The Tor Browser: js/src/jsobj.cpp@129ffea94266 (annotated)

js/src/jsobj.cpp@129ffea94266 (annotated)

js/src/jsobj.cpp

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * JS object implementation.
  */
 #include "jsobjinlines.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/MathAlgorithms.h"
 #include "mozilla/MemoryReporting.h"
 #include "mozilla/TemplateLib.h"
 #include <string.h>
 #include "jsapi.h"
 #include "jsarray.h"
 #include "jsatom.h"
 #include "jscntxt.h"
 #include "jsfriendapi.h"
 #include "jsfun.h"
 #include "jsgc.h"
 #include "jsiter.h"
 #include "jsnum.h"
 #include "jsopcode.h"
 #include "jsprf.h"
 #include "jsproxy.h"
 #include "jsscript.h"
 #include "jsstr.h"
 #include "jstypes.h"
 #include "jsutil.h"
 #include "jswatchpoint.h"
 #include "jswrapper.h"
 #include "builtin/Object.h"
 #include "frontend/BytecodeCompiler.h"
 #include "gc/Marking.h"
 #include "jit/AsmJSModule.h"
 #include "jit/BaselineJIT.h"
 #include "js/MemoryMetrics.h"
 #include "js/OldDebugAPI.h"
 #include "vm/ArgumentsObject.h"
 #include "vm/Interpreter.h"
 #include "vm/ProxyObject.h"
 #include "vm/RegExpStaticsObject.h"
 #include "vm/Shape.h"
 #include "jsatominlines.h"
 #include "jsboolinlines.h"
 #include "jscntxtinlines.h"
 #include "jscompartmentinlines.h"
 #include "vm/ArrayObject-inl.h"
 #include "vm/BooleanObject-inl.h"
 #include "vm/NumberObject-inl.h"
 #include "vm/ObjectImpl-inl.h"
 #include "vm/Runtime-inl.h"
 #include "vm/Shape-inl.h"
 #include "vm/StringObject-inl.h"
 using namespace js;
 using namespace js::gc;
 using namespace js::types;
 using mozilla::Maybe;
 using mozilla::RoundUpPow2;
 JS_STATIC_ASSERT(int32_t((JSObject::NELEMENTS_LIMIT - 1) * sizeof(Value)) == int64_t((JSObject::NELEMENTS_LIMIT - 1) * sizeof(Value)));
 const Class JSObject::class_ = {
     js_Object_str,
     JSCLASS_HAS_CACHED_PROTO(JSProto_Object),
     JS_PropertyStub,         /* addProperty */
     JS_DeletePropertyStub,   /* delProperty */
     JS_PropertyStub,         /* getProperty */
     JS_StrictPropertyStub,   /* setProperty */
     JS_EnumerateStub,
     JS_ResolveStub,
     JS_ConvertStub
 };
 const Class* const js::ObjectClassPtr = &JSObject::class_;
 JS_FRIEND_API(JSObject *)
 JS_ObjectToInnerObject(JSContext *cx, HandleObject obj)
 {
     if (!obj) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_INACTIVE);
         return nullptr;
     }
     return GetInnerObject(cx, obj);
 }
 JS_FRIEND_API(JSObject *)
 JS_ObjectToOuterObject(JSContext *cx, HandleObject obj)
 {
     assertSameCompartment(cx, obj);
     return GetOuterObject(cx, obj);
 }
 JSObject *
 js::NonNullObject(JSContext *cx, const Value &v)
 {
     if (v.isPrimitive()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_NOT_NONNULL_OBJECT);
         return nullptr;
     }
     return &v.toObject();
 }
 const char *
 js::InformalValueTypeName(const Value &v)
 {
     if (v.isObject())
         return v.toObject().getClass()->name;
     if (v.isString())
         return "string";
     if (v.isNumber())
         return "number";
     if (v.isBoolean())
         return "boolean";
     if (v.isNull())
         return "null";
     if (v.isUndefined())
         return "undefined";
     return "value";
 }
 bool
 js::NewPropertyDescriptorObject(JSContext *cx, Handle<PropertyDescriptor> desc,
                                 MutableHandleValue vp)
 {
     if (!desc.object()) {
         vp.setUndefined();
         return true;
     }
     /* We have our own property, so start creating the descriptor. */
     AutoPropDescRooter d(cx);
     d.initFromPropertyDescriptor(desc);
     if (!d.makeObject(cx))
         return false;
     vp.set(d.pd());
     return true;
 }
 void
 PropDesc::initFromPropertyDescriptor(Handle<PropertyDescriptor> desc)
 {
     isUndefined_ = false;
     pd_.setUndefined();
     attrs = uint8_t(desc.attributes());
     JS_ASSERT_IF(attrs & JSPROP_READONLY, !(attrs & (JSPROP_GETTER | JSPROP_SETTER)));
     if (desc.hasGetterOrSetterObject()) {
         hasGet_ = true;
         get_ = desc.hasGetterObject() && desc.getterObject()
                ? ObjectValue(*desc.getterObject())
                : UndefinedValue();
         hasSet_ = true;
         set_ = desc.hasSetterObject() && desc.setterObject()
                ? ObjectValue(*desc.setterObject())
                : UndefinedValue();
         hasValue_ = false;
         value_.setUndefined();
         hasWritable_ = false;
     } else {
         hasGet_ = false;
         get_.setUndefined();
         hasSet_ = false;
         set_.setUndefined();
         hasValue_ = true;
         value_ = desc.value();
         hasWritable_ = true;
     }
     hasEnumerable_ = true;
     hasConfigurable_ = true;
 }
 bool
 PropDesc::makeObject(JSContext *cx)
 {
     MOZ_ASSERT(!isUndefined());
     RootedObject obj(cx, NewBuiltinClassInstance(cx, &JSObject::class_));
     if (!obj)
         return false;
     const JSAtomState &names = cx->names();
     RootedValue configurableVal(cx, BooleanValue((attrs & JSPROP_PERMANENT) == 0));
     RootedValue enumerableVal(cx, BooleanValue((attrs & JSPROP_ENUMERATE) != 0));
     RootedValue writableVal(cx, BooleanValue((attrs & JSPROP_READONLY) == 0));
     if ((hasConfigurable() &&
          !JSObject::defineProperty(cx, obj, names.configurable, configurableVal)) ||
         (hasEnumerable() &&
          !JSObject::defineProperty(cx, obj, names.enumerable, enumerableVal)) ||
         (hasGet() &&
          !JSObject::defineProperty(cx, obj, names.get, getterValue())) ||
         (hasSet() &&
          !JSObject::defineProperty(cx, obj, names.set, setterValue())) ||
         (hasValue() &&
          !JSObject::defineProperty(cx, obj, names.value, value())) ||
         (hasWritable() &&
          !JSObject::defineProperty(cx, obj, names.writable, writableVal)))
     {
         return false;
     }
     pd_.setObject(*obj);
     return true;
 }
 bool
 js::GetOwnPropertyDescriptor(JSContext *cx, HandleObject obj, HandleId id,
                              MutableHandle<PropertyDescriptor> desc)
 {
     // FIXME: Call TrapGetOwnProperty directly once ScriptedIndirectProxies is removed
     if (obj->is<ProxyObject>())
         return Proxy::getOwnPropertyDescriptor(cx, obj, id, desc);
     RootedObject pobj(cx);
     RootedShape shape(cx);
     if (!HasOwnProperty<CanGC>(cx, obj->getOps()->lookupGeneric, obj, id, &pobj, &shape))
         return false;
     if (!shape) {
         desc.object().set(nullptr);
         return true;
     }
     bool doGet = true;
     if (pobj->isNative()) {
         desc.setAttributes(GetShapeAttributes(pobj, shape));
         if (desc.hasGetterOrSetterObject()) {
             MOZ_ASSERT(desc.isShared());
             doGet = false;
             if (desc.hasGetterObject())
                 desc.setGetterObject(shape->getterObject());
             if (desc.hasSetterObject())
                 desc.setSetterObject(shape->setterObject());
         } else {
             // This is either a straight-up data property or (rarely) a
             // property with a JSPropertyOp getter/setter. The latter must be
             // reported to the caller as a plain data property, so don't
             // populate desc.getter/setter, and mask away the SHARED bit.
             desc.attributesRef() &= ~JSPROP_SHARED;
         }
     } else {
         if (!JSObject::getGenericAttributes(cx, pobj, id, &desc.attributesRef()))
             return false;
     }
     RootedValue value(cx);
     if (doGet && !JSObject::getGeneric(cx, obj, obj, id, &value))
         return false;
     desc.value().set(value);
     desc.object().set(obj);
     return true;
 }
 bool
 js::GetOwnPropertyDescriptor(JSContext *cx, HandleObject obj, HandleId id, MutableHandleValue vp)
 {
     Rooted<PropertyDescriptor> desc(cx);
     return GetOwnPropertyDescriptor(cx, obj, id, &desc) &&
            NewPropertyDescriptorObject(cx, desc, vp);
 }
 bool
 js::GetFirstArgumentAsObject(JSContext *cx, const CallArgs &args, const char *method,
                              MutableHandleObject objp)
 {
     if (args.length() == 0) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_MORE_ARGS_NEEDED,
                              method, "0", "s");
         return false;
     }
     HandleValue v = args[0];
     if (!v.isObject()) {
         char *bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, v, NullPtr());
         if (!bytes)
             return false;
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_UNEXPECTED_TYPE,
                              bytes, "not an object");
         js_free(bytes);
         return false;
     }
     objp.set(&v.toObject());
     return true;
 }
 static bool
 HasProperty(JSContext *cx, HandleObject obj, HandleId id, MutableHandleValue vp, bool *foundp)
 {
     if (!JSObject::hasProperty(cx, obj, id, foundp))
         return false;
     if (!*foundp) {
         vp.setUndefined();
         return true;
     }
     /*
      * We must go through the method read barrier in case id is 'get' or 'set'.
      * There is no obvious way to defer cloning a joined function object whose
      * identity will be used by DefinePropertyOnObject, e.g., or reflected via
      * js::GetOwnPropertyDescriptor, as the getter or setter callable object.
      */
     return !!JSObject::getGeneric(cx, obj, obj, id, vp);
 }
 bool
 PropDesc::initialize(JSContext *cx, const Value &origval, bool checkAccessors)
 {
     RootedValue v(cx, origval);
     /* 8.10.5 step 1 */
     if (v.isPrimitive()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_NOT_NONNULL_OBJECT);
         return false;
     }
     RootedObject desc(cx, &v.toObject());
     /* Make a copy of the descriptor. We might need it later. */
     pd_ = v;
     isUndefined_ = false;
     /*
      * Start with the proper defaults.  XXX shouldn't be necessary when we get
      * rid of PropDesc::attributes()
      */
     attrs = JSPROP_PERMANENT | JSPROP_READONLY;
     bool found = false;
     RootedId id(cx);
     /* 8.10.5 step 3 */
     id = NameToId(cx->names().enumerable);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasEnumerable_ = true;
         if (ToBoolean(v))
             attrs |= JSPROP_ENUMERATE;
     }
     /* 8.10.5 step 4 */
     id = NameToId(cx->names().configurable);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasConfigurable_ = true;
         if (ToBoolean(v))
             attrs &= ~JSPROP_PERMANENT;
     }
     /* 8.10.5 step 5 */
     id = NameToId(cx->names().value);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasValue_ = true;
         value_ = v;
     }
     /* 8.10.6 step 6 */
     id = NameToId(cx->names().writable);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasWritable_ = true;
         if (ToBoolean(v))
             attrs &= ~JSPROP_READONLY;
     }
     /* 8.10.7 step 7 */
     id = NameToId(cx->names().get);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasGet_ = true;
         get_ = v;
         attrs |= JSPROP_GETTER | JSPROP_SHARED;
         attrs &= ~JSPROP_READONLY;
         if (checkAccessors && !checkGetter(cx))
             return false;
     }
     /* 8.10.7 step 8 */
     id = NameToId(cx->names().set);
     if (!HasProperty(cx, desc, id, &v, &found))
         return false;
     if (found) {
         hasSet_ = true;
         set_ = v;
         attrs |= JSPROP_SETTER | JSPROP_SHARED;
         attrs &= ~JSPROP_READONLY;
         if (checkAccessors && !checkSetter(cx))
             return false;
     }
     /* 8.10.7 step 9 */
     if ((hasGet() || hasSet()) && (hasValue() || hasWritable())) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_INVALID_DESCRIPTOR);
         return false;
     }
     JS_ASSERT_IF(attrs & JSPROP_READONLY, !(attrs & (JSPROP_GETTER | JSPROP_SETTER)));
     return true;
 }
 void
 PropDesc::complete()
 {
     if (isGenericDescriptor() || isDataDescriptor()) {
         if (!hasValue_) {
             hasValue_ = true;
             value_.setUndefined();
         }
         if (!hasWritable_) {
             hasWritable_ = true;
             attrs |= JSPROP_READONLY;
         }
     } else {
         if (!hasGet_) {
             hasGet_ = true;
             get_.setUndefined();
         }
         if (!hasSet_) {
             hasSet_ = true;
             set_.setUndefined();
         }
     }
     if (!hasEnumerable_) {
         hasEnumerable_ = true;
         attrs &= ~JSPROP_ENUMERATE;
     }
     if (!hasConfigurable_) {
         hasConfigurable_ = true;
         attrs |= JSPROP_PERMANENT;
     }
 }
 bool
 js::Throw(JSContext *cx, jsid id, unsigned errorNumber)
 {
     JS_ASSERT(js_ErrorFormatString[errorNumber].argCount == 1);
     JSString *idstr = IdToString(cx, id);
     if (!idstr)
        return false;
     JSAutoByteString bytes(cx, idstr);
     if (!bytes)
         return false;
     JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, errorNumber, bytes.ptr());
     return false;
 }
 bool
 js::Throw(JSContext *cx, JSObject *obj, unsigned errorNumber)
 {
     if (js_ErrorFormatString[errorNumber].argCount == 1) {
         RootedValue val(cx, ObjectValue(*obj));
         js_ReportValueErrorFlags(cx, JSREPORT_ERROR, errorNumber,
                                  JSDVG_IGNORE_STACK, val, NullPtr(),
                                  nullptr, nullptr);
     } else {
         JS_ASSERT(js_ErrorFormatString[errorNumber].argCount == 0);
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, errorNumber);
     }
     return false;
 }
 static bool
 Reject(JSContext *cx, unsigned errorNumber, bool throwError, jsid id, bool *rval)
 {
     if (throwError)
         return Throw(cx, id, errorNumber);
     *rval = false;
     return true;
 }
 static bool
 Reject(JSContext *cx, JSObject *obj, unsigned errorNumber, bool throwError, bool *rval)
 {
     if (throwError)
         return Throw(cx, obj, errorNumber);
     *rval = false;
     return true;
 }
 static bool
 Reject(JSContext *cx, HandleId id, unsigned errorNumber, bool throwError, bool *rval)
 {
     if (throwError)
         return Throw(cx, id, errorNumber);
     *rval = false;
     return true;
 }
 // See comments on CheckDefineProperty in jsobj.h.
