!OBJ_IS_DENSE_ARRAY(cx, obj)) + return js_LookupProperty(cx, obj, id, objp, propp); + + /* + * We have only indexed properties up to DENSELEN (excepting holes), plus + * the length property. For all else, we delegate to the prototype. + */ + if (id != ATOM_TO_JSID(cx->runtime->atomState.lengthAtom) && + (!js_IdIsIndex(id, &i) || + obj->fslots[JSSLOT_ARRAY_LENGTH] == 0 || + i >= ARRAY_DENSE_LENGTH(obj) || + obj->dslots[i] == JSVAL_HOLE)) + { + JSObject *proto = STOBJ_GET_PROTO(obj); + + if (!proto) { + *objp = NULL; + *propp = NULL; + return JS_TRUE; + } + + return OBJ_LOOKUP_PROPERTY(cx, proto, id, objp, propp); + } + + /* FIXME 417501: threadsafety: could race with a lookup on another thread. + * If we can only have a single lookup active per context, we could + * pigeonhole this on the context instead. */ + JS_ASSERT(JSVAL_IS_VOID(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER])); + obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER] = (jsval) id; + u.v = &(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]); + *propp = u.p; + *objp = obj; + return JS_TRUE; +} + +static void +array_dropProperty(JSContext *cx, JSObject *obj, JSProperty *prop) +{ + JS_ASSERT_IF(OBJ_IS_DENSE_ARRAY(cx, obj), + !JSVAL_IS_VOID(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER])); +#ifdef DEBUG + obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER] = JSVAL_VOID; +#endif +} + +static JSBool +array_getProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp) +{ + uint32 i; + + if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) + return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], vp); + + if (id == ATOM_TO_JSID(cx->runtime->atomState.protoAtom)) { + *vp = STOBJ_GET_SLOT(obj, JSSLOT_PROTO); + return JS_TRUE; + } + + if (!OBJ_IS_DENSE_ARRAY(cx, obj)) + return js_GetProperty(cx, obj, id, vp); + + if (!js_IdIsIndex(ID_TO_VALUE(id), &i) || i >= ARRAY_DENSE_LENGTH(obj) || + obj->dslots[i] == JSVAL_HOLE) { + JSObject *obj2; + JSProperty *prop; + JSScopeProperty *sprop; + + JSObject *proto = STOBJ_GET_PROTO(obj); + if (!proto) { + *vp = JSVAL_VOID; + return JS_TRUE; + } + + *vp = JSVAL_VOID; + if (js_LookupPropertyWithFlags(cx, proto, id, cx->resolveFlags, + &obj2, &prop) < 0) + return JS_FALSE; + + if (prop) { + if (OBJ_IS_NATIVE(obj2)) { + sprop = (JSScopeProperty *) prop; + if (!js_NativeGet(cx, obj, obj2, sprop, vp)) + return JS_FALSE; + } + OBJ_DROP_PROPERTY(cx, obj2, prop); + } + return JS_TRUE; + } + + *vp = obj->dslots[i]; + return JS_TRUE; +} + +static JSBool +slowarray_addProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp) +{ + jsuint index, length; + + if (!js_IdIsIndex(id, &index)) + return JS_TRUE; + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (index >= length) + obj->fslots[JSSLOT_ARRAY_LENGTH] = index + 1; + return JS_TRUE; +} + +static void +slowarray_trace(JSTracer *trc, JSObject *obj) +{ + uint32 length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + + JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_SlowArrayClass); + + /* + * Move JSSLOT_ARRAY_LENGTH aside to prevent the GC from treating + * untagged integer values as objects or strings. + */ + obj->fslots[JSSLOT_ARRAY_LENGTH] = JSVAL_VOID; + js_TraceObject(trc, obj); + obj->fslots[JSSLOT_ARRAY_LENGTH] = length; +} + +static JSObjectOps js_SlowArrayObjectOps; + +static JSObjectOps * +slowarray_getObjectOps(JSContext *cx, JSClass *clasp) +{ + return &js_SlowArrayObjectOps; +} + +static JSBool +array_setProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp) +{ + uint32 i; + + if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) + return array_length_setter(cx, obj, id, vp); + + if (!OBJ_IS_DENSE_ARRAY(cx, obj)) + return js_SetProperty(cx, obj, id, vp); + + if (!js_IdIsIndex(id, &i) || INDEX_TOO_SPARSE(obj, i)) { + if (!js_MakeArraySlow(cx, obj)) + return JS_FALSE; + return js_SetProperty(cx, obj, id, vp); + } + + if (!EnsureLength(cx, obj, i + 1)) + return JS_FALSE; + + if (i >= (uint32)obj->fslots[JSSLOT_ARRAY_LENGTH]) + obj->fslots[JSSLOT_ARRAY_LENGTH] = i + 1; + if (obj->dslots[i] == JSVAL_HOLE) + obj->fslots[JSSLOT_ARRAY_COUNT]++; + obj->dslots[i] = *vp; + return JS_TRUE; +} + +#ifdef JS_TRACER +JSBool FASTCALL +js_Array_dense_setelem(JSContext* cx, JSObject* obj, jsint i, jsval v) +{ + JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj)); + + do { + jsuint length = ARRAY_DENSE_LENGTH(obj); + if ((jsuint)i < length) { + if (obj->dslots[i] == JSVAL_HOLE) { + if (cx->runtime->anyArrayProtoHasElement) + break; + if (i >= obj->fslots[JSSLOT_ARRAY_LENGTH]) + obj->fslots[JSSLOT_ARRAY_LENGTH] = i + 1; + obj->fslots[JSSLOT_ARRAY_COUNT]++; + } + obj->dslots[i] = v; + return JS_TRUE; + } + } while (0); + return OBJ_SET_PROPERTY(cx, obj, INT_TO_JSID(i), &v); +} +#endif + +static JSBool +array_defineProperty(JSContext *cx, JSObject *obj, jsid id, jsval value, + JSPropertyOp getter, JSPropertyOp setter, uintN attrs, + JSProperty **propp) +{ + uint32 i; + JSBool isIndex; + + if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) + return JS_TRUE; + + isIndex = js_IdIsIndex(ID_TO_VALUE(id), &i); + if (!isIndex || attrs != JSPROP_ENUMERATE) { + if (!ENSURE_SLOW_ARRAY(cx, obj)) + return JS_FALSE; + if (isIndex && STOBJ_IS_DELEGATE(obj)) + cx->runtime->anyArrayProtoHasElement = JS_TRUE; + return js_DefineProperty(cx, obj, id, value, getter, setter, attrs, propp); + } + + return array_setProperty(cx, obj, id, &value); +} + +static JSBool +array_getAttributes(JSContext *cx, JSObject *obj, jsid id, JSProperty *prop, + uintN *attrsp) +{ + *attrsp = id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom) + ? JSPROP_PERMANENT : JSPROP_ENUMERATE; + return JS_TRUE; +} + +static JSBool +array_setAttributes(JSContext *cx, JSObject *obj, jsid id, JSProperty *prop, + uintN *attrsp) +{ + JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, + JSMSG_CANT_SET_ARRAY_ATTRS); + return JS_FALSE; +} + +static JSBool +array_deleteProperty(JSContext *cx, JSObject *obj, jsval id, jsval *rval) +{ + uint32 i; + + if (!OBJ_IS_DENSE_ARRAY(cx, obj)) + return js_DeleteProperty(cx, obj, id, rval); + + if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) { + *rval = JSVAL_FALSE; + return JS_TRUE; + } + + if (js_IdIsIndex(id, &i) && i < ARRAY_DENSE_LENGTH(obj) && + obj->dslots[i] != JSVAL_HOLE) { + obj->fslots[JSSLOT_ARRAY_COUNT]--; + obj->dslots[i] = JSVAL_HOLE; + } + + *rval = JSVAL_TRUE; + return JS_TRUE; +} + +/* + * JSObjectOps.enumerate implementation. + * + * For a fast array, JSENUMERATE_INIT captures in the enumeration state both + * the length of the array and the bitmap indicating the positions of holes in + * the array. This ensures that adding or deleting array elements does not + * affect the sequence of indexes JSENUMERATE_NEXT returns. + * + * For a common case of an array without holes, to represent the state we pack + * the (nextEnumerationIndex, arrayLength) pair as a pseudo-boolean jsval. + * This is possible when length <= PACKED_UINT_PAIR_BITS. For arrays with + * greater length or holes we allocate the JSIndexIterState structure and + * store it as an int-tagged private pointer jsval. For a slow array we + * delegate the enumeration implementation to js_Enumerate in + * slowarray_enumerate. + * + * Array mutations can turn a fast array into a slow one after the enumeration + * starts. When this happens, slowarray_enumerate receives a state created + * when the array was fast. To distinguish such fast state from a slow state, + * which is an int-tagged pointer that js_Enumerate creates, we set not one + * but two lowest bits when tagging a JSIndexIterState pointer -- see + * INDEX_ITER_TAG usage below. Thus, when slowarray_enumerate receives a state + * tagged with JSVAL_BOOLEAN or with two lowest bits set, it knows that this + * is a fast state so it calls array_enumerate to continue enumerating the + * indexes present in the original fast array. + */ + +#define PACKED_UINT_PAIR_BITS 14 +#define PACKED_UINT_PAIR_MASK JS_BITMASK(PACKED_UINT_PAIR_BITS) + +#define UINT_PAIR_TO_BOOLEAN_JSVAL(i,j) \ + (JS_ASSERT((uint32) (i) <= PACKED_UINT_PAIR_MASK), \ + JS_ASSERT((uint32) (j) <= PACKED_UINT_PAIR_MASK), \ + ((jsval) (i) << (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)) | \ + ((jsval) (j) << (JSVAL_TAGBITS)) | \ + (jsval) JSVAL_BOOLEAN) + +#define BOOLEAN_JSVAL_TO_UINT_PAIR(v,i,j) \ + (JS_ASSERT(JSVAL_TAG(v) == JSVAL_BOOLEAN), \ + (i) = (uint32) ((v) >> (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)), \ + (j) = (uint32) ((v) >> JSVAL_TAGBITS) & PACKED_UINT_PAIR_MASK, \ + JS_ASSERT((i) <= PACKED_UINT_PAIR_MASK)) + +JS_STATIC_ASSERT(PACKED_UINT_PAIR_BITS * 2 + JSVAL_TAGBITS <= JS_BITS_PER_WORD); + +typedef struct JSIndexIterState { + uint32 index; + uint32 length; + JSBool hasHoles; + + /* + * Variable-length bitmap representing array's holes. It must not be + * accessed when hasHoles is false. + */ + jsbitmap holes[1]; +} JSIndexIterState; + +#define INDEX_ITER_TAG 3 + +JS_STATIC_ASSERT(JSVAL_INT == 1); + +static JSBool +array_enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op, + jsval *statep, jsid *idp) +{ + uint32 length, i; + JSIndexIterState *ii; + + switch (enum_op) { + case JSENUMERATE_INIT: + JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj)); + length = ARRAY_DENSE_LENGTH(obj); + if (idp) + *idp = INT_TO_JSVAL(obj->fslots[JSSLOT_ARRAY_COUNT]); + ii = NULL; + for (i = 0; i != length; ++i) { + if (obj->dslots[i] == JSVAL_HOLE) { + if (!ii) { + ii = (JSIndexIterState *) + JS_malloc(cx, offsetof(JSIndexIterState, holes) + + JS_BITMAP_SIZE(length)); + if (!ii) + return JS_FALSE; + ii->hasHoles = JS_TRUE; + memset(ii->holes, 0, JS_BITMAP_SIZE(length)); + } + JS_SET_BIT(ii->holes, i); + } + } + if (!ii) { + /* Array has no holes. */ + if (length <= PACKED_UINT_PAIR_MASK) { + *statep = UINT_PAIR_TO_BOOLEAN_JSVAL(0, length); + break; + } + ii = (JSIndexIterState *) + JS_malloc(cx, offsetof(JSIndexIterState, holes)); + if (!ii) + return JS_FALSE; + ii->hasHoles = JS_FALSE; + } + ii->index = 0; + ii->length = length; + *statep = (jsval) ii | INDEX_ITER_TAG; + JS_ASSERT(*statep & JSVAL_INT); + break; + + case JSENUMERATE_NEXT: + if (JSVAL_TAG(*statep) == JSVAL_BOOLEAN) { + BOOLEAN_JSVAL_TO_UINT_PAIR(*statep, i, length); + if (i != length) { + *idp = INT_TO_JSID(i); + *statep = UINT_PAIR_TO_BOOLEAN_JSVAL(i + 1, length); + break; + } + } else { + JS_ASSERT((*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG); + ii = (JSIndexIterState *) (*statep & ~INDEX_ITER_TAG); + i = ii->index; + if (i != ii->length) { + /* Skip holes if any. */ + if (ii->hasHoles) { + while (JS_TEST_BIT(ii->holes, i) && ++i != ii->length) + continue; + } + if (i != ii->length) { + ii->index = i + 1; + return js_IndexToId(cx, i, idp); + } + } + } + /* FALL THROUGH */ + + case JSENUMERATE_DESTROY: + if (JSVAL_TAG(*statep) != JSVAL_BOOLEAN) { + JS_ASSERT((*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG); + ii = (JSIndexIterState *) (*statep & ~INDEX_ITER_TAG); + JS_free(cx, ii); + } + *statep = JSVAL_NULL; + break; + } + return JS_TRUE; +} + +static JSBool +slowarray_enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op, + jsval *statep, jsid *idp) +{ + JSBool ok; + + /* Are we continuing an enumeration that started when we were dense? */ + if (enum_op != JSENUMERATE_INIT) { + if (JSVAL_TAG(*statep) == JSVAL_BOOLEAN || + (*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG) { + return array_enumerate(cx, obj, enum_op, statep, idp); + } + JS_ASSERT((*statep & INDEX_ITER_TAG) == JSVAL_INT); + } + ok = js_Enumerate(cx, obj, enum_op, statep, idp); + JS_ASSERT(*statep == JSVAL_NULL || (*statep & INDEX_ITER_TAG) == JSVAL_INT); + return ok; +} + +static void +array_finalize(JSContext *cx, JSObject *obj) +{ + if (obj->dslots) + JS_free(cx, obj->dslots - 1); + obj->dslots = NULL; +} + +static void +array_trace(JSTracer *trc, JSObject *obj) +{ + uint32 length; + size_t i; + jsval v; + + JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj)); + + length = ARRAY_DENSE_LENGTH(obj); + for (i = 0; i < length; i++) { + v = obj->dslots[i]; + if (JSVAL_IS_TRACEABLE(v)) { + JS_SET_TRACING_INDEX(trc, "array_dslots", i); + JS_CallTracer(trc, JSVAL_TO_TRACEABLE(v), JSVAL_TRACE_KIND(v)); + } + } + + for (i = JSSLOT_PROTO; i <= JSSLOT_PARENT; ++i) { + v = STOBJ_GET_SLOT(obj, i); + if (JSVAL_IS_TRACEABLE(v)) { + JS_SET_TRACING_DETAILS(trc, js_PrintObjectSlotName, obj, i); + JS_CallTracer(trc, JSVAL_TO_TRACEABLE(v), JSVAL_TRACE_KIND(v)); + } + } +} + +static JSObjectMap * +array_newObjectMap(JSContext *cx, jsrefcount nrefs, JSObjectOps *ops, + JSClass *clasp, JSObject *obj) +{ +#ifdef DEBUG + extern JSClass js_ArrayClass; + extern JSObjectOps js_ArrayObjectOps; +#endif + JSObjectMap *map = (JSObjectMap *) JS_malloc(cx, sizeof(*map)); + if (!map) + return NULL; + + map->nrefs = nrefs; + JS_ASSERT(ops == &js_ArrayObjectOps); + map->ops = ops; + JS_ASSERT(clasp == &js_ArrayClass); + map->freeslot = JSSLOT_FREE(clasp); + + return map; +} + +void +array_destroyObjectMap(JSContext *cx, JSObjectMap *map) +{ + JS_free(cx, map); +} + +JSObjectOps js_ArrayObjectOps = { + array_newObjectMap, array_destroyObjectMap, + array_lookupProperty, array_defineProperty, + array_getProperty, array_setProperty, + array_getAttributes, array_setAttributes, + array_deleteProperty, js_DefaultValue, + array_enumerate, js_CheckAccess, + NULL, array_dropProperty, + NULL, NULL, + NULL, js_HasInstance, + js_SetProtoOrParent, js_SetProtoOrParent, + array_trace, NULL, + NULL, NULL +}; + +static JSObjectOps * +array_getObjectOps(JSContext *cx, JSClass *clasp) +{ + return &js_ArrayObjectOps; +} + +JSClass js_ArrayClass = { + "Array", + JSCLASS_HAS_PRIVATE | JSCLASS_HAS_CACHED_PROTO(JSProto_Array) | + JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_NEW_ENUMERATE, + JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, + JS_EnumerateStub, JS_ResolveStub, js_TryValueOf, array_finalize, + array_getObjectOps, NULL, NULL, NULL, + NULL, NULL, NULL, NULL +}; + +JSClass js_SlowArrayClass = { + "Array", + JSCLASS_HAS_PRIVATE | JSCLASS_HAS_CACHED_PROTO(JSProto_Array), + slowarray_addProperty, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, + JS_EnumerateStub, JS_ResolveStub, js_TryValueOf, JS_FinalizeStub, + slowarray_getObjectOps, NULL, NULL, NULL, + NULL, NULL, NULL, NULL +}; + +/* + * Convert an array object from fast-and-dense to slow-and-flexible. + */ +JSBool +js_MakeArraySlow(JSContext *cx, JSObject *obj) +{ + JSObjectMap *map, *oldmap; + uint32 i, length; + + JS_ASSERT(OBJ_GET_CLASS(cx, obj) == &js_ArrayClass); + + /* Create a native scope. */ + map = js_NewObjectMap(cx, obj->map->nrefs, &js_SlowArrayObjectOps, + &js_SlowArrayClass, obj); + if (!map) + return JS_FALSE; + + length = ARRAY_DENSE_LENGTH(obj); + if (length) { + map->freeslot = STOBJ_NSLOTS(obj) + JS_INITIAL_NSLOTS; + obj->dslots[-1] = JS_INITIAL_NSLOTS + length; + } else { + map->freeslot = STOBJ_NSLOTS(obj); + } + + /* Create new properties pointing to existing values in dslots */ + for (i = 0; i < length; i++) { + jsid id; + JSScopeProperty *sprop; + + if (!JS_ValueToId(cx, INT_TO_JSVAL(i), &id)) + goto out_bad; + + if (obj->dslots[i] == JSVAL_HOLE) { + obj->dslots[i] = JSVAL_VOID; + continue; + } + + sprop = js_AddScopeProperty(cx, (JSScope *)map, id, NULL, NULL, + i + JS_INITIAL_NSLOTS, JSPROP_ENUMERATE, + 0, 0); + if (!sprop) + goto out_bad; + } + + /* + * Render our formerly-reserved count property GC-safe. If length fits in + * a jsval, set our slow/sparse COUNT to the current length as a jsval, so + * we can tell when only named properties have been added to a dense array + * to make it slow-but-not-sparse. + */ + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + obj->fslots[JSSLOT_ARRAY_COUNT] = INT_FITS_IN_JSVAL(length) + ? INT_TO_JSVAL(length) + : JSVAL_VOID; + + /* Make sure we preserve any flags borrowing bits in classword. */ + obj->classword ^= (jsuword) &js_ArrayClass; + obj->classword |= (jsuword) &js_SlowArrayClass; + + /* Swap in our new map. */ + oldmap = obj->map; + obj->map = map; + array_destroyObjectMap(cx, oldmap); + + return JS_TRUE; + +out_bad: + js_DestroyObjectMap(cx, map); + return JS_FALSE; +} + +enum ArrayToStringOp { + TO_STRING, + TO_LOCALE_STRING, + TO_SOURCE +}; + +/* + * When op is TO_STRING or TO_LOCALE_STRING sep indicates a separator to use + * or "," when sep is NULL. + * When op is TO_SOURCE sep must be NULL. + */ +static JSBool +array_join_sub(JSContext *cx, JSObject *obj, enum ArrayToStringOp op, + JSString *sep, jsval *rval) +{ + JSBool ok, hole; + jsuint length, index; + jschar *chars, *ochars; + size_t nchars, growth, seplen, tmplen, extratail; + const jschar *sepstr; + JSString *str; + JSHashEntry *he; + JSAtom *atom; + + JS_CHECK_RECURSION(cx, return JS_FALSE); + + ok = js_GetLengthProperty(cx, obj, &length); + if (!ok) + return