 //
 // DefinePropertyOnObject has its own implementation of these checks.
 //
 JS_FRIEND_API(bool)
 js::CheckDefineProperty(JSContext *cx, HandleObject obj, HandleId id, HandleValue value,
                         PropertyOp getter, StrictPropertyOp setter, unsigned attrs)
 {
     if (!obj->isNative())
         return true;
     // ES5 8.12.9 Step 1. Even though we know obj is native, we use generic
     // APIs for shorter, more readable code.
     Rooted<PropertyDescriptor> desc(cx);
     if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
         return false;
     // This does not have to check obj's extensibility when !desc.obj (steps
     // 2-3) because the low-level methods JSObject::{add,put}Property check
     // for that.
     if (desc.object() && desc.isPermanent()) {
         // Steps 6-11, skipping step 10.a.ii. Prohibit redefining a permanent
         // property with different metadata, except to make a writable property
         // non-writable.
         if (getter != desc.getter() ||
             setter != desc.setter() ||
             (attrs != desc.attributes() && attrs != (desc.attributes() | JSPROP_READONLY)))
         {
             return Throw(cx, id, JSMSG_CANT_REDEFINE_PROP);
         }
         // Step 10.a.ii. Prohibit changing the value of a non-configurable,
         // non-writable data property.
         if ((desc.attributes() & (JSPROP_GETTER | JSPROP_SETTER | JSPROP_READONLY)) == JSPROP_READONLY) {
             bool same;
             if (!SameValue(cx, value, desc.value(), &same))
                 return false;
             if (!same)
                 return JSObject::reportReadOnly(cx, id);
         }
     }
     return true;
 }
 static bool
 DefinePropertyOnObject(JSContext *cx, HandleObject obj, HandleId id, const PropDesc &desc,
                        bool throwError, bool *rval)
 {
     /* 8.12.9 step 1. */
     RootedShape shape(cx);
     RootedObject obj2(cx);
     JS_ASSERT(!obj->getOps()->lookupGeneric);
     if (!HasOwnProperty<CanGC>(cx, nullptr, obj, id, &obj2, &shape))
         return false;
     JS_ASSERT(!obj->getOps()->defineProperty);
     /* 8.12.9 steps 2-4. */
     if (!shape) {
         bool extensible;
         if (!JSObject::isExtensible(cx, obj, &extensible))
             return false;
         if (!extensible)
             return Reject(cx, obj, JSMSG_OBJECT_NOT_EXTENSIBLE, throwError, rval);
         *rval = true;
         if (desc.isGenericDescriptor() || desc.isDataDescriptor()) {
             JS_ASSERT(!obj->getOps()->defineProperty);
             RootedValue v(cx, desc.hasValue() ? desc.value() : UndefinedValue());
             return baseops::DefineGeneric(cx, obj, id, v,
                                           JS_PropertyStub, JS_StrictPropertyStub,
                                           desc.attributes());
         }
         JS_ASSERT(desc.isAccessorDescriptor());
         return baseops::DefineGeneric(cx, obj, id, UndefinedHandleValue,
                                       desc.getter(), desc.setter(), desc.attributes());
     }
     /* 8.12.9 steps 5-6 (note 5 is merely a special case of 6). */
     RootedValue v(cx);
     JS_ASSERT(obj == obj2);
     bool shapeDataDescriptor = true,
          shapeAccessorDescriptor = false,
          shapeWritable = true,
          shapeConfigurable = true,
          shapeEnumerable = true,
          shapeHasDefaultGetter = true,
          shapeHasDefaultSetter = true,
          shapeHasGetterValue = false,
          shapeHasSetterValue = false;
     uint8_t shapeAttributes = GetShapeAttributes(obj, shape);
     if (!IsImplicitDenseOrTypedArrayElement(shape)) {
         shapeDataDescriptor = shape->isDataDescriptor();
         shapeAccessorDescriptor = shape->isAccessorDescriptor();
         shapeWritable = shape->writable();
         shapeConfigurable = shape->configurable();
         shapeEnumerable = shape->enumerable();
         shapeHasDefaultGetter = shape->hasDefaultGetter();
         shapeHasDefaultSetter = shape->hasDefaultSetter();
         shapeHasGetterValue = shape->hasGetterValue();
         shapeHasSetterValue = shape->hasSetterValue();
         shapeAttributes = shape->attributes();
     }
     do {
         if (desc.isAccessorDescriptor()) {
             if (!shapeAccessorDescriptor)
                 break;
             if (desc.hasGet()) {
                 bool same;
                 if (!SameValue(cx, desc.getterValue(), shape->getterOrUndefined(), &same))
                     return false;
                 if (!same)
                     break;
             }
             if (desc.hasSet()) {
                 bool same;
                 if (!SameValue(cx, desc.setterValue(), shape->setterOrUndefined(), &same))
                     return false;
                 if (!same)
                     break;
             }
         } else {
             /*
              * Determine the current value of the property once, if the current
              * value might actually need to be used or preserved later.  NB: we
              * guard on whether the current property is a data descriptor to
              * avoid calling a getter; we won't need the value if it's not a
              * data descriptor.
              */
             if (IsImplicitDenseOrTypedArrayElement(shape)) {
                 v = obj->getDenseOrTypedArrayElement(JSID_TO_INT(id));
             } else if (shape->isDataDescriptor()) {
                 /*
                  * We must rule out a non-configurable js::PropertyOp-guarded
                  * property becoming a writable unguarded data property, since
                  * such a property can have its value changed to one the getter
                  * and setter preclude.
                  *
                  * A desc lacking writable but with value is a data descriptor
                  * and we must reject it as if it had writable: true if current
                  * is writable.
                  */
                 if (!shape->configurable() &&
                     (!shape->hasDefaultGetter() || !shape->hasDefaultSetter()) &&
                     desc.isDataDescriptor() &&
                     (desc.hasWritable() ? desc.writable() : shape->writable()))
                 {
                     return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
                 }
                 if (!NativeGet(cx, obj, obj2, shape, &v))
                     return false;
             }
             if (desc.isDataDescriptor()) {
                 if (!shapeDataDescriptor)
                     break;
                 bool same;
                 if (desc.hasValue()) {
                     if (!SameValue(cx, desc.value(), v, &same))
                         return false;
                     if (!same) {
                         /*
                          * Insist that a non-configurable js::PropertyOp data
                          * property is frozen at exactly the last-got value.
                          *
                          * Duplicate the first part of the big conjunction that
                          * we tested above, rather than add a local bool flag.
                          * Likewise, don't try to keep shape->writable() in a
                          * flag we veto from true to false for non-configurable
                          * PropertyOp-based data properties and test before the
                          * SameValue check later on in order to re-use that "if
                          * (!SameValue) Reject" logic.
                          *
                          * This function is large and complex enough that it
                          * seems best to repeat a small bit of code and return
                          * Reject(...) ASAP, instead of being clever.
                          */
                         if (!shapeConfigurable &&
                             (!shape->hasDefaultGetter() || !shape->hasDefaultSetter()))
                         {
                             return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
                         }
                         break;
                     }
                 }
                 if (desc.hasWritable() && desc.writable() != shapeWritable)
                     break;
             } else {
                 /* The only fields in desc will be handled below. */
                 JS_ASSERT(desc.isGenericDescriptor());
             }
         }
         if (desc.hasConfigurable() && desc.configurable() != shapeConfigurable)
             break;
         if (desc.hasEnumerable() && desc.enumerable() != shapeEnumerable)
             break;
         /* The conditions imposed by step 5 or step 6 apply. */
         *rval = true;
         return true;
     } while (0);
     /* 8.12.9 step 7. */
     if (!shapeConfigurable) {
         if ((desc.hasConfigurable() && desc.configurable()) ||
             (desc.hasEnumerable() && desc.enumerable() != shape->enumerable())) {
             return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
         }
     }
     bool callDelProperty = false;
     if (desc.isGenericDescriptor()) {
         /* 8.12.9 step 8, no validation required */
     } else if (desc.isDataDescriptor() != shapeDataDescriptor) {
         /* 8.12.9 step 9. */
         if (!shapeConfigurable)
             return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
     } else if (desc.isDataDescriptor()) {
         /* 8.12.9 step 10. */
         JS_ASSERT(shapeDataDescriptor);
         if (!shapeConfigurable && !shape->writable()) {
             if (desc.hasWritable() && desc.writable())
                 return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
             if (desc.hasValue()) {
                 bool same;
                 if (!SameValue(cx, desc.value(), v, &same))
                     return false;
                 if (!same)
                     return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
             }
         }
         callDelProperty = !shapeHasDefaultGetter || !shapeHasDefaultSetter;
     } else {
         /* 8.12.9 step 11. */
         JS_ASSERT(desc.isAccessorDescriptor() && shape->isAccessorDescriptor());
         if (!shape->configurable()) {
             if (desc.hasSet()) {
                 bool same;
                 if (!SameValue(cx, desc.setterValue(), shape->setterOrUndefined(), &same))
                     return false;
                 if (!same)
                     return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
             }
             if (desc.hasGet()) {
                 bool same;
                 if (!SameValue(cx, desc.getterValue(), shape->getterOrUndefined(), &same))
                     return false;
                 if (!same)
                     return Reject(cx, JSMSG_CANT_REDEFINE_PROP, throwError, id, rval);
             }
         }
     }
     /* 8.12.9 step 12. */
     unsigned attrs;
     PropertyOp getter;
     StrictPropertyOp setter;
     if (desc.isGenericDescriptor()) {
         unsigned changed = 0;
         if (desc.hasConfigurable())
             changed |= JSPROP_PERMANENT;
         if (desc.hasEnumerable())
             changed |= JSPROP_ENUMERATE;
         attrs = (shapeAttributes & ~changed) | (desc.attributes() & changed);
         getter = IsImplicitDenseOrTypedArrayElement(shape) ? JS_PropertyStub : shape->getter();
         setter = IsImplicitDenseOrTypedArrayElement(shape) ? JS_StrictPropertyStub : shape->setter();
     } else if (desc.isDataDescriptor()) {
         unsigned unchanged = 0;
         if (!desc.hasConfigurable())
             unchanged |= JSPROP_PERMANENT;
         if (!desc.hasEnumerable())
             unchanged |= JSPROP_ENUMERATE;
         /* Watch out for accessor -> data transformations here. */
         if (!desc.hasWritable() && shapeDataDescriptor)
             unchanged |= JSPROP_READONLY;
         if (desc.hasValue())
             v = desc.value();
         attrs = (desc.attributes() & ~unchanged) | (shapeAttributes & unchanged);
         getter = JS_PropertyStub;
         setter = JS_StrictPropertyStub;
     } else {
         JS_ASSERT(desc.isAccessorDescriptor());
         /* 8.12.9 step 12. */
         unsigned changed = 0;
         if (desc.hasConfigurable())
             changed |= JSPROP_PERMANENT;
         if (desc.hasEnumerable())
             changed |= JSPROP_ENUMERATE;
         if (desc.hasGet())
             changed |= JSPROP_GETTER | JSPROP_SHARED | JSPROP_READONLY;
         if (desc.hasSet())
             changed |= JSPROP_SETTER | JSPROP_SHARED | JSPROP_READONLY;
         attrs = (desc.attributes() & changed) | (shapeAttributes & ~changed);
         if (desc.hasGet()) {
             getter = desc.getter();
         } else {
             getter = (shapeHasDefaultGetter && !shapeHasGetterValue)
                      ? JS_PropertyStub
                      : shape->getter();
         }
         if (desc.hasSet()) {
             setter = desc.setter();
         } else {
             setter = (shapeHasDefaultSetter && !shapeHasSetterValue)
                      ? JS_StrictPropertyStub
                      : shape->setter();
         }
     }
     *rval = true;
     /*
      * Since "data" properties implemented using native C functions may rely on
      * side effects during setting, we must make them aware that they have been
      * "assigned"; deleting the property before redefining it does the trick.
      * See bug 539766, where we ran into problems when we redefined
      * arguments.length without making the property aware that its value had
      * been changed (which would have happened if we had deleted it before
      * redefining it or we had invoked its setter to change its value).
      */
     if (callDelProperty) {
         bool succeeded;
         if (!CallJSDeletePropertyOp(cx, obj2->getClass()->delProperty, obj2, id, &succeeded))
             return false;
     }
     return baseops::DefineGeneric(cx, obj, id, v, getter, setter, attrs);
 }
 /* ES6 20130308 draft 8.4.2.1 [[DefineOwnProperty]] */
 static bool
 DefinePropertyOnArray(JSContext *cx, Handle<ArrayObject*> arr, HandleId id, const PropDesc &desc,
                       bool throwError, bool *rval)
 {
     /* Step 2. */
     if (id == NameToId(cx->names().length)) {
         // Canonicalize value, if necessary, before proceeding any further.  It
         // would be better if this were always/only done by ArraySetLength.
         // But canonicalization may throw a RangeError (or other exception, if
         // the value is an object with user-defined conversion semantics)
         // before other attributes are checked.  So as long as our internal
         // defineProperty hook doesn't match the ECMA one, this duplicate
         // checking can't be helped.
         RootedValue v(cx);
         if (desc.hasValue()) {
             uint32_t newLen;
             if (!CanonicalizeArrayLengthValue<SequentialExecution>(cx, desc.value(), &newLen))
                 return false;
             v.setNumber(newLen);
         } else {
             v.setNumber(arr->length());
         }
         if (desc.hasConfigurable() && desc.configurable())
             return Reject(cx, id, JSMSG_CANT_REDEFINE_PROP, throwError, rval);
         if (desc.hasEnumerable() && desc.enumerable())
             return Reject(cx, id, JSMSG_CANT_REDEFINE_PROP, throwError, rval);
         if (desc.isAccessorDescriptor())
             return Reject(cx, id, JSMSG_CANT_REDEFINE_PROP, throwError, rval);
         unsigned attrs = arr->nativeLookup(cx, id)->attributes();
         if (!arr->lengthIsWritable()) {
             if (desc.hasWritable() && desc.writable())
                 return Reject(cx, id, JSMSG_CANT_REDEFINE_PROP, throwError, rval);
         } else {
             if (desc.hasWritable() && !desc.writable())
                 attrs = attrs | JSPROP_READONLY;
         }
         return ArraySetLength<SequentialExecution>(cx, arr, id, attrs, v, throwError);
     }
     /* Step 3. */
     uint32_t index;
     if (js_IdIsIndex(id, &index)) {
         /* Step 3b. */
         uint32_t oldLen = arr->length();
         /* Steps 3a, 3e. */
         if (index >= oldLen && !arr->lengthIsWritable())
             return Reject(cx, arr, JSMSG_CANT_APPEND_TO_ARRAY, throwError, rval);
         /* Steps 3f-j. */
         return DefinePropertyOnObject(cx, arr, id, desc, throwError, rval);
     }
     /* Step 4. */
     return DefinePropertyOnObject(cx, arr, id, desc, throwError, rval);
 }
 bool
 js::DefineProperty(JSContext *cx, HandleObject obj, HandleId id, const PropDesc &desc,
                    bool throwError, bool *rval)
 {
     if (obj->is<ArrayObject>()) {
         Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
         return DefinePropertyOnArray(cx, arr, id, desc, throwError, rval);
     }
     if (obj->getOps()->lookupGeneric) {
         /*
          * FIXME: Once ScriptedIndirectProxies are removed, this code should call
          * TrapDefineOwnProperty directly
          */
         if (obj->is<ProxyObject>()) {
             RootedValue pd(cx, desc.pd());
             return Proxy::defineProperty(cx, obj, id, pd);
         }
         return Reject(cx, obj, JSMSG_OBJECT_NOT_EXTENSIBLE, throwError, rval);
     }
     return DefinePropertyOnObject(cx, obj, id, desc, throwError, rval);
 }
 bool
 js::DefineOwnProperty(JSContext *cx, HandleObject obj, HandleId id, HandleValue descriptor,
                       bool *bp)
 {
     AutoPropDescArrayRooter descs(cx);
     PropDesc *desc = descs.append();
     if (!desc || !desc->initialize(cx, descriptor))
         return false;
     bool rval;
     if (!DefineProperty(cx, obj, id, *desc, true, &rval))
         return false;
     *bp = !!rval;
     return true;
 }
 bool
 js::DefineOwnProperty(JSContext *cx, HandleObject obj, HandleId id,
                       Handle<PropertyDescriptor> descriptor, bool *bp)
 {
     AutoPropDescArrayRooter descs(cx);
     PropDesc *desc = descs.append();
     if (!desc)
         return false;
     desc->initFromPropertyDescriptor(descriptor);
     bool rval;
     if (!DefineProperty(cx, obj, id, *desc, true, &rval))
         return false;
     *bp = !!rval;
     return true;
 }
 bool
 js::ReadPropertyDescriptors(JSContext *cx, HandleObject props, bool checkAccessors,
                             AutoIdVector *ids, AutoPropDescArrayRooter *descs)
 {
     if (!GetPropertyNames(cx, props, JSITER_OWNONLY, ids))
         return false;
     RootedId id(cx);
     for (size_t i = 0, len = ids->length(); i < len; i++) {
         id = (*ids)[i];
         PropDesc* desc = descs->append();
         RootedValue v(cx);
         if (!desc ||
             !JSObject::getGeneric(cx, props, props, id, &v) ||
             !desc->initialize(cx, v, checkAccessors))
         {
             return false;
         }
     }
     return true;
 }
 bool
 js::DefineProperties(JSContext *cx, HandleObject obj, HandleObject props)
 {
     AutoIdVector ids(cx);
     AutoPropDescArrayRooter descs(cx);
     if (!ReadPropertyDescriptors(cx, props, true, &ids, &descs))
         return false;
     if (obj->is<ArrayObject>()) {
         bool dummy;
         Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
         for (size_t i = 0, len = ids.length(); i < len; i++) {
             if (!DefinePropertyOnArray(cx, arr, ids.handleAt(i), descs[i], true, &dummy))
                 return false;
         }
         return true;
     }
     if (obj->getOps()->lookupGeneric) {
         /*
          * FIXME: Once ScriptedIndirectProxies are removed, this code should call
          * TrapDefineOwnProperty directly
          */
         if (obj->is<ProxyObject>()) {
             for (size_t i = 0, len = ids.length(); i < len; i++) {
                 RootedValue pd(cx, descs[i].pd());
                 if (!Proxy::defineProperty(cx, obj, ids.handleAt(i), pd))
                     return false;
             }
             return true;
         }
         bool dummy;
         return Reject(cx, obj, JSMSG_OBJECT_NOT_EXTENSIBLE, true, &dummy);
     }
     bool dummy;
     for (size_t i = 0, len = ids.length(); i < len; i++) {
         if (!DefinePropertyOnObject(cx, obj, ids.handleAt(i), descs[i], true, &dummy))
             return false;
     }
     return true;
 }
 extern bool
 js_PopulateObject(JSContext *cx, HandleObject newborn, HandleObject props)
 {
     return DefineProperties(cx, newborn, props);
 }
 js::types::TypeObject*
 JSObject::uninlinedGetType(JSContext *cx)
 {
     return getType(cx);
 }
 void
 JSObject::uninlinedSetType(js::types::TypeObject *newType)
 {
     setType(newType);
 }
 /* static */ inline unsigned
 JSObject::getSealedOrFrozenAttributes(unsigned attrs, ImmutabilityType it)
 {
     /* Make all attributes permanent; if freezing, make data attributes read-only. */
     if (it == FREEZE && !(attrs & (JSPROP_GETTER | JSPROP_SETTER)))
         return JSPROP_PERMANENT | JSPROP_READONLY;
     return JSPROP_PERMANENT;
 }
 /* static */ bool
 JSObject::sealOrFreeze(JSContext *cx, HandleObject obj, ImmutabilityType it)
 {
     assertSameCompartment(cx, obj);
     JS_ASSERT(it == SEAL || it == FREEZE);
     bool extensible;
     if (!JSObject::isExtensible(cx, obj, &extensible))
         return false;
     if (extensible && !JSObject::preventExtensions(cx, obj))
         return false;
     AutoIdVector props(cx);
     if (!GetPropertyNames(cx, obj, JSITER_HIDDEN | JSITER_OWNONLY, &props))
         return false;
     /* preventExtensions must sparsify dense objects, so we can assign to holes without checks. */
     JS_ASSERT_IF(obj->isNative(), obj->getDenseCapacity() == 0);
     if (obj->isNative() && !obj->inDictionaryMode() && !obj->is<TypedArrayObject>()) {
         /*
          * Seal/freeze non-dictionary objects by constructing a new shape
          * hierarchy mirroring the original one, which can be shared if many
          * objects with the same structure are sealed/frozen. If we use the
          * generic path below then any non-empty object will be converted to
          * dictionary mode.
          */
         RootedShape last(cx, EmptyShape::getInitialShape(cx, obj->getClass(),
                                                          obj->getTaggedProto(),
                                                          obj->getParent(),
                                                          obj->getMetadata(),
                                                          obj->numFixedSlots(),
                                                          obj->lastProperty()->getObjectFlags()));
         if (!last)
             return false;
         /* Get an in order list of the shapes in this object. */
         AutoShapeVector shapes(cx);
         for (Shape::Range<NoGC> r(obj->lastProperty()); !r.empty(); r.popFront()) {
             if (!shapes.append(&r.front()))
                 return false;
         }
         Reverse(shapes.begin(), shapes.end());
         for (size_t i = 0; i < shapes.length(); i++) {
             StackShape unrootedChild(shapes[i]);
             RootedGeneric<StackShape*> child(cx, &unrootedChild);
             child->attrs |= getSealedOrFrozenAttributes(child->attrs, it);
             if (!JSID_IS_EMPTY(child->propid) && it == FREEZE)
                 MarkTypePropertyNonWritable(cx, obj, child->propid);
             last = cx->compartment()->propertyTree.getChild(cx, last, *child);
             if (!last)
                 return false;
         }
         JS_ASSERT(obj->lastProperty()->slotSpan() == last->slotSpan());
         JS_ALWAYS_TRUE(setLastProperty(cx, obj, last));
     } else {
         RootedId id(cx);
         for (size_t i = 0; i < props.length(); i++) {
             id = props[i];
             unsigned attrs;
             if (!getGenericAttributes(cx, obj, id, &attrs))
                 return false;
             unsigned new_attrs = getSealedOrFrozenAttributes(attrs, it);
             /* If we already have the attributes we need, skip the setAttributes call. */
             if ((attrs | new_attrs) == attrs)
                 continue;
             attrs |= new_attrs;
             if (!setGenericAttributes(cx, obj, id, &attrs))
                 return false;
         }
     }
     // Ordinarily ArraySetLength handles this, but we're going behind its back
     // right now, so we must do this manually.  Neither the custom property
     // tree mutations nor the setGenericAttributes call in the above code will
     // do this for us.
     //
     // ArraySetLength also implements the capacity <= length invariant for
     // arrays with non-writable length.  We don't need to do anything special
     // for that, because capacity was zeroed out by preventExtensions.  (See
     // the assertion before the if-else above.)
     if (it == FREEZE && obj->is<ArrayObject>())
         obj->getElementsHeader()->setNonwritableArrayLength();
     return true;
 }
 /* static */ bool
 JSObject::isSealedOrFrozen(JSContext *cx, HandleObject obj, ImmutabilityType it, bool *resultp)
 {
     bool extensible;
     if (!JSObject::isExtensible(cx, obj, &extensible))
         return false;
     if (extensible) {
         *resultp = false;
         return true;
     }
     if (obj->is<TypedArrayObject>()) {
         if (it == SEAL) {
             // Typed arrays are always sealed.
             *resultp = true;
         } else {
             // Typed arrays cannot be frozen, but an empty typed array is
             // trivially frozen.
             *resultp = (obj->as<TypedArrayObject>().length() == 0);
         }
         return true;
     }
     AutoIdVector props(cx);
     if (!GetPropertyNames(cx, obj, JSITER_HIDDEN | JSITER_OWNONLY, &props))
         return false;
     RootedId id(cx);
     for (size_t i = 0, len = props.length(); i < len; i++) {
         id = props[i];
         unsigned attrs;
         if (!getGenericAttributes(cx, obj, id, &attrs))
             return false;
         /*
          * If the property is configurable, this object is neither sealed nor
          * frozen. If the property is a writable data property, this object is
          * not frozen.
          */
         if (!(attrs & JSPROP_PERMANENT) ||
             (it == FREEZE && !(attrs & (JSPROP_READONLY | JSPROP_GETTER | JSPROP_SETTER))))
         {
             *resultp = false;
             return true;
         }
     }
     /* All properties checked out. This object is sealed/frozen. */
     *resultp = true;
     return true;
 }
 /* static */
 const char *
 JSObject::className(JSContext *cx, HandleObject obj)
 {
     assertSameCompartment(cx, obj);
     if (obj->is<ProxyObject>())
         return Proxy::className(cx, obj);
     return obj->getClass()->name;
 }
 /*
  * Get the GC kind to use for scripted 'new' on the given class.
  * FIXME bug 547327: estimate the size from the allocation site.
  */
 static inline gc::AllocKind
 NewObjectGCKind(const js::Class *clasp)
 {
     if (clasp == &ArrayObject::class_)
         return gc::FINALIZE_OBJECT8;
     if (clasp == &JSFunction::class_)
         return gc::FINALIZE_OBJECT2;
     return gc::FINALIZE_OBJECT4;
 }
 static inline JSObject *
 NewObject(ExclusiveContext *cx, types::TypeObject *type_, JSObject *parent, gc::AllocKind kind,
           NewObjectKind newKind)
 {
     const Class *clasp = type_->clasp();
     JS_ASSERT(clasp != &ArrayObject::class_);
     JS_ASSERT_IF(clasp == &JSFunction::class_,
                  kind == JSFunction::FinalizeKind || kind == JSFunction::ExtendedFinalizeKind);
     JS_ASSERT_IF(parent, &parent->global() == cx->global());
     RootedTypeObject type(cx, type_);
     JSObject *metadata = nullptr;
     if (!NewObjectMetadata(cx, &metadata))
         return nullptr;
     // For objects which can have fixed data following the object, only use
     // enough fixed slots to cover the number of reserved slots in the object,
     // regardless of the allocation kind specified.
     size_t nfixed = ClassCanHaveFixedData(clasp)
                     ? GetGCKindSlots(gc::GetGCObjectKind(clasp), clasp)
                     : GetGCKindSlots(kind, clasp);
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, type->proto(),
                                                       parent, metadata, nfixed));
     if (!shape)
         return nullptr;
     gc::InitialHeap heap = GetInitialHeap(newKind, clasp);
     JSObject *obj = JSObject::create(cx, kind, heap, shape, type);
     if (!obj)
         return nullptr;
     if (newKind == SingletonObject) {
         RootedObject nobj(cx, obj);
         if (!JSObject::setSingletonType(cx, nobj))
             return nullptr;
         obj = nobj;
     }
     /*
      * This will cancel an already-running incremental GC from doing any more
      * slices, and it will prevent any future incremental GCs.