JS_FALSE; + + he = js_EnterSharpObject(cx, obj, NULL, &chars); + if (!he) + return JS_FALSE; +#ifdef DEBUG + growth = (size_t) -1; +#endif + + if (op == TO_SOURCE) { + if (IS_SHARP(he)) { +#if JS_HAS_SHARP_VARS + nchars = js_strlen(chars); +#else + chars[0] = '['; + chars[1] = ']'; + chars[2] = 0; + nchars = 2; +#endif + goto make_string; + } + + /* + * Always allocate 2 extra chars for closing ']' and terminating 0 + * and then preallocate 1 + extratail to include starting '['. + */ + extratail = 2; + growth = (1 + extratail) * sizeof(jschar); + if (!chars) { + nchars = 0; + chars = (jschar *) malloc(growth); + if (!chars) + goto done; + } else { + MAKE_SHARP(he); + nchars = js_strlen(chars); + growth += nchars * sizeof(jschar); + chars = (jschar *)realloc((ochars = chars), growth); + if (!chars) { + free(ochars); + goto done; + } + } + chars[nchars++] = '['; + JS_ASSERT(sep == NULL); + sepstr = NULL; /* indicates to use ", " as separator */ + seplen = 2; + } else { + /* + * Free any sharp variable definition in chars. Normally, we would + * MAKE_SHARP(he) so that only the first sharp variable annotation is + * a definition, and all the rest are references, but in the current + * case of (op != TO_SOURCE), we don't need chars at all. + */ + if (chars) + JS_free(cx, chars); + chars = NULL; + nchars = 0; + extratail = 1; /* allocate extra char for terminating 0 */ + + /* Return the empty string on a cycle as well as on empty join. */ + if (IS_BUSY(he) || length == 0) { + js_LeaveSharpObject(cx, NULL); + *rval = JS_GetEmptyStringValue(cx); + return ok; + } + + /* Flag he as BUSY so we can distinguish a cycle from a join-point. */ + MAKE_BUSY(he); + + if (sep) { + JSSTRING_CHARS_AND_LENGTH(sep, sepstr, seplen); + } else { + sepstr = NULL; /* indicates to use "," as separator */ + seplen = 1; + } + } + + /* Use rval to locally root each element value as we loop and convert. */ + for (index = 0; index < length; index++) { + ok = (JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, index, &hole, rval)); + if (!ok) + goto done; + if (hole || + (op != TO_SOURCE && + (JSVAL_IS_VOID(*rval) || JSVAL_IS_NULL(*rval)))) { + str = cx->runtime->emptyString; + } else { + if (op == TO_LOCALE_STRING) { + JSObject *robj; + + atom = cx->runtime->atomState.toLocaleStringAtom; + ok = js_ValueToObject(cx, *rval, &robj); + if (ok) { + /* Re-use *rval to protect robj temporarily. */ + *rval = OBJECT_TO_JSVAL(robj); + ok = js_TryMethod(cx, robj, atom, 0, NULL, rval); + } + if (!ok) + goto done; + str = js_ValueToString(cx, *rval); + } else if (op == TO_STRING) { + str = js_ValueToString(cx, *rval); + } else { + JS_ASSERT(op == TO_SOURCE); + str = js_ValueToSource(cx, *rval); + } + if (!str) { + ok = JS_FALSE; + goto done; + } + } + + /* + * Do not append separator after the last element unless it is a hole + * and we are in toSource. In that case we append single ",". + */ + if (index + 1 == length) + seplen = (hole && op == TO_SOURCE) ? 1 : 0; + + /* Allocate 1 at end for closing bracket and zero. */ + tmplen = JSSTRING_LENGTH(str); + growth = nchars + tmplen + seplen + extratail; + if (nchars > growth || tmplen > growth || + growth > (size_t)-1 / sizeof(jschar)) { + if (chars) { + free(chars); + chars = NULL; + } + goto done; + } + growth *= sizeof(jschar); + JS_COUNT_OPERATION(cx, JSOW_ALLOCATION); + if (!chars) { + chars = (jschar *) malloc(growth); + if (!chars) + goto done; + } else { + chars = (jschar *) realloc((ochars = chars), growth); + if (!chars) { + free(ochars); + goto done; + } + } + + js_strncpy(&chars[nchars], JSSTRING_CHARS(str), tmplen); + nchars += tmplen; + + if (seplen) { + if (sepstr) { + js_strncpy(&chars[nchars], sepstr, seplen); + } else { + JS_ASSERT(seplen == 1 || seplen == 2); + chars[nchars] = ','; + if (seplen == 2) + chars[nchars + 1] = ' '; + } + nchars += seplen; + } + } + + done: + if (op == TO_SOURCE) { + if (chars) + chars[nchars++] = ']'; + } else { + CLEAR_BUSY(he); + } + js_LeaveSharpObject(cx, NULL); + if (!ok) { + if (chars) + free(chars); + return ok; + } + + make_string: + if (!chars) { + JS_ReportOutOfMemory(cx); + return JS_FALSE; + } + chars[nchars] = 0; + JS_ASSERT(growth == (size_t)-1 || (nchars + 1) * sizeof(jschar) == growth); + str = js_NewString(cx, chars, nchars); + if (!str) { + free(chars); + return JS_FALSE; + } + *rval = STRING_TO_JSVAL(str); + return JS_TRUE; +} + +#if JS_HAS_TOSOURCE +static JSBool +array_toSource(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + + obj = JS_THIS_OBJECT(cx, vp); + if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass && + !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) { + return JS_FALSE; + } + return array_join_sub(cx, obj, TO_SOURCE, NULL, vp); +} +#endif + +static JSBool +array_toString(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + + obj = JS_THIS_OBJECT(cx, vp); + if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass && + !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) { + return JS_FALSE; + } + return array_join_sub(cx, obj, TO_STRING, NULL, vp); +} + +static JSBool +array_toLocaleString(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + + obj = JS_THIS_OBJECT(cx, vp); + if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass && + !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) { + return JS_FALSE; + } + + /* + * Passing comma here as the separator. Need a way to get a + * locale-specific version. + */ + return array_join_sub(cx, obj, TO_LOCALE_STRING, NULL, vp); +} + +static JSBool +InitArrayElements(JSContext *cx, JSObject *obj, jsuint start, jsuint end, + jsval *vector) +{ + if (OBJ_IS_DENSE_ARRAY(cx, obj)) { + if (!EnsureLength(cx, obj, end)) + return JS_FALSE; + + if (end > (uint32)obj->fslots[JSSLOT_ARRAY_LENGTH]) + obj->fslots[JSSLOT_ARRAY_LENGTH] = end; + + memcpy(obj->dslots + start, vector, sizeof(jsval) * (end - start)); + return JS_TRUE; + } + + while (start != end) { + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) || + !SetArrayElement(cx, obj, start++, *vector++)) { + return JS_FALSE; + } + } + return JS_TRUE; +} + +static JSBool +InitArrayObject(JSContext *cx, JSObject *obj, jsuint length, jsval *vector, + JSBool holey = JS_FALSE) +{ + JS_ASSERT(OBJ_IS_ARRAY(cx, obj)); + + obj->fslots[JSSLOT_ARRAY_LENGTH] = length; + + if (vector) { + if (!EnsureLength(cx, obj, length)) + return JS_FALSE; + + jsuint count = length; + if (!holey) { + memcpy(obj->dslots, vector, length * sizeof (jsval)); + } else { + for (jsuint i = 0; i < length; i++) { + if (vector[i] == JSVAL_HOLE) + --count; + obj->dslots[i] = vector[i]; + } + } + obj->fslots[JSSLOT_ARRAY_COUNT] = count; + } else { + obj->fslots[JSSLOT_ARRAY_COUNT] = 0; + } + return JS_TRUE; +} + +#ifdef JS_TRACER +static JSString* FASTCALL +Array_p_join(JSContext* cx, JSObject* obj, JSString *str) +{ + jsval v; + if (!array_join_sub(cx, obj, TO_STRING, str, &v)) + return NULL; + JS_ASSERT(JSVAL_IS_STRING(v)); + return JSVAL_TO_STRING(v); +} + +static JSString* FASTCALL +Array_p_toString(JSContext* cx, JSObject* obj) +{ + jsval v; + if (!array_join_sub(cx, obj, TO_STRING, NULL, &v)) + return NULL; + JS_ASSERT(JSVAL_IS_STRING(v)); + return JSVAL_TO_STRING(v); +} +#endif + +/* + * Perl-inspired join, reverse, and sort. + */ +static JSBool +array_join(JSContext *cx, uintN argc, jsval *vp) +{ + JSString *str; + JSObject *obj; + + if (argc == 0 || JSVAL_IS_VOID(vp[2])) { + str = NULL; + } else { + str = js_ValueToString(cx, vp[2]); + if (!str) + return JS_FALSE; + vp[2] = STRING_TO_JSVAL(str); + } + obj = JS_THIS_OBJECT(cx, vp); + return obj && array_join_sub(cx, obj, TO_STRING, str, vp); +} + +static JSBool +array_reverse(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + JSTempValueRooter tvr; + jsuint len, half, i; + JSBool ok, hole, hole2; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &len)) + return JS_FALSE; + + ok = JS_TRUE; + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + half = len / 2; + for (i = 0; i < half; i++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, i, &hole, &tvr.u.value) && + GetArrayElement(cx, obj, len - i - 1, &hole2, vp) && + SetOrDeleteArrayElement(cx, obj, len - i - 1, hole, tvr.u.value) && + SetOrDeleteArrayElement(cx, obj, i, hole2, *vp); + if (!ok) + break; + } + JS_POP_TEMP_ROOT(cx, &tvr); + + *vp = OBJECT_TO_JSVAL(obj); + return ok; +} + +typedef struct MSortArgs { + size_t elsize; + JSComparator cmp; + void *arg; + JSBool