      */
     bool globalWithoutCustomTrace = clasp->trace == JS_GlobalObjectTraceHook &&
                                     !cx->compartment()->options().getTrace();
     if (clasp->trace &&
         !globalWithoutCustomTrace &&
         !(clasp->flags & JSCLASS_IMPLEMENTS_BARRIERS))
     {
         if (!cx->shouldBeJSContext())
             return nullptr;
         JSRuntime *rt = cx->asJSContext()->runtime();
         rt->gcIncrementalEnabled = false;
 #ifdef DEBUG
         if (rt->gcMode() == JSGC_MODE_INCREMENTAL) {
             fprintf(stderr,
                     "The class %s has a trace hook but does not declare the\n"
                     "JSCLASS_IMPLEMENTS_BARRIERS flag. Please ensure that it correctly\n"
                     "implements write barriers and then set the flag.\n",
                     clasp->name);
             MOZ_CRASH();
         }
 #endif
     }
     probes::CreateObject(cx, obj);
     return obj;
 }
 void
 NewObjectCache::fillProto(EntryIndex entry, const Class *clasp, js::TaggedProto proto,
                           gc::AllocKind kind, JSObject *obj)
 {
     JS_ASSERT_IF(proto.isObject(), !proto.toObject()->is<GlobalObject>());
     JS_ASSERT(obj->getTaggedProto() == proto);
     return fill(entry, clasp, proto.raw(), kind, obj);
 }
 JSObject *
 js::NewObjectWithGivenProto(ExclusiveContext *cxArg, const js::Class *clasp,
                             js::TaggedProto protoArg, JSObject *parentArg,
                             gc::AllocKind allocKind, NewObjectKind newKind)
 {
     if (CanBeFinalizedInBackground(allocKind, clasp))
         allocKind = GetBackgroundAllocKind(allocKind);
     NewObjectCache::EntryIndex entry = -1;
     if (JSContext *cx = cxArg->maybeJSContext()) {
         NewObjectCache &cache = cx->runtime()->newObjectCache;
         if (protoArg.isObject() &&
             newKind == GenericObject &&
             !cx->compartment()->hasObjectMetadataCallback() &&
             (!parentArg || parentArg == protoArg.toObject()->getParent()) &&
             !protoArg.toObject()->is<GlobalObject>())
         {
             if (cache.lookupProto(clasp, protoArg.toObject(), allocKind, &entry)) {
                 JSObject *obj = cache.newObjectFromHit<NoGC>(cx, entry, GetInitialHeap(newKind, clasp));
                 if (obj) {
                     return obj;
                 } else {
                     Rooted<TaggedProto> proto(cxArg, protoArg);
                     RootedObject parent(cxArg, parentArg);
                     obj = cache.newObjectFromHit<CanGC>(cx, entry, GetInitialHeap(newKind, clasp));
                     JS_ASSERT(!obj);
                     parentArg = parent;
                     protoArg = proto;
                 }
             }
         }
     }
     Rooted<TaggedProto> proto(cxArg, protoArg);
     RootedObject parent(cxArg, parentArg);
     types::TypeObject *type = cxArg->getNewType(clasp, proto, nullptr);
     if (!type)
         return nullptr;
     /*
      * Default parent to the parent of the prototype, which was set from
      * the parent of the prototype's constructor.
      */
     if (!parent && proto.isObject())
         parent = proto.toObject()->getParent();
     RootedObject obj(cxArg, NewObject(cxArg, type, parent, allocKind, newKind));
     if (!obj)
         return nullptr;
     if (entry != -1 && !obj->hasDynamicSlots()) {
         cxArg->asJSContext()->runtime()->newObjectCache.fillProto(entry, clasp,
                                                                   proto, allocKind, obj);
     }
     return obj;
 }
 JSObject *
 js::NewObjectWithClassProtoCommon(ExclusiveContext *cxArg,
                                   const js::Class *clasp, JSObject *protoArg, JSObject *parentArg,
                                   gc::AllocKind allocKind, NewObjectKind newKind)
 {
     if (protoArg)
         return NewObjectWithGivenProto(cxArg, clasp, protoArg, parentArg, allocKind, newKind);
     if (CanBeFinalizedInBackground(allocKind, clasp))
         allocKind = GetBackgroundAllocKind(allocKind);
     if (!parentArg)
         parentArg = cxArg->global();
     /*
      * Use the object cache, except for classes without a cached proto key.
      * On these objects, FindProto will do a dynamic property lookup to get
      * global[className].prototype, where changes to either the className or
      * prototype property would render the cached lookup incorrect. For classes
      * with a proto key, the prototype created during class initialization is
      * stored in an immutable slot on the global (except for ClearScope, which
      * will flush the new object cache).
      */
     JSProtoKey protoKey = GetClassProtoKey(clasp);
     NewObjectCache::EntryIndex entry = -1;
     if (JSContext *cx = cxArg->maybeJSContext()) {
         NewObjectCache &cache = cx->runtime()->newObjectCache;
         if (parentArg->is<GlobalObject>() &&
             protoKey != JSProto_Null &&
             newKind == GenericObject &&
             !cx->compartment()->hasObjectMetadataCallback())
         {
             if (cache.lookupGlobal(clasp, &parentArg->as<GlobalObject>(), allocKind, &entry)) {
                 JSObject *obj = cache.newObjectFromHit<NoGC>(cx, entry, GetInitialHeap(newKind, clasp));
                 if (obj) {
                     return obj;
                 } else {
                     RootedObject parent(cxArg, parentArg);
                     RootedObject proto(cxArg, protoArg);
                     obj = cache.newObjectFromHit<CanGC>(cx, entry, GetInitialHeap(newKind, clasp));
                     JS_ASSERT(!obj);
                     protoArg = proto;
                     parentArg = parent;
                 }
             }
         }
     }
     RootedObject parent(cxArg, parentArg);
     RootedObject proto(cxArg, protoArg);
     if (!FindProto(cxArg, clasp, &proto))
         return nullptr;
     types::TypeObject *type = cxArg->getNewType(clasp, proto.get());
     if (!type)
         return nullptr;
     JSObject *obj = NewObject(cxArg, type, parent, allocKind, newKind);
     if (!obj)
         return nullptr;
     if (entry != -1 && !obj->hasDynamicSlots()) {
         cxArg->asJSContext()->runtime()->newObjectCache.fillGlobal(entry, clasp,
                                                                    &parent->as<GlobalObject>(),
                                                                    allocKind, obj);
     }
     return obj;
 }
 /*
  * Create a plain object with the specified type. This bypasses getNewType to
  * avoid losing creation site information for objects made by scripted 'new'.
  */
 JSObject *
 js::NewObjectWithType(JSContext *cx, HandleTypeObject type, JSObject *parent, gc::AllocKind allocKind,
                       NewObjectKind newKind)
 {
     JS_ASSERT(parent);
     JS_ASSERT(allocKind <= gc::FINALIZE_OBJECT_LAST);
     if (CanBeFinalizedInBackground(allocKind, type->clasp()))
         allocKind = GetBackgroundAllocKind(allocKind);
     NewObjectCache &cache = cx->runtime()->newObjectCache;
     NewObjectCache::EntryIndex entry = -1;
     if (parent == type->proto().toObject()->getParent() &&
         newKind == GenericObject &&
         !cx->compartment()->hasObjectMetadataCallback())
     {
         if (cache.lookupType(type, allocKind, &entry)) {
             JSObject *obj = cache.newObjectFromHit<NoGC>(cx, entry, GetInitialHeap(newKind, type->clasp()));
             if (obj) {
                 return obj;
             } else {
                 obj = cache.newObjectFromHit<CanGC>(cx, entry, GetInitialHeap(newKind, type->clasp()));
                 parent = type->proto().toObject()->getParent();
             }
         }
     }
     JSObject *obj = NewObject(cx, type, parent, allocKind, newKind);
     if (!obj)
         return nullptr;
     if (entry != -1 && !obj->hasDynamicSlots())
         cache.fillType(entry, type, allocKind, obj);
     return obj;
 }
 bool
 js::NewObjectScriptedCall(JSContext *cx, MutableHandleObject pobj)
 {
     jsbytecode *pc;
     RootedScript script(cx, cx->currentScript(&pc));
     gc::AllocKind allocKind = NewObjectGCKind(&JSObject::class_);
     NewObjectKind newKind = script
                             ? UseNewTypeForInitializer(script, pc, &JSObject::class_)
                             : GenericObject;
     RootedObject obj(cx, NewBuiltinClassInstance(cx, &JSObject::class_, allocKind, newKind));
     if (!obj)
         return false;
     if (script) {
         /* Try to specialize the type of the object to the scripted call site. */
         if (!types::SetInitializerObjectType(cx, script, pc, obj, newKind))
             return false;
     }
     pobj.set(obj);
     return true;
 }
 JSObject*
 js::CreateThis(JSContext *cx, const Class *newclasp, HandleObject callee)
 {
     RootedValue protov(cx);
     if (!JSObject::getProperty(cx, callee, callee, cx->names().prototype, &protov))
         return nullptr;
     JSObject *proto = protov.isObjectOrNull() ? protov.toObjectOrNull() : nullptr;
     JSObject *parent = callee->getParent();
     gc::AllocKind kind = NewObjectGCKind(newclasp);
     return NewObjectWithClassProto(cx, newclasp, proto, parent, kind);
 }
 static inline JSObject *
 CreateThisForFunctionWithType(JSContext *cx, HandleTypeObject type, JSObject *parent,
                               NewObjectKind newKind)
 {
     if (type->hasNewScript()) {
         /*
          * Make an object with the type's associated finalize kind and shape,
          * which reflects any properties that will definitely be added to the
          * object before it is read from.
          */
         RootedObject templateObject(cx, type->newScript()->templateObject);
         JS_ASSERT(templateObject->type() == type);
         RootedObject res(cx, CopyInitializerObject(cx, templateObject, newKind));
         if (!res)
             return nullptr;
         if (newKind == SingletonObject) {
             Rooted<TaggedProto> proto(cx, templateObject->getProto());
             if (!res->splicePrototype(cx, &JSObject::class_, proto))
                 return nullptr;
         } else {
             res->setType(type);
         }
         return res;
     }
     gc::AllocKind allocKind = NewObjectGCKind(&JSObject::class_);
     return NewObjectWithType(cx, type, parent, allocKind, newKind);
 }
 JSObject *
 js::CreateThisForFunctionWithProto(JSContext *cx, HandleObject callee, JSObject *proto,
                                    NewObjectKind newKind /* = GenericObject */)
 {
     RootedObject res(cx);
     if (proto) {
         RootedTypeObject type(cx, cx->getNewType(&JSObject::class_, proto, &callee->as<JSFunction>()));
         if (!type)
             return nullptr;
         res = CreateThisForFunctionWithType(cx, type, callee->getParent(), newKind);
     } else {
         gc::AllocKind allocKind = NewObjectGCKind(&JSObject::class_);
         res = NewObjectWithClassProto(cx, &JSObject::class_, proto, callee->getParent(), allocKind, newKind);
     }
     if (res) {
         JSScript *script = callee->as<JSFunction>().getOrCreateScript(cx);
         if (!script)
             return nullptr;
         TypeScript::SetThis(cx, script, types::Type::ObjectType(res));
     }
     return res;
 }
 JSObject *
 js::CreateThisForFunction(JSContext *cx, HandleObject callee, NewObjectKind newKind)
 {
     RootedValue protov(cx);
     if (!JSObject::getProperty(cx, callee, callee, cx->names().prototype, &protov))
         return nullptr;
     JSObject *proto;
     if (protov.isObject())
         proto = &protov.toObject();
     else
         proto = nullptr;
     JSObject *obj = CreateThisForFunctionWithProto(cx, callee, proto, newKind);
     if (obj && newKind == SingletonObject) {
         RootedObject nobj(cx, obj);
         /* Reshape the singleton before passing it as the 'this' value. */
         JSObject::clear(cx, nobj);
         JSScript *calleeScript = callee->as<JSFunction>().nonLazyScript();
         TypeScript::SetThis(cx, calleeScript, types::Type::ObjectType(nobj));
         return nobj;
     }
     return obj;
 }
 /*
  * Given pc pointing after a property accessing bytecode, return true if the
  * access is "object-detecting" in the sense used by web scripts, e.g., when
  * checking whether document.all is defined.
  */
 static bool
 Detecting(JSContext *cx, JSScript *script, jsbytecode *pc)
 {
     JS_ASSERT(script->containsPC(pc));
     /* General case: a branch or equality op follows the access. */
     JSOp op = JSOp(*pc);
     if (js_CodeSpec[op].format & JOF_DETECTING)
         return true;
     jsbytecode *endpc = script->codeEnd();
     if (op == JSOP_NULL) {
         /*
          * Special case #1: handle (document.all == null).  Don't sweat
          * about JS1.2's revision of the equality operators here.
          */
         if (++pc < endpc) {
             op = JSOp(*pc);
             return op == JSOP_EQ || op == JSOP_NE;
         }
         return false;
     }
     if (op == JSOP_GETGNAME || op == JSOP_NAME) {
         /*
          * Special case #2: handle (document.all == undefined).  Don't worry
          * about a local variable named |undefined| shadowing the immutable
          * global binding...because, really?
          */
         JSAtom *atom = script->getAtom(GET_UINT32_INDEX(pc));
         if (atom == cx->names().undefined &&
             (pc += js_CodeSpec[op].length) < endpc) {
             op = JSOp(*pc);
             return op == JSOP_EQ || op == JSOP_NE || op == JSOP_STRICTEQ || op == JSOP_STRICTNE;
         }
     }
     return false;
 }
 /* static */ bool
 JSObject::nonNativeSetProperty(JSContext *cx, HandleObject obj,
                                HandleId id, MutableHandleValue vp, bool strict)
 {
     if (MOZ_UNLIKELY(obj->watched())) {
         WatchpointMap *wpmap = cx->compartment()->watchpointMap;
         if (wpmap && !wpmap->triggerWatchpoint(cx, obj, id, vp))
             return false;
     }
     return obj->getOps()->setGeneric(cx, obj, id, vp, strict);
 }
 /* static */ bool
 JSObject::nonNativeSetElement(JSContext *cx, HandleObject obj,
                               uint32_t index, MutableHandleValue vp, bool strict)
 {
     if (MOZ_UNLIKELY(obj->watched())) {
         RootedId id(cx);
         if (!IndexToId(cx, index, &id))
             return false;
         WatchpointMap *wpmap = cx->compartment()->watchpointMap;
         if (wpmap && !wpmap->triggerWatchpoint(cx, obj, id, vp))
             return false;
     }
     return obj->getOps()->setElement(cx, obj, index, vp, strict);
 }
 /* static */ bool
 JSObject::deleteByValue(JSContext *cx, HandleObject obj, const Value &property, bool *succeeded)
 {
     uint32_t index;
     if (IsDefinitelyIndex(property, &index))
         return deleteElement(cx, obj, index, succeeded);
     RootedValue propval(cx, property);
     JSAtom *name = ToAtom<CanGC>(cx, propval);
     if (!name)
         return false;
     if (name->isIndex(&index))
         return deleteElement(cx, obj, index, succeeded);
     Rooted<PropertyName*> propname(cx, name->asPropertyName());
     return deleteProperty(cx, obj, propname, succeeded);
 }
 JS_FRIEND_API(bool)
 JS_CopyPropertyFrom(JSContext *cx, HandleId id, HandleObject target,
                     HandleObject obj)
 {
     // |obj| and |cx| are generally not same-compartment with |target| here.
     assertSameCompartment(cx, obj, id);
     Rooted<JSPropertyDescriptor> desc(cx);
     if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
         return false;
     MOZ_ASSERT(desc.object());
     // Silently skip JSPropertyOp-implemented accessors.
     if (desc.getter() && !desc.hasGetterObject())
         return true;
     if (desc.setter() && !desc.hasSetterObject())
         return true;
     JSAutoCompartment ac(cx, target);
     RootedId wrappedId(cx, id);
     if (!cx->compartment()->wrap(cx, &desc))
         return false;
     if (!cx->compartment()->wrapId(cx, wrappedId.address()))
         return false;
     bool ignored;
     return DefineOwnProperty(cx, target, wrappedId, desc, &ignored);
 }
 JS_FRIEND_API(bool)
 JS_CopyPropertiesFrom(JSContext *cx, HandleObject target, HandleObject obj)
 {
     JSAutoCompartment ac(cx, obj);
     AutoIdVector props(cx);
     if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &props))
         return false;
     for (size_t i = 0; i < props.length(); ++i) {
         if (!JS_CopyPropertyFrom(cx, props.handleAt(i), target, obj))
             return false;
     }
     return true;
 }
 static bool
 CopySlots(JSContext *cx, HandleObject from, HandleObject to)
 {
     JS_ASSERT(!from->isNative() && !to->isNative());
     JS_ASSERT(from->getClass() == to->getClass());
     size_t n = 0;
     if (from->is<WrapperObject>() &&
         (Wrapper::wrapperHandler(from)->flags() &
          Wrapper::CROSS_COMPARTMENT)) {
         to->setSlot(0, from->getSlot(0));
         to->setSlot(1, from->getSlot(1));
         n = 2;
     }
     size_t span = JSCLASS_RESERVED_SLOTS(from->getClass());
     RootedValue v(cx);
     for (; n < span; ++n) {
         v = from->getSlot(n);
         if (!cx->compartment()->wrap(cx, &v))
             return false;
         to->setSlot(n, v);
     }
     return true;
 }
 JSObject *
 js::CloneObject(JSContext *cx, HandleObject obj, Handle<js::TaggedProto> proto, HandleObject parent)
 {
     if (!obj->isNative() && !obj->is<ProxyObject>()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
                              JSMSG_CANT_CLONE_OBJECT);
         return nullptr;
     }
     RootedObject clone(cx, NewObjectWithGivenProto(cx, obj->getClass(), proto, parent));
     if (!clone)
         return nullptr;
     if (obj->isNative()) {
         if (clone->is<JSFunction>() && (obj->compartment() != clone->compartment())) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
                                  JSMSG_CANT_CLONE_OBJECT);
             return nullptr;
         }
         if (obj->hasPrivate())
             clone->setPrivate(obj->getPrivate());
     } else {
         JS_ASSERT(obj->is<ProxyObject>());
         if (!CopySlots(cx, obj, clone))
             return nullptr;
     }
     return clone;
 }
 JSObject *
 js::DeepCloneObjectLiteral(JSContext *cx, HandleObject obj, NewObjectKind newKind)
 {
     /* NB: Keep this in sync with XDRObjectLiteral. */
     JS_ASSERT(JS::CompartmentOptionsRef(cx).getSingletonsAsTemplates());
     JS_ASSERT(obj->is<JSObject>() || obj->is<ArrayObject>());
     // Result of the clone function.
     RootedObject clone(cx);
     // Temporary element/slot which would be stored in the cloned object.
     RootedValue v(cx);
     RootedObject deepObj(cx);
     if (obj->getClass() == &ArrayObject::class_) {
         clone = NewDenseUnallocatedArray(cx, obj->as<ArrayObject>().length(), nullptr, newKind);
     } else {
         // Object literals are tenured by default as holded by the JSScript.
         JS_ASSERT(obj->isTenured());
         AllocKind kind = obj->tenuredGetAllocKind();
         Rooted<TypeObject*> typeObj(cx, obj->getType(cx));
         if (!typeObj)
             return nullptr;
         RootedObject parent(cx, obj->getParent());
         clone = NewObjectWithGivenProto(cx, &JSObject::class_, typeObj->proto().toObject(),
                                         parent, kind, newKind);
     }
     // Allocate the same number of slots.
     if (!clone || !clone->ensureElements(cx, obj->getDenseCapacity()))
         return nullptr;
     // Copy the number of initialized elements.
     uint32_t initialized = obj->getDenseInitializedLength();
     if (initialized)
         clone->setDenseInitializedLength(initialized);
     // Recursive copy of dense element.
     for (uint32_t i = 0; i < initialized; ++i) {
         v = obj->getDenseElement(i);
         if (v.isObject()) {
             deepObj = &v.toObject();
             deepObj = js::DeepCloneObjectLiteral(cx, deepObj, newKind);
             if (!deepObj) {
                 JS_ReportOutOfMemory(cx);
                 return nullptr;
             }
             v.setObject(*deepObj);
         }
         clone->initDenseElement(i, v);
     }
     JS_ASSERT(obj->compartment() == clone->compartment());
     JS_ASSERT(!obj->hasPrivate());
     RootedShape shape(cx, obj->lastProperty());
     size_t span = shape->slotSpan();
     clone->setLastProperty(cx, clone, shape);
     for (size_t i = 0; i < span; i++) {
         v = obj->getSlot(i);
         if (v.isObject()) {
             deepObj = &v.toObject();
             deepObj = js::DeepCloneObjectLiteral(cx, deepObj, newKind);
             if (!deepObj)
                 return nullptr;
             v.setObject(*deepObj);
         }
         clone->setSlot(i, v);
     }
     if (obj->getClass() == &ArrayObject::class_)
         FixArrayType(cx, clone);
     else
         FixObjectType(cx, clone);
 #ifdef DEBUG
     Rooted<TypeObject*> typeObj(cx, obj->getType(cx));
     Rooted<TypeObject*> cloneTypeObj(cx, clone->getType(cx));
     if (!typeObj || !cloneTypeObj)
         return nullptr;
     JS_ASSERT(typeObj == cloneTypeObj);
 #endif
     return clone;
 }
 template<XDRMode mode>
 bool
 js::XDRObjectLiteral(XDRState<mode> *xdr, MutableHandleObject obj)
 {
     /* NB: Keep this in sync with DeepCloneObjectLiteral. */
     JSContext *cx = xdr->cx();
     JS_ASSERT_IF(mode == XDR_ENCODE, JS::CompartmentOptionsRef(cx).getSingletonsAsTemplates());
     // Distinguish between objects and array classes.
     uint32_t isArray = 0;
     {
         if (mode == XDR_ENCODE) {
             JS_ASSERT(obj->is<JSObject>() || obj->is<ArrayObject>());
             isArray = obj->getClass() == &ArrayObject::class_ ? 1 : 0;
         }
         if (!xdr->codeUint32(&isArray))
             return false;
     }
     if (isArray) {
         uint32_t length;
         if (mode == XDR_ENCODE)
             length = obj->as<ArrayObject>().length();
         if (!xdr->codeUint32(&length))
             return false;
         if (mode == XDR_DECODE)
             obj.set(NewDenseUnallocatedArray(cx, length, NULL, js::MaybeSingletonObject));
     } else {
         // Code the alloc kind of the object.
         AllocKind kind;
         {
             if (mode == XDR_ENCODE) {
                 JS_ASSERT(obj->getClass() == &JSObject::class_);
                 JS_ASSERT(obj->isTenured());
                 kind = obj->tenuredGetAllocKind();
             }
             if (!xdr->codeEnum32(&kind))
                 return false;
             if (mode == XDR_DECODE)
                 obj.set(NewBuiltinClassInstance(cx, &JSObject::class_, kind, js::MaybeSingletonObject));
         }
     }
     {
         uint32_t capacity;
         if (mode == XDR_ENCODE)
             capacity = obj->getDenseCapacity();
         if (!xdr->codeUint32(&capacity))
             return false;
         if (mode == XDR_DECODE) {
             if (!obj->ensureElements(cx, capacity)) {
                 JS_ReportOutOfMemory(cx);
                 return false;
             }
         }
     }
     uint32_t initialized;
     {
         if (mode == XDR_ENCODE)
             initialized = obj->getDenseInitializedLength();
         if (!xdr->codeUint32(&initialized))
             return false;
         if (mode == XDR_DECODE) {
             if (initialized)
                 obj->setDenseInitializedLength(initialized);
         }
     }
     RootedValue tmpValue(cx);
     // Recursively copy dense elements.
     {
         for (unsigned i = 0; i < initialized; i++) {
             if (mode == XDR_ENCODE)
                 tmpValue = obj->getDenseElement(i);
             if (!xdr->codeConstValue(&tmpValue))
                 return false;
             if (mode == XDR_DECODE)
                 obj->initDenseElement(i, tmpValue);
         }
     }
     JS_ASSERT(!obj->hasPrivate());
     RootedShape shape(cx, obj->lastProperty());
     // Code the number of slots in the vector.
     unsigned nslot = 0;
     // Code ids of the object in order. As opposed to DeepCloneObjectLiteral we
     // cannot just re-use the shape of the original bytecode value and we have
     // to write down the shape as well as the corresponding values.  Ideally we
     // would have a mechanism to serialize the shape too.
     js::AutoIdVector ids(cx);
     {
         if (mode == XDR_ENCODE && !shape->isEmptyShape()) {
             nslot = shape->slotSpan();
             if (!ids.reserve(nslot))
                 return false;
             for (unsigned i = 0; i < nslot; i++)
                 ids.infallibleAppend(JSID_VOID);
             for (Shape::Range<NoGC> it(shape); !it.empty(); it.popFront()) {
                 // If we have reached the native property of the array class, we
                 // exit as the remaining would only be reserved slots.
                 if (!it.front().hasSlot()) {
                     JS_ASSERT(isArray);
                     break;
                 }
                 JS_ASSERT(it.front().hasDefaultGetter());
                 ids[it.front().slot()] = it.front().propid();
             }
         }
         if (!xdr->codeUint32(&nslot))
             return false;
         RootedAtom atom(cx);
         RootedId id(cx);
         uint32_t idType = 0;
         for (unsigned i = 0; i < nslot; i++) {
             if (mode == XDR_ENCODE) {
                 id = ids[i];
                 if (JSID_IS_INT(id))
                     idType = JSID_TYPE_INT;
                 else if (JSID_IS_ATOM(id))
                     idType = JSID_TYPE_STRING;
                 else
                     MOZ_ASSUME_UNREACHABLE("Object property is not yet supported by XDR.");
                 tmpValue = obj->getSlot(i);
             }
             if (!xdr->codeUint32(&idType))
                 return false;
             if (idType == JSID_TYPE_STRING) {
                 if (mode == XDR_ENCODE)
                     atom = JSID_TO_ATOM(id);
                 if (!XDRAtom(xdr, &atom))
                     return false;
                 if (mode == XDR_DECODE)
                     id = AtomToId(atom);
             } else {
                 JS_ASSERT(idType == JSID_TYPE_INT);
                 uint32_t indexVal;
                 if (mode == XDR_ENCODE)
                     indexVal = uint32_t(JSID_TO_INT(id));
                 if (!xdr->codeUint32(&indexVal))
                     return false;
                 if (mode == XDR_DECODE)
                     id = INT_TO_JSID(int32_t(indexVal));
             }
             if (!xdr->codeConstValue(&tmpValue))
                 return false;
             if (mode == XDR_DECODE) {
                 if (!DefineNativeProperty(cx, obj, id, tmpValue, NULL, NULL, JSPROP_ENUMERATE))
                     return false;
             }
         }
         JS_ASSERT_IF(mode == XDR_DECODE, !obj->inDictionaryMode());
     }
     if (mode == XDR_DECODE) {
         if (isArray)
             FixArrayType(cx, obj);
         else
             FixObjectType(cx, obj);
     }
     return true;
 }
 template bool
 js::XDRObjectLiteral(XDRState<XDR_ENCODE> *xdr, MutableHandleObject obj);
 template bool
 js::XDRObjectLiteral(XDRState<XDR_DECODE> *xdr, MutableHandleObject obj);
 JSObject *
 js::CloneObjectLiteral(JSContext *cx, HandleObject parent, HandleObject srcObj)
 {
     Rooted<TypeObject*> typeObj(cx);
     typeObj = cx->getNewType(&JSObject::class_, cx->global()->getOrCreateObjectPrototype(cx));
     JS_ASSERT(srcObj->getClass() == &JSObject::class_);
     AllocKind kind = GetBackgroundAllocKind(GuessObjectGCKind(srcObj->numFixedSlots()));
     JS_ASSERT_IF(srcObj->isTenured(), kind == srcObj->tenuredGetAllocKind());
     RootedShape shape(cx, srcObj->lastProperty());
     return NewReshapedObject(cx, typeObj, parent, kind, shape);
 }
 struct JSObject::TradeGutsReserved {
     Vector<Value> avals;
     Vector<Value> bvals;
     int newafixed;
     int newbfixed;
     RootedShape newashape;
     RootedShape newbshape;
     HeapSlot *newaslots;
     HeapSlot *newbslots;
     TradeGutsReserved(JSContext *cx)
         : avals(cx), bvals(cx),
           newafixed(0), newbfixed(0),
           newashape(cx), newbshape(cx),
           newaslots(nullptr), newbslots(nullptr)
     {}
     ~TradeGutsReserved()
     {
         js_free(newaslots);
         js_free(newbslots);
     }
 };
 bool
 JSObject::ReserveForTradeGuts(JSContext *cx, JSObject *aArg, JSObject *bArg,
                               TradeGutsReserved &reserved)
 {
     /*
      * Avoid GC in here to avoid confusing the tracing code with our
      * intermediate state.