fastcopy; +} MSortArgs; + +/* Helper function for js_MergeSort. */ +static JSBool +MergeArrays(MSortArgs *msa, void *src, void *dest, size_t run1, size_t run2) +{ + void *arg, *a, *b, *c; + size_t elsize, runtotal; + int cmp_result; + JSComparator cmp; + JSBool fastcopy; + + runtotal = run1 + run2; + + elsize = msa->elsize; + cmp = msa->cmp; + arg = msa->arg; + fastcopy = msa->fastcopy; + +#define CALL_CMP(a, b) \ + if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE; + + /* Copy runs already in sorted order. */ + b = (char *)src + run1 * elsize; + a = (char *)b - elsize; + CALL_CMP(a, b); + if (cmp_result <= 0) { + memcpy(dest, src, runtotal * elsize); + return JS_TRUE; + } + +#define COPY_ONE(p,q,n) \ + (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n)) + + a = src; + c = dest; + for (; runtotal != 0; runtotal--) { + JSBool from_a = run2 == 0; + if (!from_a && run1 != 0) { + CALL_CMP(a,b); + from_a = cmp_result <= 0; + } + + if (from_a) { + COPY_ONE(c, a, elsize); + run1--; + a = (char *)a + elsize; + } else { + COPY_ONE(c, b, elsize); + run2--; + b = (char *)b + elsize; + } + c = (char *)c + elsize; + } +#undef COPY_ONE +#undef CALL_CMP + + return JS_TRUE; +} + +/* + * This sort is stable, i.e. sequence of equal elements is preserved. + * See also bug #224128. + */ +JSBool +js_MergeSort(void *src, size_t nel, size_t elsize, + JSComparator cmp, void *arg, void *tmp) +{ + void *swap, *vec1, *vec2; + MSortArgs msa; + size_t i, j, lo, hi, run; + JSBool fastcopy; + int cmp_result; + + /* Avoid memcpy overhead for word-sized and word-aligned elements. */ + fastcopy = (elsize == sizeof(jsval) && + (((jsuword) src | (jsuword) tmp) & JSVAL_ALIGN) == 0); +#define COPY_ONE(p,q,n) \ + (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n)) +#define CALL_CMP(a, b) \ + if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE; +#define INS_SORT_INT 4 + + /* + * Apply insertion sort to small chunks to reduce the number of merge + * passes needed. + */ + for (lo = 0; lo < nel; lo += INS_SORT_INT) { + hi = lo + INS_SORT_INT; + if (hi >= nel) + hi = nel; + for (i = lo + 1; i < hi; i++) { + vec1 = (char *)src + i * elsize; + vec2 = (char *)vec1 - elsize; + for (j = i; j > lo; j--) { + CALL_CMP(vec2, vec1); + /* "<=" instead of "<" insures the sort is stable */ + if (cmp_result <= 0) { + break; + } + + /* Swap elements, using "tmp" as tmp storage */ + COPY_ONE(tmp, vec2, elsize); + COPY_ONE(vec2, vec1, elsize); + COPY_ONE(vec1, tmp, elsize); + vec1 = vec2; + vec2 = (char *)vec1 - elsize; + } + } + } +#undef CALL_CMP +#undef COPY_ONE + + msa.elsize = elsize; + msa.cmp = cmp; + msa.arg = arg; + msa.fastcopy = fastcopy; + + vec1 = src; + vec2 = tmp; + for (run = INS_SORT_INT; run < nel; run *= 2) { + for (lo = 0; lo < nel; lo += 2 * run) { + hi = lo + run; + if (hi >= nel) { + memcpy((char *)vec2 + lo * elsize, (char *)vec1 + lo * elsize, + (nel - lo) * elsize); + break; + } + if (!MergeArrays(&msa, (char *)vec1 + lo * elsize, + (char *)vec2 + lo * elsize, run, + hi + run > nel ? nel - hi : run)) { + return JS_FALSE; + } + } + swap = vec1; + vec1 = vec2; + vec2 = swap; + } + if (src != vec1) + memcpy(src, tmp, nel * elsize); + + return JS_TRUE; +} + +typedef struct CompareArgs { + JSContext *context; + jsval fval; + jsval *elemroot; /* stack needed for js_Invoke */ +} CompareArgs; + +static JSBool +sort_compare(void *arg, const void *a, const void *b, int *result) +{ + jsval av = *(const jsval *)a, bv = *(const jsval *)b; + CompareArgs *ca = (CompareArgs *) arg; + JSContext *cx = ca->context; + jsval *invokevp, *sp; + jsdouble cmp; + + /** + * array_sort deals with holes and undefs on its own and they should not + * come here. + */ + JS_ASSERT(!JSVAL_IS_VOID(av)); + JS_ASSERT(!JSVAL_IS_VOID(bv)); + + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP)) + return JS_FALSE; + + invokevp = ca->elemroot; + sp = invokevp; + *sp++ = ca->fval; + *sp++ = JSVAL_NULL; + *sp++ = av; + *sp++ = bv; + + if (!js_Invoke(cx, 2, invokevp, 0)) + return JS_FALSE; + + cmp = js_ValueToNumber(cx, invokevp); + if (JSVAL_IS_NULL(*invokevp)) + return JS_FALSE; + + /* Clamp cmp to -1, 0, 1. */ + *result = 0; + if (!JSDOUBLE_IS_NaN(cmp) && cmp != 0) + *result = cmp > 0 ? 1 : -1; + + /* + * XXX else report some kind of error here? ECMA talks about 'consistent + * compare functions' that don't return NaN, but is silent about what the + * result should be. So we currently ignore it. + */ + + return JS_TRUE; +} + +static int +sort_compare_strings(void *arg, const void *a, const void *b, int *result) +{ + jsval av = *(const jsval *)a, bv = *(const jsval *)b; + + JS_ASSERT(JSVAL_IS_STRING(av)); + JS_ASSERT(JSVAL_IS_STRING(bv)); + if (!JS_CHECK_OPERATION_LIMIT((JSContext *)arg, JSOW_JUMP)) + return JS_FALSE; + + *result = (int) js_CompareStrings(JSVAL_TO_STRING(av), JSVAL_TO_STRING(bv)); + return JS_TRUE; +} + +/* + * The array_sort function below assumes JSVAL_NULL is zero in order to + * perform initialization using memset. Other parts of SpiderMonkey likewise + * "know" that JSVAL_NULL is zero; this static assertion covers all cases. + */ +JS_STATIC_ASSERT(JSVAL_NULL == 0); + +static JSBool +array_sort(JSContext *cx, uintN argc, jsval *vp) +{ + jsval *argv, fval, *vec, *mergesort_tmp, v; + JSObject *obj; + CompareArgs ca; + jsuint len, newlen, i, undefs; + JSTempValueRooter tvr; + JSBool hole; + bool ok; + size_t elemsize; + JSString *str; + + /* + * Optimize the default compare function case if all of obj's elements + * have values of type string. + */ + JSBool all_strings; + + argv = JS_ARGV(cx, vp); + if (argc > 0) { + if (JSVAL_IS_PRIMITIVE(argv[0])) { + JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, + JSMSG_BAD_SORT_ARG); + return JS_FALSE; + } + fval = argv[0]; /* non-default compare function */ + } else { + fval = JSVAL_NULL; + } + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &len)) + return JS_FALSE; + if (len == 0) { + *vp = OBJECT_TO_JSVAL(obj); + return JS_TRUE; + } + + /* + * We need a temporary array of 2 * len jsvals to hold the array elements + * and the scratch space for merge sort. Check that its size does not + * overflow size_t, which would allow for indexing beyond the end of the + * malloc'd vector. + */ +#if JS_BITS_PER_WORD == 32 + if ((size_t)len > ~(size_t)0 / (2 * sizeof(jsval))) { + js_ReportAllocationOverflow(cx); + return JS_FALSE; + } +#endif + vec = (jsval *) JS_malloc(cx, 2 * (size_t) len * sizeof(jsval)); + if (!vec) + return JS_FALSE; + + /* + * Initialize vec as a root. We will clear elements of vec one by + * one while increasing tvr.count when we know that the property at + * the corresponding index exists and its value must be rooted. + * + * In this way when sorting a huge mostly sparse array we will not + * access the tail of vec corresponding to properties that do not + * exist, allowing OS to avoiding committing RAM. See bug 330812. + * + * After this point control must flow through label out: to exit. + */ + JS_PUSH_TEMP_ROOT(cx, 0, vec, &tvr); + + /* + * By ECMA 262, 15.4.4.11, a property that does not exist (which we + * call a "hole") is always greater than an existing property with + * value undefined and that is always greater than any other property. + * Thus to sort holes and undefs we simply count them, sort the rest + * of elements, append undefs after them and then make holes after + * undefs. + */ + undefs = 0; + newlen = 0; + all_strings = JS_TRUE; + for (i = 0; i < len; i++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP); + if (!ok) + goto out; + + /* Clear vec[newlen] before including it in the rooted set. */ + vec[newlen] = JSVAL_NULL; + tvr.count = newlen + 1; + ok = GetArrayElement(cx, obj, i, &hole, &vec[newlen]); + if (!ok) + goto out; + + if (hole) + continue; + + if (JSVAL_IS_VOID(vec[newlen])) { + ++undefs; + continue; + } + + /* We know JSVAL_IS_STRING yields 0 or 1, so avoid a branch via &=. */ + all_strings &= JSVAL_IS_STRING(vec[newlen]); + + ++newlen; + } + + if (newlen == 0) { + /* The array has only holes and undefs. */ + ok = JS_TRUE; + goto out; + } + + /* + * The first newlen elements of vec are copied from the array object + * (above). The remaining newlen positions are used as GC-rooted scratch + * space for mergesort. We must clear the space before including it to + * the root set covered by tvr.count. We assume JSVAL_NULL==0 to optimize + * initialization using memset. + */ + mergesort_tmp = vec + newlen; + memset(mergesort_tmp, 0, newlen * sizeof(jsval)); + tvr.count = newlen * 2; + + /* Here len == 2 * (newlen + undefs + number_of_holes). */ + if (fval == JSVAL_NULL) { + /* + * Sort using the default comparator converting all elements to + * strings. + */ + if (all_strings) { + elemsize = sizeof(jsval); + } else { + /* + * To avoid string conversion on each compare we do it only once + * prior to sorting. But we also need the space for the original + * values to recover the sorting result. To reuse + * sort_compare_strings we move the original values to the odd + * indexes in vec, put the string conversion results in the even + * indexes and pass 2 * sizeof(jsval) as an element size to the + * sorting function. In this way sort_compare_strings will only + * see the string values when it casts the compare arguments as + * pointers to jsval. + * + * This requires doubling the temporary storage including the + * scratch space for the merge sort. Since vec already contains + * the rooted scratch space for newlen elements at the tail, we + * can use it to rearrange and convert to strings first and try + * realloc only when we know that we successfully converted all + * the elements. + */ +#if JS_BITS_PER_WORD == 32 + if ((size_t)newlen > ~(size_t)0 / (4 * sizeof(jsval))) { + js_ReportAllocationOverflow(cx); + ok = JS_FALSE; + goto out; + } +#endif + + /* + * Rearrange and string-convert the elements of the vector from + * the tail here and, after sorting, move the results back + * starting from the start to prevent overwrite the existing + * elements. + */ + i = newlen; + do { + --i; + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP); + if (!ok) + goto out; + v = vec[i]; + str = js_ValueToString(cx, v); + if (!str) { + ok = JS_FALSE; + goto out; + } + vec[2 * i] = STRING_TO_JSVAL(str); + vec[2 * i + 1] = v; + } while (i != 0); + + JS_ASSERT(tvr.u.array == vec); + vec = (jsval *) JS_realloc(cx, vec, + 4 * (size_t) newlen * sizeof(jsval)); + if (!vec) { + vec = tvr.u.array; + ok = JS_FALSE; + goto out; + } + tvr.u.array = vec; + mergesort_tmp = vec + 2 * newlen; + memset(mergesort_tmp, 0, newlen * 2 * sizeof(jsval)); + tvr.count = newlen * 4; + elemsize = 2 * sizeof(jsval); + } + ok = js_MergeSort(vec, (size_t) newlen, elemsize, + sort_compare_strings, cx, mergesort_tmp); + if (!ok) + goto out; + if (!all_strings) { + /* + * We want to make the following loop fast and to unroot the + * cached results of toString invocations before the operation + * callback has a chance to run the GC. For this reason we do + * not call JS_CHECK_OPERATION_LIMIT in the loop. + */ + i = 0; + do { + vec[i] = vec[2 * i + 1]; + } while (++i != newlen); + } + } else { + void *mark; + + ca.context = cx; + ca.fval = fval; + ca.elemroot = js_AllocStack(cx, 2 + 2, &mark); + if (!ca.elemroot) { + ok = JS_FALSE; + goto out; + } + ok = js_MergeSort(vec, (size_t) newlen, sizeof(jsval), + sort_compare, &ca, mergesort_tmp); + js_FreeStack(cx, mark); + if (!ok) + goto out; + } + + /* + * We no longer need to root the scratch space for the merge sort, so + * unroot it now to make the job of a potential GC under InitArrayElements + * easier. + */ + tvr.count = newlen; + ok = InitArrayElements(cx, obj, 0, newlen, vec); + if (!ok) + goto out; + + out: + JS_POP_TEMP_ROOT(cx, &tvr); + JS_free(cx, vec); + if (!ok) + return JS_FALSE; + + /* Set undefs that sorted after the rest of elements. */ + while (undefs != 0) { + --undefs; + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) || + !SetArrayElement(cx, obj, newlen++, JSVAL_VOID)) { + return JS_FALSE; + } + } + + /* Re-create any holes that sorted to the end of the array. */ + while (len > newlen) { + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) || + !DeleteArrayElement(cx, obj, --len)) { + return JS_FALSE; + } + } + *vp = OBJECT_TO_JSVAL(obj); + return JS_TRUE; +} + +/* + * Perl-inspired push, pop, shift, unshift, and splice methods. + */ +static JSBool +array_push_slowly(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) +{ + jsuint length, newlength; + + if (!js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + newlength = length + argc; + if (!InitArrayElements(cx, obj, length, newlength, argv)) + return JS_FALSE; + + /* Per ECMA-262, return the new array length. */ + if (!IndexToValue(cx, newlength, rval)) + return JS_FALSE; + return js_SetLengthProperty(cx, obj, newlength); +} + +static JSBool +array_push1_dense(JSContext* cx, JSObject* obj, jsval v, jsval *rval) +{ + uint32 length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (INDEX_TOO_SPARSE(obj, length)) { + if (!js_MakeArraySlow(cx, obj)) + return JS_FALSE; + return array_push_slowly(cx, obj, 1, &v, rval); + } + + if (!EnsureLength(cx, obj, length + 1)) + return JS_FALSE; + obj->fslots[JSSLOT_ARRAY_LENGTH] = length + 1; + + JS_ASSERT(obj->dslots[length] == JSVAL_HOLE); + obj->fslots[JSSLOT_ARRAY_COUNT]++; + obj->dslots[length] = v; + return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], rval); +} + +#ifdef JS_TRACER +static jsval FASTCALL +Array_p_push1(JSContext* cx, JSObject* obj, jsval v) +{ + if (OBJ_IS_DENSE_ARRAY(cx, obj) + ? array_push1_dense(cx, obj, v, &v) + : array_push_slowly(cx, obj, 1, &v, &v)) { + return v; + } + return JSVAL_ERROR_COOKIE; +} +#endif + +static JSBool +array_push(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + + /* Insist on one argument and obj of the expected class. */ + obj = JS_THIS_OBJECT(cx, vp); + if (!obj) + return JS_FALSE; + if (argc != 1 || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return array_push_slowly(cx, obj, argc, vp + 2, vp); + + return array_push1_dense(cx, obj, vp[2], vp); +} + +static JSBool +array_pop_slowly(JSContext *cx, JSObject* obj, jsval *vp) +{ + jsuint index; + JSBool hole; + + if (!js_GetLengthProperty(cx, obj, &index)) + return JS_FALSE; + if (index == 0) { + *vp = JSVAL_VOID; + } else { + index--; + + /* Get the to-be-deleted property's value into vp. */ + if (!GetArrayElement(cx, obj, index, &hole, vp)) + return JS_FALSE; + if (!hole && !DeleteArrayElement(cx, obj, index)) + return JS_FALSE; + } + return js_SetLengthProperty(cx, obj, index); +} + +static JSBool +array_pop_dense(JSContext *cx, JSObject* obj, jsval *vp) +{ + jsuint index; + JSBool hole; + + index = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (index == 0) { + *vp = JSVAL_VOID; + return JS_TRUE; + } + index--; + if (!GetArrayElement(cx, obj, index, &hole, vp)) + return JS_FALSE; + if (!hole && !DeleteArrayElement(cx, obj, index)) + return JS_FALSE; + obj->fslots[JSSLOT_ARRAY_LENGTH] = index; + return JS_TRUE; + +} + +#ifdef JS_TRACER +static jsval FASTCALL +Array_p_pop(JSContext* cx, JSObject* obj) +{ + jsval v; + if (OBJ_IS_DENSE_ARRAY(cx, obj) + ? array_pop_dense(cx, obj, &v) + : array_pop_slowly(cx, obj, &v)) { + return v; + } + return JSVAL_ERROR_COOKIE; +} +#endif + +static JSBool +array_pop(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj) + return JS_FALSE; + if (OBJ_IS_DENSE_ARRAY(cx, obj)) + return array_pop_dense(cx, obj, vp); + return array_pop_slowly(cx, obj, vp); +} + +static JSBool +array_shift(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + jsuint length, i; + JSBool hole, ok; + JSTempValueRooter tvr; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + if (length == 0) { + *vp = JSVAL_VOID; + } else { + length--; + + /* Get the to-be-deleted property's value into vp ASAP. */ + if (!GetArrayElement(cx, obj, 0, &hole, vp)) + return JS_FALSE; + + /* Slide down the array above the first element. */ + ok = JS_TRUE; + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + for (i = 0; i != length; i++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, i + 1, &hole, &tvr.u.value) && + SetOrDeleteArrayElement(cx, obj, i, hole, tvr.u.value); + if (!ok) + break; + } + JS_POP_TEMP_ROOT(cx, &tvr); + if (!ok) + return JS_FALSE; + + /* Delete the only or last element when it exist. */ + if (!hole && !DeleteArrayElement(cx, obj, length)) + return JS_FALSE; + } + return js_SetLengthProperty(cx, obj, length); +} + +static JSBool +array_unshift(JSContext *cx, uintN argc, jsval *vp) +{ + JSObject *obj; + jsval *argv; + jsuint length, last; + JSBool hole, ok; + JSTempValueRooter tvr; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + if (argc > 0) { + /* Slide up the array to make room for argc at the bottom. */ + argv = JS_ARGV(cx, vp); + if (length > 0) { + last = length; + ok = JS_TRUE; + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + do { + --last; + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, last, &hole, &tvr.u.value) && + SetOrDeleteArrayElement(cx, obj, last + argc, hole, + tvr.u.value); + if (!ok) + break; + } while (last != 0); + JS_POP_TEMP_ROOT(cx, &tvr); + if (!ok) + return JS_FALSE; + } + + /* Copy from argv to the bottom of the array. */ + if (!InitArrayElements(cx, obj, 0, argc, argv)) + return JS_FALSE; + + length += argc; + if (!js_SetLengthProperty(cx, obj, length)) + return JS_FALSE; + } + + /* Follow Perl by returning the new array length. */ + return IndexToValue(cx, length, vp); +} + +static JSBool +array_splice(JSContext *cx, uintN argc, jsval *vp) +{ + jsval *argv; + JSObject *obj; + jsuint length, begin, end, count, delta, last; + jsdouble d; + JSBool hole, ok; + JSObject *obj2; + JSTempValueRooter tvr; + + /* + * Create a new array value to return. Our ECMA v2 proposal specs + * that splice always returns an array value, even when given no + * arguments. We think this is best because it eliminates the need + * for callers to do an extra test to handle the empty splice case. + */ + obj2 = js_NewArrayObject(cx, 0, NULL); + if (!obj2) + return JS_FALSE; + *vp = OBJECT_TO_JSVAL(obj2); + + /* Nothing to do if no args. Otherwise get length. */ + if (argc == 0) + return JS_TRUE; + argv = JS_ARGV(cx, vp); + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + + /* Convert the first argument into a starting index. */ + d = js_ValueToNumber(cx, argv); + if (JSVAL_IS_NULL(*argv)) + return JS_FALSE; + d = js_DoubleToInteger(d); + if (d < 0) { + d += length; + if (d < 0) + d = 0; + } else if (d > length) { + d = length; + } + begin = (jsuint)d; /* d has been clamped to uint32 */ + argc--; + argv++; + + /* Convert the second argument from a count into a fencepost index. */ + delta = length - begin; + if (argc == 0) { + count = delta; + end = length; + } else { + d = js_ValueToNumber(cx, argv); + if (JSVAL_IS_NULL(*argv)) + return JS_FALSE; + d = js_DoubleToInteger(d); + if (d < 0) + d = 0; + else if (d > delta) + d = delta; + count = (jsuint)d; + end = begin + count; + argc--; + argv++; + } + + MUST_FLOW_THROUGH("out"); + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + + /* If there are elements to remove, put them into the return value. */ + if (count > 0) { + for (last = begin; last < end; last++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, last, &hole, &tvr.u.value); + if (!ok) + goto out; + + /* Copy tvr.u.value to new array unless it's a hole. */ + if (!hole) { + ok = SetArrayElement(cx, obj2, last - begin, tvr.u.value); + if (!ok) + goto out; + } + } + + ok = js_SetLengthProperty(cx, obj2, end - begin); + if (!ok) + goto out; + } + + /* Find the direction (up or down) to copy and make way for argv. */ + if (argc > count) { + delta = (jsuint)argc - count; + last = length; + /* (uint) end could be 0, so can't use vanilla >= test */ + while (last-- > end) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, last, &hole, &tvr.u.value) && + SetOrDeleteArrayElement(cx, obj, last + delta, hole, + tvr.u.value); + if (!ok) + goto out; + } + length += delta; + } else if (argc < count) { + delta = count - (jsuint)argc; + for (last = end; last < length; last++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, last, &hole, &tvr.u.value) && + SetOrDeleteArrayElement(cx, obj, last - delta, hole, + tvr.u.value); + if (!ok) + goto out; + } + length -= delta; + } + + /* Copy from argv into the hole to complete the splice. */ + ok = InitArrayElements(cx, obj, begin, begin + argc, argv); + if (!ok) + goto out; + + /* Update length in case we deleted elements from the end. */ + ok = js_SetLengthProperty(cx, obj, length); + +out: + JS_POP_TEMP_ROOT(cx, &tvr); + return ok; +} + +/* + * Python-esque sequence operations. + */ +static JSBool +array_concat(JSContext *cx, uintN argc, jsval *vp) +{ + jsval *argv, v; + JSObject *aobj, *nobj; + jsuint length, alength, slot; + uintN i; + JSBool hole, ok; + JSTempValueRooter tvr; + + /* Treat our |this| object as the first argument; see ECMA 15.4.4.4. */ + argv = JS_ARGV(cx, vp) - 1; + JS_ASSERT(JS_THIS_OBJECT(cx, vp) == JSVAL_TO_OBJECT(argv[0])); + + /* Create a new Array object and root it using *vp. */ + aobj = JS_THIS_OBJECT(cx, vp); + if (OBJ_IS_DENSE_ARRAY(cx, aobj)) { + /* + * Clone aobj but pass the minimum of its length and capacity (aka + * "dense length"), to handle a = [1,2,3]; a.length = 10000 "dense" + * cases efficiently. In such a case we'll pass 8 (not 3) due to the + * ARRAY_GROWBY over-allocation policy, which will cause nobj to be + * over-allocated to 16. But in the normal case where length is <= + * capacity, nobj and aobj will have the same dense length. + */ + length = aobj->fslots[JSSLOT_ARRAY_LENGTH]; + jsuint capacity = ARRAY_DENSE_LENGTH(aobj); + nobj = js_NewArrayObject(cx, JS_MIN(length, capacity), aobj->dslots, + aobj->fslots[JSSLOT_ARRAY_COUNT] != + (jsval) length); + if (!nobj) + return JS_FALSE; + nobj->fslots[JSSLOT_ARRAY_LENGTH] = length; + *vp = OBJECT_TO_JSVAL(nobj); + if (argc == 0) + return JS_TRUE; + argc--; + argv++; + } else { + nobj = js_NewArrayObject(cx, 0, NULL); + if (!nobj) + return JS_FALSE; + *vp = OBJECT_TO_JSVAL(nobj); + length = 0; + } + + MUST_FLOW_THROUGH("out"); + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + + /* Loop over [0, argc] to concat args into nobj, expanding all Arrays. */ + for (i = 0; i <= argc; i++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP); + if (!ok) + goto out; + v = argv[i]; + if (!JSVAL_IS_PRIMITIVE(v)) { + JSObject *wobj; + + aobj = JSVAL_TO_OBJECT(v); + wobj = js_GetWrappedObject(cx, aobj); + if (OBJ_IS_ARRAY(cx, wobj)) { + ok = OBJ_GET_PROPERTY(cx, aobj, + ATOM_TO_JSID(cx->runtime->atomState + .lengthAtom), + &tvr.u.value); + if (!ok) + goto out; + alength = ValueIsLength(cx, &tvr.u.value); + ok = !JSVAL_IS_NULL(tvr.u.value); + if (!ok) + goto out; + for (slot = 0; slot < alength; slot++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, aobj, slot, &hole, + &tvr.u.value); + if (!ok) + goto out; + + /* + * Per ECMA 262, 15.4.4.4, step 9, ignore non-existent + * properties. + */ + if (!hole) { + ok = SetArrayElement(cx, nobj, length + slot, + tvr.u.value); + if (!ok) + goto out; + } + } + length += alength; + continue; + } + } + + ok = SetArrayElement(cx, nobj, length, v); + if (!ok) + goto out; + length++; + } + + ok = js_SetLengthProperty(cx, nobj, length); + +out: + JS_POP_TEMP_ROOT(cx, &tvr); + return ok; +} + +static JSBool +array_slice(JSContext *cx, uintN argc, jsval *vp) +{ + jsval *argv; + JSObject *nobj, *obj; + jsuint length, begin, end, slot; + jsdouble d; + JSBool hole, ok; + JSTempValueRooter tvr; + + argv = JS_ARGV(cx, vp); + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + begin = 0; + end = length; + + if (argc > 0) { + d = js_ValueToNumber(cx, &argv[0]); + if (JSVAL_IS_NULL(argv[0])) + return JS_FALSE; + d = js_DoubleToInteger(d); + if (d < 0) { + d += length; + if (d < 0) + d = 0; + } else if (d > length) { + d = length; + } + begin = (jsuint)d; + + if (argc > 1) { + d = js_ValueToNumber(cx, &argv[1]); + if (JSVAL_IS_NULL(argv[1])) + return JS_FALSE; + d = js_DoubleToInteger(d); + if (d < 0) { + d += length; + if (d < 0) + d = 0; + } else if (d > length) { + d = length; + } + end = (jsuint)d; + } + } + + if (begin > end) + begin = end; + + if (OBJ_IS_DENSE_ARRAY(cx, obj) && end <= ARRAY_DENSE_LENGTH(obj)) { + nobj = js_NewArrayObject(cx, end - begin, obj->dslots + begin, + obj->fslots[JSSLOT_ARRAY_COUNT] != + obj->fslots[JSSLOT_ARRAY_LENGTH]); + if (!nobj) + return JS_FALSE; + *vp = OBJECT_TO_JSVAL(nobj); + return JS_TRUE; + } + + /* Create a new Array object and root it using *vp. */ + nobj = js_NewArrayObject(cx, 0, NULL); + if (!nobj) + return JS_FALSE; + *vp = OBJECT_TO_JSVAL(nobj); + + MUST_FLOW_THROUGH("out"); + JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr); + + for (slot = begin; slot < end; slot++) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, slot, &hole, &tvr.u.value); + if (!ok) + goto out; + if (!hole) { + ok = SetArrayElement(cx, nobj, slot - begin, tvr.u.value); + if (!ok) + goto out; + } + } + ok = js_SetLengthProperty(cx, nobj, end - begin); + +out: + JS_POP_TEMP_ROOT(cx, &tvr); + return ok; +} + +#if JS_HAS_ARRAY_EXTRAS + +static JSBool +array_indexOfHelper(JSContext *cx, JSBool isLast, uintN argc, jsval *vp) +{ + JSObject *obj; + jsuint length, i, stop; + jsval tosearch; + jsint direction; + JSBool hole; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + if (length == 0) + goto not_found; + + if (argc <= 1) { + i = isLast ? length - 1 : 0; + tosearch = (argc != 0) ? vp[2] : JSVAL_VOID; + } else { + jsdouble start; + + tosearch = vp[2]; + start = js_ValueToNumber(cx, &vp[3]); + if (JSVAL_IS_NULL(vp[3])) + return JS_FALSE; + start = js_DoubleToInteger(start); + if (start < 0) { + start += length; + if (start < 0) { + if (isLast) + goto not_found; + i = 0; + } else { + i = (jsuint)start; + } + } else if (start >= length) { + if (!isLast) + goto not_found; + i = length - 1; + } else { + i = (jsuint)start; + } + } + + if (isLast) { + stop = 0; + direction = -1; + } else { + stop = length - 1; + direction = 1; + } + + for (;;) { + if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) || + !GetArrayElement(cx, obj, (jsuint)i, &hole, vp)) { + return JS_FALSE; + } + if (!hole && js_StrictlyEqual(cx, *vp, tosearch)) + return js_NewNumberInRootedValue(cx, i, vp); + if (i == stop) + goto not_found; + i += direction; + } + + not_found: + *vp = INT_TO_JSVAL(-1); + return JS_TRUE; +} + +static JSBool +array_indexOf(JSContext *cx, uintN argc, jsval *vp) +{ + return array_indexOfHelper(cx, JS_FALSE, argc, vp); +} + +static JSBool +array_lastIndexOf(JSContext *cx, uintN argc, jsval *vp) +{ + return array_indexOfHelper(cx, JS_TRUE, argc, vp); +} + +/* Order is important; extras that take a predicate funarg must follow MAP. */ +typedef enum ArrayExtraMode { + FOREACH, + REDUCE, + REDUCE_RIGHT, + MAP, + FILTER, + SOME, + EVERY +} ArrayExtraMode; + +#define REDUCE_MODE(mode) ((mode) == REDUCE || (mode) == REDUCE_RIGHT) + +static JSBool +array_extra(JSContext *cx, ArrayExtraMode mode, uintN argc, jsval *vp) +{ + JSObject *obj; + jsuint length, newlen; + jsval *argv, *elemroot, *invokevp, *sp; + JSBool ok, cond, hole; + JSObject *callable, *thisp, *newarr; + jsint start, end, step, i; + void *mark; + + obj = JS_THIS_OBJECT(cx, vp); + if (!obj || !js_GetLengthProperty(cx, obj, &length)) + return JS_FALSE; + + /* + * First, get or compute our callee, so that we error out consistently + * when passed a non-callable object. + */ + if (argc == 0) { + js_ReportMissingArg(cx, vp, 0); + return JS_FALSE; + } + argv = vp + 2; + callable = js_ValueToCallableObject(cx, &argv[0], JSV2F_SEARCH_STACK); + if (!callable) + return JS_FALSE; + + /* + * Set our initial return condition, used for zero-length array cases + * (and pre-size our map return to match our known length, for all cases). + */ +#ifdef __GNUC__ /* quell GCC overwarning */ + newlen = 0; + newarr = NULL; +#endif + start = 0, end = length, step = 1; + + switch (mode) { + case REDUCE_RIGHT: + start = length - 1, end = -1, step = -1; + /* FALL THROUGH */ + case REDUCE: + if (length == 0 && argc == 1) { + JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, + JSMSG_EMPTY_ARRAY_REDUCE); + return JS_FALSE; + } + if (argc >= 2) { + *vp = argv[1]; + } else { + do { + if (!GetArrayElement(cx, obj, start, &hole, vp)) + return JS_FALSE; + start += step; + } while (hole && start != end); + + if (hole && start == end) { + JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, + JSMSG_EMPTY_ARRAY_REDUCE); + return JS_FALSE; + } + } + break; + case MAP: + case FILTER: + newlen = (mode == MAP) ? length : 0; + newarr = js_NewArrayObject(cx, newlen, NULL); + if (!newarr) + return JS_FALSE; + *vp = OBJECT_TO_JSVAL(newarr); + break; + case SOME: + *vp = JSVAL_FALSE; + break; + case EVERY: + *vp = JSVAL_TRUE; + break; + case FOREACH: + *vp = JSVAL_VOID; + break; + } + + if (length == 0) + return JS_TRUE; + + if (argc > 1 && !REDUCE_MODE(mode)) { + if (!js_ValueToObject(cx, argv[1], &thisp)) + return JS_FALSE; + argv[1] = OBJECT_TO_JSVAL(thisp); + } else { + thisp = NULL; + } + + /* + * For all but REDUCE, we call with 3 args (value, index, array). REDUCE + * requires 4 args (accum, value, index, array). + */ + argc = 3 + REDUCE_MODE(mode); + elemroot = js_AllocStack(cx, 1 + 2 + argc, &mark); + if (!elemroot) + return JS_FALSE; + + MUST_FLOW_THROUGH("out"); + ok = JS_TRUE; + invokevp = elemroot + 1; + + for (i = start; i != end; i += step) { + ok = JS_CHECK_OPERATION_LIMIT(cx, JSOW_JUMP) && + GetArrayElement(cx, obj, i, &hole, elemroot); + if (!ok) + goto out; + if (hole) + continue; + + /* + * Push callable and 'this', then args. We must do this for every + * iteration around the loop since js_Invoke uses spbase[0] for return + * value storage, while some native functions use spbase[1] for local + * rooting. + */ + sp = invokevp; + *sp++ = OBJECT_TO_JSVAL(callable); + *sp++ = OBJECT_TO_JSVAL(thisp); + if (REDUCE_MODE(mode)) + *sp++ = *vp; + *sp++ = *elemroot; + *sp++ = INT_TO_JSVAL(i); + *sp++ = OBJECT_TO_JSVAL(obj); + + /* Do the call. */ + ok = js_Invoke(cx, argc, invokevp, 0); + if (!ok) + break; + + if (mode > MAP) + cond = js_ValueToBoolean(*invokevp); +#ifdef __GNUC__ /* quell GCC overwarning */ + else + cond = JS_FALSE; +#endif + + switch (mode) { + case FOREACH: + break; + case REDUCE: + case REDUCE_RIGHT: + *vp = *invokevp; + break; + case MAP: + ok = SetArrayElement(cx, newarr, i, *invokevp); + if (!ok) + goto out; + break; + case FILTER: + if (!cond) + break; + /* The filter passed *elemroot, so push it onto our result. */ + ok = SetArrayElement(cx, newarr, newlen++, *elemroot); + if (!ok) + goto out; + break; + case SOME: + if (cond) { + *vp = JSVAL_TRUE; + goto out; + } + break; + case EVERY: + if (!cond) { + *vp = JSVAL_FALSE; + goto out; + } + break; + } + } + + out: + js_FreeStack(cx, mark); + if (ok && mode == FILTER) + ok = js_SetLengthProperty(cx, newarr, newlen); + return ok; +} + +static JSBool +array_forEach(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, FOREACH, argc, vp); +} + +static JSBool +array_map(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, MAP, argc, vp); +} + +static JSBool +array_reduce(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, REDUCE, argc, vp); +} + +static JSBool +array_reduceRight(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, REDUCE_RIGHT, argc, vp); +} + +static JSBool +array_filter(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, FILTER, argc, vp); +} + +static JSBool +array_some(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, SOME, argc, vp); +} + +static JSBool +array_every(JSContext *cx, uintN argc, jsval *vp) +{ + return array_extra(cx, EVERY, argc, vp); +} +#endif + +static JSPropertySpec array_props[] = { + {js_length_str, -1, JSPROP_SHARED | JSPROP_PERMANENT, + array_length_getter, array_length_setter}, + {0,0,0,0,0} +}; + +JS_DEFINE_TRCINFO_1(array_toString, + (2, (static, STRING_FAIL, Array_p_toString, CONTEXT, THIS, 0, 0))) +JS_DEFINE_TRCINFO_1(array_join, + (3, (static, STRING_FAIL, Array_p_join, CONTEXT, THIS, STRING, 0, 0))) +JS_DEFINE_TRCINFO_1(array_push, + (3, (static, JSVAL_FAIL, Array_p_push1, CONTEXT, THIS, JSVAL, 0, 0))) +JS_DEFINE_TRCINFO_1(array_pop, + (2, (static, JSVAL_FAIL, Array_p_pop, CONTEXT, THIS, 0, 0))) + +static JSFunctionSpec array_methods[] = { +#if JS_HAS_TOSOURCE + JS_FN(js_toSource_str, array_toSource, 0,0), +#endif + JS_TN(js_toString_str, array_toString, 0,0, array_toString_trcinfo), + JS_FN(js_toLocaleString_str,array_toLocaleString,0,0), + + /* Perl-ish methods. */ + JS_TN("join", array_join, 1,JSFUN_GENERIC_NATIVE, array_join_trcinfo), + JS_FN("reverse", array_reverse, 0,JSFUN_GENERIC_NATIVE), + JS_FN("sort", array_sort, 1,JSFUN_GENERIC_NATIVE), + JS_TN("push", array_push, 1,JSFUN_GENERIC_NATIVE, array_push_trcinfo), + JS_TN("pop", array_pop, 0,JSFUN_GENERIC_NATIVE, array_pop_trcinfo), + JS_FN("shift", array_shift, 0,JSFUN_GENERIC_NATIVE), + JS_FN("unshift", array_unshift, 1,JSFUN_GENERIC_NATIVE), + JS_FN("splice", array_splice, 2,JSFUN_GENERIC_NATIVE), + + /* Pythonic sequence methods. */ + JS_FN("concat", array_concat, 1,JSFUN_GENERIC_NATIVE), + JS_FN("slice", array_slice, 2,JSFUN_GENERIC_NATIVE), + +#if JS_HAS_ARRAY_EXTRAS + JS_FN("indexOf", array_indexOf, 1,JSFUN_GENERIC_NATIVE), + JS_FN("lastIndexOf", array_lastIndexOf, 1,JSFUN_GENERIC_NATIVE), + JS_FN("forEach", array_forEach, 1,JSFUN_GENERIC_NATIVE), + JS_FN("map", array_map, 1,JSFUN_GENERIC_NATIVE), + JS_FN("reduce", array_reduce, 1,JSFUN_GENERIC_NATIVE), + JS_FN("reduceRight", array_reduceRight, 1,JSFUN_GENERIC_NATIVE), + JS_FN("filter", array_filter, 1,JSFUN_GENERIC_NATIVE), + JS_FN("some", array_some, 1,JSFUN_GENERIC_NATIVE), + JS_FN("every", array_every, 1,JSFUN_GENERIC_NATIVE), +#endif + + JS_FS_END +}; + +JSBool +js_Array(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) +{ + jsuint length; + jsval *vector; + + /* If called without new, replace obj with a new Array object. */ + if (!