      */
     AutoSuppressGC suppress(cx);
     RootedObject a(cx, aArg);
     RootedObject b(cx, bArg);
     JS_ASSERT(a->compartment() == b->compartment());
     AutoCompartment ac(cx, a);
     /*
      * When performing multiple swaps between objects which may have different
      * numbers of fixed slots, we reserve all space ahead of time so that the
      * swaps can be performed infallibly.
      */
     /*
      * Swap prototypes and classes on the two objects, so that TradeGuts can
      * preserve the types of the two objects.
      */
     const Class *aClass = a->getClass();
     const Class *bClass = b->getClass();
     Rooted<TaggedProto> aProto(cx, a->getTaggedProto());
     Rooted<TaggedProto> bProto(cx, b->getTaggedProto());
     bool success;
     if (!SetClassAndProto(cx, a, bClass, bProto, &success) || !success)
         return false;
     if (!SetClassAndProto(cx, b, aClass, aProto, &success) || !success)
         return false;
     if (a->tenuredSizeOfThis() == b->tenuredSizeOfThis())
         return true;
     /*
      * If either object is native, it needs a new shape to preserve the
      * invariant that objects with the same shape have the same number of
      * inline slots. The fixed slots will be updated in place during TradeGuts.
      * Non-native objects need to be reshaped according to the new count.
      */
     if (a->isNative()) {
         if (!a->generateOwnShape(cx))
             return false;
     } else {
         reserved.newbshape = EmptyShape::getInitialShape(cx, aClass, aProto, a->getParent(), a->getMetadata(),
                                                          b->tenuredGetAllocKind());
         if (!reserved.newbshape)
             return false;
     }
     if (b->isNative()) {
         if (!b->generateOwnShape(cx))
             return false;
     } else {
         reserved.newashape = EmptyShape::getInitialShape(cx, bClass, bProto, b->getParent(), b->getMetadata(),
                                                          a->tenuredGetAllocKind());
         if (!reserved.newashape)
             return false;
     }
     /* The avals/bvals vectors hold all original values from the objects. */
     if (!reserved.avals.reserve(a->slotSpan()))
         return false;
     if (!reserved.bvals.reserve(b->slotSpan()))
         return false;
     /*
      * The newafixed/newbfixed hold the number of fixed slots in the objects
      * after the swap. Adjust these counts according to whether the objects
      * use their last fixed slot for storing private data.
      */
     reserved.newafixed = a->numFixedSlots();
     reserved.newbfixed = b->numFixedSlots();
     if (aClass->hasPrivate()) {
         reserved.newafixed++;
         reserved.newbfixed--;
     }
     if (bClass->hasPrivate()) {
         reserved.newbfixed++;
         reserved.newafixed--;
     }
     JS_ASSERT(reserved.newafixed >= 0);
     JS_ASSERT(reserved.newbfixed >= 0);
     /*
      * The newaslots/newbslots arrays hold any dynamic slots for the objects
      * if they do not have enough fixed slots to accomodate the slots in the
      * other object.
      */
     unsigned adynamic = dynamicSlotsCount(reserved.newafixed, b->slotSpan(), b->getClass());
     unsigned bdynamic = dynamicSlotsCount(reserved.newbfixed, a->slotSpan(), a->getClass());
     if (adynamic) {
         reserved.newaslots = cx->pod_malloc<HeapSlot>(adynamic);
         if (!reserved.newaslots)
             return false;
         Debug_SetSlotRangeToCrashOnTouch(reserved.newaslots, adynamic);
     }
     if (bdynamic) {
         reserved.newbslots = cx->pod_malloc<HeapSlot>(bdynamic);
         if (!reserved.newbslots)
             return false;
         Debug_SetSlotRangeToCrashOnTouch(reserved.newbslots, bdynamic);
     }
     return true;
 }
 void
 JSObject::TradeGuts(JSContext *cx, JSObject *a, JSObject *b, TradeGutsReserved &reserved)
 {
     JS_ASSERT(a->compartment() == b->compartment());
     JS_ASSERT(a->is<JSFunction>() == b->is<JSFunction>());
     /*
      * Swap the object's types, to restore their initial type information.
      * The prototypes and classes of the objects were swapped in ReserveForTradeGuts.
      */
     TypeObject *tmp = a->type_;
     a->type_ = b->type_;
     b->type_ = tmp;
     /* Don't try to swap a JSFunction for a plain function JSObject. */
     JS_ASSERT_IF(a->is<JSFunction>(), a->tenuredSizeOfThis() == b->tenuredSizeOfThis());
     /*
      * Regexp guts are more complicated -- we would need to migrate the
      * refcounted JIT code blob for them across compartments instead of just
      * swapping guts.
      */
     JS_ASSERT(!a->is<RegExpObject>() && !b->is<RegExpObject>());
     /* Arrays can use their fixed storage for elements. */
     JS_ASSERT(!a->is<ArrayObject>() && !b->is<ArrayObject>());
     /*
      * Callers should not try to swap ArrayBuffer objects,
      * these use a different slot representation from other objects.
      */
     JS_ASSERT(!a->is<ArrayBufferObject>() && !b->is<ArrayBufferObject>());
     /* Trade the guts of the objects. */
     const size_t size = a->tenuredSizeOfThis();
     if (size == b->tenuredSizeOfThis()) {
         /*
          * If the objects are the same size, then we make no assumptions about
          * whether they have dynamically allocated slots and instead just copy
          * them over wholesale.
          */
         char tmp[mozilla::tl::Max<sizeof(JSFunction), sizeof(JSObject_Slots16)>::value];
         JS_ASSERT(size <= sizeof(tmp));
         js_memcpy(tmp, a, size);
         js_memcpy(a, b, size);
         js_memcpy(b, tmp, size);
 #ifdef JSGC_GENERATIONAL
         /*
          * Trigger post barriers for fixed slots. JSObject bits are barriered
          * below, in common with the other case.
          */
         for (size_t i = 0; i < a->numFixedSlots(); ++i) {
             HeapSlot::writeBarrierPost(cx->runtime(), a, HeapSlot::Slot, i, a->getSlot(i));
             HeapSlot::writeBarrierPost(cx->runtime(), b, HeapSlot::Slot, i, b->getSlot(i));
         }
 #endif
     } else {
         /*
          * If the objects are of differing sizes, use the space we reserved
          * earlier to save the slots from each object and then copy them into
          * the new layout for the other object.
          */
         uint32_t acap = a->slotSpan();
         uint32_t bcap = b->slotSpan();
         for (size_t i = 0; i < acap; i++)
             reserved.avals.infallibleAppend(a->getSlot(i));
         for (size_t i = 0; i < bcap; i++)
             reserved.bvals.infallibleAppend(b->getSlot(i));
         /* Done with the dynamic slots. */
         if (a->hasDynamicSlots())
             js_free(a->slots);
         if (b->hasDynamicSlots())
             js_free(b->slots);
         void *apriv = a->hasPrivate() ? a->getPrivate() : nullptr;
         void *bpriv = b->hasPrivate() ? b->getPrivate() : nullptr;
         char tmp[sizeof(JSObject)];
         js_memcpy(&tmp, a, sizeof tmp);
         js_memcpy(a, b, sizeof tmp);
         js_memcpy(b, &tmp, sizeof tmp);
         if (a->isNative())
             a->shape_->setNumFixedSlots(reserved.newafixed);
         else
             a->shape_ = reserved.newashape;
         a->slots = reserved.newaslots;
         a->initSlotRange(0, reserved.bvals.begin(), bcap);
         if (a->hasPrivate())
             a->initPrivate(bpriv);
         if (b->isNative())
             b->shape_->setNumFixedSlots(reserved.newbfixed);
         else
             b->shape_ = reserved.newbshape;
         b->slots = reserved.newbslots;
         b->initSlotRange(0, reserved.avals.begin(), acap);
         if (b->hasPrivate())
             b->initPrivate(apriv);
         /* Make sure the destructor for reserved doesn't free the slots. */
         reserved.newaslots = nullptr;
         reserved.newbslots = nullptr;
     }
 #ifdef JSGC_GENERATIONAL
     Shape::writeBarrierPost(a->shape_, &a->shape_);
     Shape::writeBarrierPost(b->shape_, &b->shape_);
     types::TypeObject::writeBarrierPost(a->type_, &a->type_);
     types::TypeObject::writeBarrierPost(b->type_, &b->type_);
 #endif
     if (a->inDictionaryMode())
         a->lastProperty()->listp = &a->shape_;
     if (b->inDictionaryMode())
         b->lastProperty()->listp = &b->shape_;
 #ifdef JSGC_INCREMENTAL
     /*
      * We need a write barrier here. If |a| was marked and |b| was not, then
      * after the swap, |b|'s guts would never be marked. The write barrier
      * solves this.
      *
      * Normally write barriers happen before the write. However, that's not
      * necessary here because nothing is being destroyed. We're just swapping.
      * We don't do the barrier before TradeGuts because ReserveForTradeGuts
      * makes changes to the objects that might confuse the tracing code.
      */
     JS::Zone *zone = a->zone();
     if (zone->needsBarrier()) {
         MarkChildren(zone->barrierTracer(), a);
         MarkChildren(zone->barrierTracer(), b);
     }
 #endif
 }
 /* Use this method with extreme caution. It trades the guts of two objects. */
 bool
 JSObject::swap(JSContext *cx, HandleObject a, HandleObject b)
 {
     AutoMarkInDeadZone adc1(a->zone());
     AutoMarkInDeadZone adc2(b->zone());
     // Ensure swap doesn't cause a finalizer to not be run.
     JS_ASSERT(IsBackgroundFinalized(a->tenuredGetAllocKind()) ==
               IsBackgroundFinalized(b->tenuredGetAllocKind()));
     JS_ASSERT(a->compartment() == b->compartment());
     unsigned r = NotifyGCPreSwap(a, b);
     TradeGutsReserved reserved(cx);
     if (!ReserveForTradeGuts(cx, a, b, reserved)) {
         NotifyGCPostSwap(b, a, r);
         return false;
     }
     TradeGuts(cx, a, b, reserved);
     NotifyGCPostSwap(a, b, r);
     return true;
 }
 static bool
 DefineStandardSlot(JSContext *cx, HandleObject obj, JSProtoKey key, JSAtom *atom,
                    HandleValue v, uint32_t attrs, bool &named)
 {
     RootedId id(cx, AtomToId(atom));
     if (key != JSProto_Null) {
         /*
          * Initializing an actual standard class on a global object. If the
          * property is not yet present, force it into a new one bound to a
          * reserved slot. Otherwise, go through the normal property path.
          */
         JS_ASSERT(obj->is<GlobalObject>());
         JS_ASSERT(obj->isNative());
         if (!obj->nativeLookup(cx, id)) {
             obj->as<GlobalObject>().setConstructorPropertySlot(key, v);
             uint32_t slot = GlobalObject::constructorPropertySlot(key);
             if (!JSObject::addProperty(cx, obj, id, JS_PropertyStub, JS_StrictPropertyStub, slot, attrs, 0))
                 return false;
             named = true;
             return true;
         }
     }
     named = JSObject::defineGeneric(cx, obj, id,
                                     v, JS_PropertyStub, JS_StrictPropertyStub, attrs);
     return named;
 }
 static void
 SetClassObject(JSObject *obj, JSProtoKey key, JSObject *cobj, JSObject *proto)
 {
     JS_ASSERT(!obj->getParent());
     if (!obj->is<GlobalObject>())
         return;
     obj->as<GlobalObject>().setConstructor(key, ObjectOrNullValue(cobj));
     obj->as<GlobalObject>().setPrototype(key, ObjectOrNullValue(proto));
 }
 static void
 ClearClassObject(JSObject *obj, JSProtoKey key)
 {
     JS_ASSERT(!obj->getParent());
     if (!obj->is<GlobalObject>())
         return;
     obj->as<GlobalObject>().setConstructor(key, UndefinedValue());
     obj->as<GlobalObject>().setPrototype(key, UndefinedValue());
 }
 static JSObject *
 DefineConstructorAndPrototype(JSContext *cx, HandleObject obj, JSProtoKey key, HandleAtom atom,
                               JSObject *protoProto, const Class *clasp,
                               Native constructor, unsigned nargs,
                               const JSPropertySpec *ps, const JSFunctionSpec *fs,
                               const JSPropertySpec *static_ps, const JSFunctionSpec *static_fs,
                               JSObject **ctorp, AllocKind ctorKind)
 {
     /*
      * Create a prototype object for this class.
      *
      * FIXME: lazy standard (built-in) class initialization and even older
      * eager boostrapping code rely on all of these properties:
      *
      * 1. NewObject attempting to compute a default prototype object when
      *    passed null for proto; and
      *
      * 2. NewObject tolerating no default prototype (null proto slot value)
      *    due to this js_InitClass call coming from js_InitFunctionClass on an
      *    otherwise-uninitialized global.
      *
      * 3. NewObject allocating a JSFunction-sized GC-thing when clasp is
      *    &JSFunction::class_, not a JSObject-sized (smaller) GC-thing.
      *
      * The JS_NewObjectForGivenProto and JS_NewObject APIs also allow clasp to
      * be &JSFunction::class_ (we could break compatibility easily). But
      * fixing (3) is not enough without addressing the bootstrapping dependency
      * on (1) and (2).
      */
     /*
      * Create the prototype object.  (GlobalObject::createBlankPrototype isn't
      * used because it parents the prototype object to the global and because
      * it uses WithProto::Given.  FIXME: Undo dependencies on this parentage
      * [which already needs to happen for bug 638316], figure out nicer
      * semantics for null-protoProto, and use createBlankPrototype.)
      */
     RootedObject proto(cx, NewObjectWithClassProto(cx, clasp, protoProto, obj, SingletonObject));
     if (!proto)
         return nullptr;
     /* After this point, control must exit via label bad or out. */
     RootedObject ctor(cx);
     bool named = false;
     bool cached = false;
     if (!constructor) {
         /*
          * Lacking a constructor, name the prototype (e.g., Math) unless this
          * class (a) is anonymous, i.e. for internal use only; (b) the class
          * of obj (the global object) is has a reserved slot indexed by key;
          * and (c) key is not the null key.
          */
         if (!(clasp->flags & JSCLASS_IS_ANONYMOUS) || !obj->is<GlobalObject>() ||
             key == JSProto_Null)
         {
             uint32_t attrs = (clasp->flags & JSCLASS_IS_ANONYMOUS)
                            ? JSPROP_READONLY | JSPROP_PERMANENT
                            : 0;
             RootedValue value(cx, ObjectValue(*proto));
             if (!DefineStandardSlot(cx, obj, key, atom, value, attrs, named))
                 goto bad;
         }
         ctor = proto;
     } else {
         /*
          * Create the constructor, not using GlobalObject::createConstructor
          * because the constructor currently must have |obj| as its parent.
          * (FIXME: remove this dependency on the exact identity of the parent,
          * perhaps as part of bug 638316.)
          */
         RootedFunction fun(cx, NewFunction(cx, js::NullPtr(), constructor, nargs,
                                            JSFunction::NATIVE_CTOR, obj, atom, ctorKind));
         if (!fun)
             goto bad;
         /*
          * Set the class object early for standard class constructors. Type
          * inference may need to access these, and js::GetBuiltinPrototype will
          * fail if it tries to do a reentrant reconstruction of the class.
          */
         if (key != JSProto_Null) {
             SetClassObject(obj, key, fun, proto);
             cached = true;
         }
         RootedValue value(cx, ObjectValue(*fun));
         if (!DefineStandardSlot(cx, obj, key, atom, value, 0, named))
             goto bad;
         /*
          * Optionally construct the prototype object, before the class has
          * been fully initialized.  Allow the ctor to replace proto with a
          * different object, as is done for operator new.
          */
         ctor = fun;
         if (!LinkConstructorAndPrototype(cx, ctor, proto))
             goto bad;
         /* Bootstrap Function.prototype (see also JS_InitStandardClasses). */
         Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
         if (ctor->getClass() == clasp && !ctor->splicePrototype(cx, clasp, tagged))
             goto bad;
     }
     if (!DefinePropertiesAndBrand(cx, proto, ps, fs) ||
         (ctor != proto && !DefinePropertiesAndBrand(cx, ctor, static_ps, static_fs)))
     {
         goto bad;
     }
     /* If this is a standard class, cache its prototype. */
     if (!cached && key != JSProto_Null)
         SetClassObject(obj, key, ctor, proto);
     if (ctorp)
         *ctorp = ctor;
     return proto;
 bad:
     if (named) {
         bool succeeded;
         JSObject::deleteByValue(cx, obj, StringValue(atom), &succeeded);
     }
     if (cached)
         ClearClassObject(obj, key);
     return nullptr;
 }
 JSObject *
 js_InitClass(JSContext *cx, HandleObject obj, JSObject *protoProto_,
              const Class *clasp, Native constructor, unsigned nargs,
              const JSPropertySpec *ps, const JSFunctionSpec *fs,
              const JSPropertySpec *static_ps, const JSFunctionSpec *static_fs,
              JSObject **ctorp, AllocKind ctorKind)
 {
     RootedObject protoProto(cx, protoProto_);
     /* Assert mandatory function pointer members. */
     JS_ASSERT(clasp->addProperty);
     JS_ASSERT(clasp->delProperty);
     JS_ASSERT(clasp->getProperty);
     JS_ASSERT(clasp->setProperty);
     JS_ASSERT(clasp->enumerate);
     JS_ASSERT(clasp->resolve);
     JS_ASSERT(clasp->convert);
     RootedAtom atom(cx, Atomize(cx, clasp->name, strlen(clasp->name)));
     if (!atom)
         return nullptr;
     /*
      * All instances of the class will inherit properties from the prototype
      * object we are about to create (in DefineConstructorAndPrototype), which
      * in turn will inherit from protoProto.
      *
      * When initializing a standard class (other than Object), if protoProto is
      * null, default to Object.prototype. The engine's internal uses of
      * js_InitClass depend on this nicety.
      */
     JSProtoKey key = JSCLASS_CACHED_PROTO_KEY(clasp);
     if (key != JSProto_Null &&
         !protoProto &&
         !GetBuiltinPrototype(cx, JSProto_Object, &protoProto))
     {
         return nullptr;
     }
     return DefineConstructorAndPrototype(cx, obj, key, atom, protoProto, clasp, constructor, nargs,
                                          ps, fs, static_ps, static_fs, ctorp, ctorKind);
 }
 /* static */ inline bool
 JSObject::updateSlotsForSpan(ThreadSafeContext *cx,
                              HandleObject obj, size_t oldSpan, size_t newSpan)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     JS_ASSERT(oldSpan != newSpan);
     size_t oldCount = dynamicSlotsCount(obj->numFixedSlots(), oldSpan, obj->getClass());
     size_t newCount = dynamicSlotsCount(obj->numFixedSlots(), newSpan, obj->getClass());
     if (oldSpan < newSpan) {
         if (oldCount < newCount && !JSObject::growSlots(cx, obj, oldCount, newCount))
             return false;
         if (newSpan == oldSpan + 1)
             obj->initSlotUnchecked(oldSpan, UndefinedValue());
         else
             obj->initializeSlotRange(oldSpan, newSpan - oldSpan);
     } else {
         /* Trigger write barriers on the old slots before reallocating. */
         obj->prepareSlotRangeForOverwrite(newSpan, oldSpan);
         obj->invalidateSlotRange(newSpan, oldSpan - newSpan);
         if (oldCount > newCount)
             JSObject::shrinkSlots(cx, obj, oldCount, newCount);
     }
     return true;
 }
 /* static */ bool
 JSObject::setLastProperty(ThreadSafeContext *cx, HandleObject obj, HandleShape shape)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     JS_ASSERT(!obj->inDictionaryMode());
     JS_ASSERT(!shape->inDictionary());
     JS_ASSERT(shape->compartment() == obj->compartment());
     JS_ASSERT(shape->numFixedSlots() == obj->numFixedSlots());
     size_t oldSpan = obj->lastProperty()->slotSpan();
     size_t newSpan = shape->slotSpan();
     if (oldSpan == newSpan) {
         obj->shape_ = shape;
         return true;
     }
     if (!updateSlotsForSpan(cx, obj, oldSpan, newSpan))
         return false;
     obj->shape_ = shape;
     return true;
 }
 /* static */ bool
 JSObject::setSlotSpan(ThreadSafeContext *cx, HandleObject obj, uint32_t span)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     JS_ASSERT(obj->inDictionaryMode());
     size_t oldSpan = obj->lastProperty()->base()->slotSpan();
     if (oldSpan == span)
         return true;
     if (!JSObject::updateSlotsForSpan(cx, obj, oldSpan, span))
         return false;
     obj->lastProperty()->base()->setSlotSpan(span);
     return true;
 }
 static HeapSlot *
 AllocateSlots(ThreadSafeContext *cx, JSObject *obj, uint32_t nslots)
 {
 #ifdef JSGC_GENERATIONAL
     if (cx->isJSContext())
         return cx->asJSContext()->runtime()->gcNursery.allocateSlots(cx->asJSContext(), obj, nslots);
 #endif
     return cx->pod_malloc<HeapSlot>(nslots);
 }
 static HeapSlot *
 ReallocateSlots(ThreadSafeContext *cx, JSObject *obj, HeapSlot *oldSlots,
                 uint32_t oldCount, uint32_t newCount)
 {
 #ifdef JSGC_GENERATIONAL
     if (cx->isJSContext()) {
         return cx->asJSContext()->runtime()->gcNursery.reallocateSlots(cx->asJSContext(),
                                                                        obj, oldSlots,
                                                                        oldCount, newCount);
     }
 #endif
     return (HeapSlot *)cx->realloc_(oldSlots, oldCount * sizeof(HeapSlot),
                                     newCount * sizeof(HeapSlot));
 }
 /* static */ bool
 JSObject::growSlots(ThreadSafeContext *cx, HandleObject obj, uint32_t oldCount, uint32_t newCount)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     JS_ASSERT(newCount > oldCount);
     JS_ASSERT_IF(!obj->is<ArrayObject>(), newCount >= SLOT_CAPACITY_MIN);
     /*
      * Slot capacities are determined by the span of allocated objects. Due to
      * the limited number of bits to store shape slots, object growth is
      * throttled well before the slot capacity can overflow.
      */
     JS_ASSERT(newCount < NELEMENTS_LIMIT);
     /*
      * If we are allocating slots for an object whose type is always created
      * by calling 'new' on a particular script, bump the GC kind for that
      * type to give these objects a larger number of fixed slots when future
      * objects are constructed.
      */
     if (!obj->hasLazyType() && !oldCount && obj->type()->hasNewScript()) {
         JSObject *oldTemplate = obj->type()->newScript()->templateObject;
         gc::AllocKind kind = gc::GetGCObjectFixedSlotsKind(oldTemplate->numFixedSlots());
         uint32_t newScriptSlots = gc::GetGCKindSlots(kind);
         if (newScriptSlots == obj->numFixedSlots() &&
             gc::TryIncrementAllocKind(&kind) &&
             cx->isJSContext())
         {
             JSContext *ncx = cx->asJSContext();
             AutoEnterAnalysis enter(ncx);
             Rooted<TypeObject*> typeObj(cx, obj->type());
             RootedShape shape(cx, oldTemplate->lastProperty());
             JSObject *reshapedObj = NewReshapedObject(ncx, typeObj, obj->getParent(), kind, shape,
                                                       MaybeSingletonObject);
             if (!reshapedObj)
                 return false;
             typeObj->newScript()->templateObject = reshapedObj;
             typeObj->markStateChange(ncx);
         }
     }
     if (!oldCount) {
         obj->slots = AllocateSlots(cx, obj, newCount);
         if (!obj->slots)
             return false;
         Debug_SetSlotRangeToCrashOnTouch(obj->slots, newCount);
         return true;
     }
     HeapSlot *newslots = ReallocateSlots(cx, obj, obj->slots, oldCount, newCount);
     if (!newslots)
         return false;  /* Leave slots at its old size. */
     obj->slots = newslots;
     Debug_SetSlotRangeToCrashOnTouch(obj->slots + oldCount, newCount - oldCount);
     return true;
 }
 static void
 FreeSlots(ThreadSafeContext *cx, HeapSlot *slots)
 {
     // Note: threads without a JSContext do not have access to nursery allocated things.
 #ifdef JSGC_GENERATIONAL
     if (cx->isJSContext())
         return cx->asJSContext()->runtime()->gcNursery.freeSlots(cx->asJSContext(), slots);
 #endif
     js_free(slots);
 }
 /* static */ void
 JSObject::shrinkSlots(ThreadSafeContext *cx, HandleObject obj, uint32_t oldCount, uint32_t newCount)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     JS_ASSERT(newCount < oldCount);
     if (newCount == 0) {
         FreeSlots(cx, obj->slots);
         obj->slots = nullptr;
         return;
     }
     JS_ASSERT_IF(!obj->is<ArrayObject>(), newCount >= SLOT_CAPACITY_MIN);
     HeapSlot *newslots = ReallocateSlots(cx, obj, obj->slots, oldCount, newCount);
     if (!newslots)
         return;  /* Leave slots at its old size. */
     obj->slots = newslots;
 }
 /* static */ bool
 JSObject::sparsifyDenseElement(ExclusiveContext *cx, HandleObject obj, uint32_t index)
 {
     RootedValue value(cx, obj->getDenseElement(index));
     JS_ASSERT(!value.isMagic(JS_ELEMENTS_HOLE));
     JSObject::removeDenseElementForSparseIndex(cx, obj, index);
     uint32_t slot = obj->slotSpan();
     if (!obj->addDataProperty(cx, INT_TO_JSID(index), slot, JSPROP_ENUMERATE)) {
         obj->setDenseElement(index, value);
         return false;
     }
     JS_ASSERT(slot == obj->slotSpan() - 1);
     obj->initSlot(slot, value);
     return true;
 }
 /* static */ bool
 JSObject::sparsifyDenseElements(js::ExclusiveContext *cx, HandleObject obj)
 {
     uint32_t initialized = obj->getDenseInitializedLength();
     /* Create new properties with the value of non-hole dense elements. */
     for (uint32_t i = 0; i < initialized; i++) {
         if (obj->getDenseElement(i).isMagic(JS_ELEMENTS_HOLE))
             continue;
         if (!sparsifyDenseElement(cx, obj, i))
             return false;
     }
     if (initialized)
         obj->setDenseInitializedLength(0);
     /*
      * Reduce storage for dense elements which are now holes. Explicitly mark
      * the elements capacity as zero, so that any attempts to add dense
      * elements will be caught in ensureDenseElements.
      */
     if (obj->getDenseCapacity()) {
         obj->shrinkElements(cx, 0);
         obj->getElementsHeader()->capacity = 0;
     }
     return true;
 }
 bool
 JSObject::willBeSparseElements(uint32_t requiredCapacity, uint32_t newElementsHint)
 {
     JS_ASSERT(isNative());
     JS_ASSERT(requiredCapacity > MIN_SPARSE_INDEX);
     uint32_t cap = getDenseCapacity();
     JS_ASSERT(requiredCapacity >= cap);
     if (requiredCapacity >= NELEMENTS_LIMIT)
         return true;
     uint32_t minimalDenseCount = requiredCapacity / SPARSE_DENSITY_RATIO;
     if (newElementsHint >= minimalDenseCount)
         return false;
     minimalDenseCount -= newElementsHint;
     if (minimalDenseCount > cap)
         return true;
     uint32_t len = getDenseInitializedLength();
     const Value *elems = getDenseElements();
     for (uint32_t i = 0; i < len; i++) {
         if (!elems[i].isMagic(JS_ELEMENTS_HOLE) && !--minimalDenseCount)
             return false;
     }
     return true;
 }
 /* static */ JSObject::EnsureDenseResult
 JSObject::maybeDensifySparseElements(js::ExclusiveContext *cx, HandleObject obj)
 {
     /*
      * Wait until after the object goes into dictionary mode, which must happen
      * when sparsely packing any array with more than MIN_SPARSE_INDEX elements
      * (see PropertyTree::MAX_HEIGHT).