(cx->fp->flags & JSFRAME_CONSTRUCTING)) { + obj = js_NewObject(cx, &js_ArrayClass, NULL, NULL, 0); + if (!obj) + return JS_FALSE; + *rval = OBJECT_TO_JSVAL(obj); + } + + if (argc == 0) { + length = 0; + vector = NULL; + } else if (argc > 1) { + length = (jsuint) argc; + vector = argv; + } else if (!JSVAL_IS_NUMBER(argv[0])) { + length = 1; + vector = argv; + } else { + length = ValueIsLength(cx, &argv[0]); + if (JSVAL_IS_NULL(argv[0])) + return JS_FALSE; + vector = NULL; + } + return InitArrayObject(cx, obj, length, vector); +} + +JS_STATIC_ASSERT(JSSLOT_PRIVATE == JSSLOT_ARRAY_LENGTH); +JS_STATIC_ASSERT(JSSLOT_ARRAY_LENGTH + 1 == JSSLOT_ARRAY_COUNT); + +#ifdef JS_TRACER + +JSObject* FASTCALL +js_FastNewArray(JSContext* cx, JSObject* proto) +{ + JS_ASSERT(OBJ_IS_ARRAY(cx, proto)); + + JS_ASSERT(JS_ON_TRACE(cx)); + JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject)); + if (!obj) + return NULL; + + JSClass* clasp = &js_ArrayClass; + obj->classword = jsuword(clasp); + + obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto); + obj->fslots[JSSLOT_PARENT] = proto->fslots[JSSLOT_PARENT]; + + obj->fslots[JSSLOT_ARRAY_LENGTH] = 0; + obj->fslots[JSSLOT_ARRAY_COUNT] = 0; + for (unsigned i = JSSLOT_ARRAY_COUNT + 1; i != JS_INITIAL_NSLOTS; ++i) + obj->fslots[i] = JSVAL_VOID; + + JSObjectOps* ops = clasp->getObjectOps(cx, clasp); + obj->map = ops->newObjectMap(cx, 1, ops, clasp, obj); + if (!obj->map) + return NULL; + obj->dslots = NULL; + return obj; +} + +JSObject* FASTCALL +js_Array_1int(JSContext* cx, JSObject* proto, int32 i) +{ + JS_ASSERT(JS_ON_TRACE(cx)); + JSObject* obj = js_FastNewArray(cx, proto); + if (obj) + obj->fslots[JSSLOT_ARRAY_LENGTH] = i; + return obj; +} + +#define ARRAY_CTOR_GUTS(exact_len, newslots_code) \ + JS_ASSERT(JS_ON_TRACE(cx)); \ + JSObject* obj = js_FastNewArray(cx, proto); \ + if (obj) { \ + const uint32 len = ARRAY_GROWBY; \ + jsval* newslots = (jsval*) JS_malloc(cx, sizeof (jsval) * (len + 1)); \ + if (newslots) { \ + obj->dslots = newslots + 1; \ + ARRAY_SET_DENSE_LENGTH(obj, len); \ + {newslots_code} \ + while (++newslots < obj->dslots + len) \ + *newslots = JSVAL_HOLE; \ + obj->fslots[JSSLOT_ARRAY_LENGTH] = (exact_len); \ + return obj; \ + } \ + } \ + return NULL; + +JSObject* FASTCALL +js_Array_1str(JSContext* cx, JSObject* proto, JSString *str) +{ + ARRAY_CTOR_GUTS(1, *++newslots = STRING_TO_JSVAL(str);) +} + +JSObject* FASTCALL +js_Array_2obj(JSContext* cx, JSObject* proto, JSObject *obj1, JSObject* obj2) +{ + ARRAY_CTOR_GUTS(2, + *++newslots = OBJECT_TO_JSVAL(obj1); + *++newslots = OBJECT_TO_JSVAL(obj2);) +} + +JSObject* FASTCALL +js_Array_3num(JSContext* cx, JSObject* proto, jsdouble n1, jsdouble n2, jsdouble n3) +{ + ARRAY_CTOR_GUTS(3, + if (!js_NewDoubleInRootedValue(cx, n1, ++newslots)) + return NULL; + if (!js_NewDoubleInRootedValue(cx, n2, ++newslots)) + return NULL; + if (!js_NewDoubleInRootedValue(cx, n3, ++newslots)) + return NULL;) +} + +#endif /* JS_TRACER */ + +JSObject * +js_InitArrayClass(JSContext *cx, JSObject *obj) +{ + JSObject *proto; + + /* Initialize the ops structure used by slow arrays */ + memcpy(&js_SlowArrayObjectOps, &js_ObjectOps, sizeof(JSObjectOps)); + js_SlowArrayObjectOps.trace = slowarray_trace; + js_SlowArrayObjectOps.enumerate = slowarray_enumerate; + js_SlowArrayObjectOps.call = NULL; + + proto = JS_InitClass(cx, obj, NULL, &js_ArrayClass, js_Array, 1, + array_props, array_methods, NULL, NULL); + + /* Initialize the Array prototype object so it gets a length property. */ + if (!proto || !InitArrayObject(cx, proto, 0, NULL)) + return NULL; + return proto; +} + +JSObject * +js_NewArrayObject(JSContext *cx, jsuint length, jsval *vector, JSBool holey) +{ + JSTempValueRooter tvr; + JSObject *obj; + + obj = js_NewObject(cx, &js_ArrayClass, NULL, NULL, 0); + if (!obj) + return NULL; + + JS_PUSH_TEMP_ROOT_OBJECT(cx, obj, &tvr); + if (!InitArrayObject(cx, obj, length, vector, holey)) + obj = NULL; + JS_POP_TEMP_ROOT(cx, &tvr); + + /* Set/clear newborn root, in case we lost it. */ + cx->weakRoots.newborn[GCX_OBJECT] = obj; + return obj; +} + +JSObject * +js_NewSlowArrayObject(JSContext *cx) +{ + JSObject *obj = js_NewObject(cx, &js_SlowArrayClass, NULL, NULL, 0); + if (obj) + obj->fslots[JSSLOT_ARRAY_LENGTH] = 0; + return obj; +} + +#ifdef DEBUG_ARRAYS +JSBool +js_ArrayInfo(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) +{ + uintN i; + JSObject *array; + + for (i = 0; i < argc; i++) { + char *bytes; + + bytes = js_DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, argv[i], + NULL); + if (!bytes) + return JS_FALSE; + if (JSVAL_IS_PRIMITIVE(argv[i]) || + !OBJ_IS_ARRAY(cx, (array = JSVAL_TO_OBJECT(argv[i])))) { + fprintf(stderr, "%s: not array\n", bytes); + JS_free(cx, bytes); + continue; + } + fprintf(stderr, "%s: %s (len %lu", bytes, + OBJ_IS_DENSE_ARRAY(cx, array) ? "dense" : "sparse", + array->fslots[JSSLOT_ARRAY_LENGTH]); + if (OBJ_IS_DENSE_ARRAY(cx, array)) { + fprintf(stderr, ", count %lu, denselen %lu", + array->fslots[JSSLOT_ARRAY_COUNT], + ARRAY_DENSE_LENGTH(array)); + } + fputs(")\n", stderr); + JS_free(cx, bytes); + } + return JS_TRUE; +} +#endif + +JS_FRIEND_API(JSBool) +js_ArrayToJSUint8Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSUint8 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + jsint vi; + + JSUint8 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0) + return JS_FALSE; + + *dp++ = (JSUint8) vi; + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSUint16Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSUint16 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + jsint vi; + + JSUint16 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0) + return JS_FALSE; + + *dp++ = (JSUint16) vi; + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSUint32Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSUint32 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + jsint vi; + + JSUint32 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0) + return JS_FALSE; + + *dp++ = (JSUint32) vi; + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSInt8Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSInt8 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + JSInt8 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v)) + return JS_FALSE; + + *dp++ = (JSInt8) JSVAL_TO_INT(v); + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSInt16Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSInt16 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + JSInt16 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v)) + return JS_FALSE; + + *dp++ = (JSInt16) JSVAL_TO_INT(v); + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSInt32Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + JSInt32 *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + JSInt32 *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (!JSVAL_IS_INT(v)) + return JS_FALSE; + + *dp++ = (JSInt32) JSVAL_TO_INT(v); + } + + return JS_TRUE; +} + +JS_FRIEND_API(JSBool) +js_ArrayToJSDoubleBuffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count, + jsdouble *dest) +{ + uint32 length; + + if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj)) + return JS_FALSE; + + length = obj->fslots[JSSLOT_ARRAY_LENGTH]; + if (length < offset + count) + return JS_FALSE; + + jsval v; + jsdouble *dp = dest; + for (uintN i = offset; i < offset+count; i++) { + v = obj->dslots[i]; + if (JSVAL_IS_INT(v)) + *dp++ = (jsdouble) JSVAL_TO_INT(v); + else if (JSVAL_IS_DOUBLE(v)) + *dp++ = *(JSVAL_TO_DOUBLE(v)); + else + return JS_FALSE; + } + + return JS_TRUE; +} + +JS_DEFINE_CALLINFO_4(extern, BOOL, js_Array_dense_setelem, CONTEXT, OBJECT, INT32, JSVAL, 0, 0) +JS_DEFINE_CALLINFO_2(extern, OBJECT, js_FastNewArray, CONTEXT, OBJECT, 0, 0) +JS_DEFINE_CALLINFO_3(extern, OBJECT, js_Array_1int, CONTEXT, OBJECT, INT32, 0, 0) +JS_DEFINE_CALLINFO_3(extern, OBJECT, js_Array_1str, CONTEXT, OBJECT, STRING, 0, 0) +JS_DEFINE_CALLINFO_4(extern, OBJECT, js_Array_2obj, CONTEXT, OBJECT, OBJECT, OBJECT, 0, 0) +JS_DEFINE_CALLINFO_5(extern, OBJECT, js_Array_3num, CONTEXT, OBJECT, DOUBLE, DOUBLE, DOUBLE, 0, 0) |