      */
     if (!obj->inDictionaryMode())
         return ED_SPARSE;
     /*
      * Only measure the number of indexed properties every log(n) times when
      * populating the object.
      */
     uint32_t slotSpan = obj->slotSpan();
     if (slotSpan != RoundUpPow2(slotSpan))
         return ED_SPARSE;
     /* Watch for conditions under which an object's elements cannot be dense. */
     if (!obj->nonProxyIsExtensible() || obj->watched())
         return ED_SPARSE;
     /*
      * The indexes in the object need to be sufficiently dense before they can
      * be converted to dense mode.
      */
     uint32_t numDenseElements = 0;
     uint32_t newInitializedLength = 0;
     RootedShape shape(cx, obj->lastProperty());
     while (!shape->isEmptyShape()) {
         uint32_t index;
         if (js_IdIsIndex(shape->propid(), &index)) {
             if (shape->attributes() == JSPROP_ENUMERATE &&
                 shape->hasDefaultGetter() &&
                 shape->hasDefaultSetter())
             {
                 numDenseElements++;
                 newInitializedLength = Max(newInitializedLength, index + 1);
             } else {
                 /*
                  * For simplicity, only densify the object if all indexed
                  * properties can be converted to dense elements.
                  */
                 return ED_SPARSE;
             }
         }
         shape = shape->previous();
     }
     if (numDenseElements * SPARSE_DENSITY_RATIO < newInitializedLength)
         return ED_SPARSE;
     if (newInitializedLength >= NELEMENTS_LIMIT)
         return ED_SPARSE;
     /*
      * This object meets all necessary restrictions, convert all indexed
      * properties into dense elements.
      */
     if (newInitializedLength > obj->getDenseCapacity()) {
         if (!obj->growElements(cx, newInitializedLength))
             return ED_FAILED;
     }
     obj->ensureDenseInitializedLength(cx, newInitializedLength, 0);
     RootedValue value(cx);
     shape = obj->lastProperty();
     while (!shape->isEmptyShape()) {
         jsid id = shape->propid();
         uint32_t index;
         if (js_IdIsIndex(id, &index)) {
             value = obj->getSlot(shape->slot());
             /*
              * When removing a property from a dictionary, the specified
              * property will be removed from the dictionary list and the
              * last property will then be changed due to reshaping the object.
              * Compute the next shape in the traverse, watching for such
              * removals from the list.
              */
             if (shape != obj->lastProperty()) {
                 shape = shape->previous();
                 if (!obj->removeProperty(cx, id))
                     return ED_FAILED;
             } else {
                 if (!obj->removeProperty(cx, id))
                     return ED_FAILED;
                 shape = obj->lastProperty();
             }
             obj->setDenseElement(index, value);
         } else {
             shape = shape->previous();
         }
     }
     /*
      * All indexed properties on the object are now dense, clear the indexed
      * flag so that we will not start using sparse indexes again if we need
      * to grow the object.
      */
     if (!obj->clearFlag(cx, BaseShape::INDEXED))
         return ED_FAILED;
     return ED_OK;
 }
 static ObjectElements *
 AllocateElements(ThreadSafeContext *cx, JSObject *obj, uint32_t nelems)
 {
 #ifdef JSGC_GENERATIONAL
     if (cx->isJSContext())
         return cx->asJSContext()->runtime()->gcNursery.allocateElements(cx->asJSContext(), obj, nelems);
 #endif
     return static_cast<js::ObjectElements *>(cx->malloc_(nelems * sizeof(HeapValue)));
 }
 static ObjectElements *
 ReallocateElements(ThreadSafeContext *cx, JSObject *obj, ObjectElements *oldHeader,
                    uint32_t oldCount, uint32_t newCount)
 {
 #ifdef JSGC_GENERATIONAL
     if (cx->isJSContext()) {
         return cx->asJSContext()->runtime()->gcNursery.reallocateElements(cx->asJSContext(), obj,
                                                                           oldHeader, oldCount,
                                                                           newCount);
     }
 #endif
     return static_cast<js::ObjectElements *>(cx->realloc_(oldHeader, oldCount * sizeof(HeapSlot),
                                                           newCount * sizeof(HeapSlot)));
 }
 bool
 JSObject::growElements(ThreadSafeContext *cx, uint32_t newcap)
 {
     JS_ASSERT(nonProxyIsExtensible());
     JS_ASSERT(canHaveNonEmptyElements());
     /*
      * When an object with CAPACITY_DOUBLING_MAX or fewer elements needs to
      * grow, double its capacity, to add N elements in amortized O(N) time.
      *
      * Above this limit, grow by 12.5% each time. Speed is still amortized
      * O(N), with a higher constant factor, and we waste less space.
      */
     static const size_t CAPACITY_DOUBLING_MAX = 1024 * 1024;
     static const size_t CAPACITY_CHUNK = CAPACITY_DOUBLING_MAX / sizeof(Value);
     uint32_t oldcap = getDenseCapacity();
     JS_ASSERT(oldcap <= newcap);
     uint32_t nextsize = (oldcap <= CAPACITY_DOUBLING_MAX)
                       ? oldcap * 2
                       : oldcap + (oldcap >> 3);
     uint32_t actualCapacity;
     if (is<ArrayObject>() && !as<ArrayObject>().lengthIsWritable()) {
         JS_ASSERT(newcap <= as<ArrayObject>().length());
         // Preserve the |capacity <= length| invariant for arrays with
         // non-writable length.  See also js::ArraySetLength which initially
         // enforces this requirement.
         actualCapacity = newcap;
     } else {
         actualCapacity = Max(newcap, nextsize);
         if (actualCapacity >= CAPACITY_CHUNK)
             actualCapacity = JS_ROUNDUP(actualCapacity, CAPACITY_CHUNK);
         else if (actualCapacity < SLOT_CAPACITY_MIN)
             actualCapacity = SLOT_CAPACITY_MIN;
         /* Don't let nelements get close to wrapping around uint32_t. */
         if (actualCapacity >= NELEMENTS_LIMIT || actualCapacity < oldcap || actualCapacity < newcap)
             return false;
     }
     uint32_t initlen = getDenseInitializedLength();
     uint32_t oldAllocated = oldcap + ObjectElements::VALUES_PER_HEADER;
     uint32_t newAllocated = actualCapacity + ObjectElements::VALUES_PER_HEADER;
     ObjectElements *newheader;
     if (hasDynamicElements()) {
         newheader = ReallocateElements(cx, this, getElementsHeader(), oldAllocated, newAllocated);
         if (!newheader)
             return false; /* Leave elements as its old size. */
     } else {
         newheader = AllocateElements(cx, this, newAllocated);
         if (!newheader)
             return false; /* Leave elements as its old size. */
         js_memcpy(newheader, getElementsHeader(),
                   (ObjectElements::VALUES_PER_HEADER + initlen) * sizeof(Value));
     }
     newheader->capacity = actualCapacity;
     elements = newheader->elements();
     Debug_SetSlotRangeToCrashOnTouch(elements + initlen, actualCapacity - initlen);
     return true;
 }
 void
 JSObject::shrinkElements(ThreadSafeContext *cx, uint32_t newcap)
 {
     JS_ASSERT(cx->isThreadLocal(this));
     JS_ASSERT(canHaveNonEmptyElements());
     uint32_t oldcap = getDenseCapacity();
     JS_ASSERT(newcap <= oldcap);
     // Don't shrink elements below the minimum capacity.
     if (oldcap <= SLOT_CAPACITY_MIN || !hasDynamicElements())
         return;
     newcap = Max(newcap, SLOT_CAPACITY_MIN);
     uint32_t oldAllocated = oldcap + ObjectElements::VALUES_PER_HEADER;
     uint32_t newAllocated = newcap + ObjectElements::VALUES_PER_HEADER;
     ObjectElements *newheader = ReallocateElements(cx, this, getElementsHeader(),
                                                    oldAllocated, newAllocated);
     if (!newheader) {
         cx->recoverFromOutOfMemory();
         return;  // Leave elements at its old size.
     }
     newheader->capacity = newcap;
     elements = newheader->elements();
 }
 bool
 js::SetClassAndProto(JSContext *cx, HandleObject obj,
                      const Class *clasp, Handle<js::TaggedProto> proto,
                      bool *succeeded)
 {
     /*
      * Regenerate shapes for all of the scopes along the old prototype chain,
      * in case any entries were filled by looking up through obj. Stop when a
      * non-native object is found, prototype lookups will not be cached across
      * these.
      *
      * How this shape change is done is very delicate; the change can be made
      * either by marking the object's prototype as uncacheable (such that the
      * property cache and JIT'ed ICs cannot assume the shape determines the
      * prototype) or by just generating a new shape for the object. Choosing
      * the former is bad if the object is on the prototype chain of other
      * objects, as the uncacheable prototype can inhibit iterator caches on
      * those objects and slow down prototype accesses. Choosing the latter is
      * bad if there are many similar objects to this one which will have their
      * prototype mutated, as the generateOwnShape forces the object into
      * dictionary mode and similar property lineages will be repeatedly cloned.
      *
      * :XXX: bug 707717 make this code less brittle.
      */
     *succeeded = false;
     RootedObject oldproto(cx, obj);
     while (oldproto && oldproto->isNative()) {
         if (oldproto->hasSingletonType()) {
             if (!oldproto->generateOwnShape(cx))
                 return false;
         } else {
             if (!oldproto->setUncacheableProto(cx))
                 return false;
         }
         oldproto = oldproto->getProto();
     }
     if (obj->hasSingletonType()) {
         /*
          * Just splice the prototype, but mark the properties as unknown for
          * consistent behavior.
          */
         if (!obj->splicePrototype(cx, clasp, proto))
             return false;
         MarkTypeObjectUnknownProperties(cx, obj->type());
         *succeeded = true;
         return true;
     }
     if (proto.isObject()) {
         RootedObject protoObj(cx, proto.toObject());
         if (!JSObject::setNewTypeUnknown(cx, clasp, protoObj))
             return false;
     }
     TypeObject *type = cx->getNewType(clasp, proto);
     if (!type)
         return false;
     /*
      * Setting __proto__ on an object that has escaped and may be referenced by
      * other heap objects can only be done if the properties of both objects
      * are unknown. Type sets containing this object will contain the original
      * type but not the new type of the object, so we need to go and scan the
      * entire compartment for type sets which have these objects and mark them
      * as containing generic objects.
      */
     MarkTypeObjectUnknownProperties(cx, obj->type(), true);
     MarkTypeObjectUnknownProperties(cx, type, true);
     obj->setType(type);
     *succeeded = true;
     return true;
 }
 static bool
 MaybeResolveConstructor(ExclusiveContext *cxArg, Handle<GlobalObject*> global, JSProtoKey key)
 {
     if (global->isStandardClassResolved(key))
         return true;
     if (!cxArg->shouldBeJSContext())
         return false;
     JSContext *cx = cxArg->asJSContext();
     return GlobalObject::resolveConstructor(cx, global, key);
 }
 bool
 js::GetBuiltinConstructor(ExclusiveContext *cx, JSProtoKey key, MutableHandleObject objp)
 {
     MOZ_ASSERT(key != JSProto_Null);
     Rooted<GlobalObject*> global(cx, cx->global());
     if (!MaybeResolveConstructor(cx, global, key))
         return false;
     objp.set(&global->getConstructor(key).toObject());
     return true;
 }
 bool
 js::GetBuiltinPrototype(ExclusiveContext *cx, JSProtoKey key, MutableHandleObject protop)
 {
     MOZ_ASSERT(key != JSProto_Null);
     Rooted<GlobalObject*> global(cx, cx->global());
     if (!MaybeResolveConstructor(cx, global, key))
         return false;
     protop.set(&global->getPrototype(key).toObject());
     return true;
 }
 static bool
 IsStandardPrototype(JSObject *obj, JSProtoKey key)
 {
     GlobalObject &global = obj->global();
     Value v = global.getPrototype(key);
     return v.isObject() && obj == &v.toObject();
 }
 JSProtoKey
 JS::IdentifyStandardInstance(JSObject *obj)
 {
     // Note: The prototype shares its JSClass with instances.
     JS_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
     JSProtoKey key = JSCLASS_CACHED_PROTO_KEY(obj->getClass());
     if (key != JSProto_Null && !IsStandardPrototype(obj, key))
         return key;
     return JSProto_Null;
 }
 JSProtoKey
 JS::IdentifyStandardPrototype(JSObject *obj)
 {
     // Note: The prototype shares its JSClass with instances.
     JS_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
     JSProtoKey key = JSCLASS_CACHED_PROTO_KEY(obj->getClass());
     if (key != JSProto_Null && IsStandardPrototype(obj, key))
         return key;
     return JSProto_Null;
 }
 JSProtoKey
 JS::IdentifyStandardInstanceOrPrototype(JSObject *obj)
 {
     return JSCLASS_CACHED_PROTO_KEY(obj->getClass());
 }
 bool
 js::FindClassObject(ExclusiveContext *cx, MutableHandleObject protop, const Class *clasp)
 {
     JSProtoKey protoKey = GetClassProtoKey(clasp);
     if (protoKey != JSProto_Null) {
         JS_ASSERT(JSProto_Null < protoKey);
         JS_ASSERT(protoKey < JSProto_LIMIT);
         return GetBuiltinConstructor(cx, protoKey, protop);
     }
     JSAtom *atom = Atomize(cx, clasp->name, strlen(clasp->name));
     if (!atom)
         return false;
     RootedId id(cx, AtomToId(atom));
     RootedObject pobj(cx);
     RootedShape shape(cx);
     if (!LookupNativeProperty(cx, cx->global(), id, &pobj, &shape))
         return false;
     RootedValue v(cx);
     if (shape && pobj->isNative()) {
         if (shape->hasSlot())
             v = pobj->nativeGetSlot(shape->slot());
     }
     if (v.isObject())
         protop.set(&v.toObject());
     return true;
 }
 /* static */ bool
 JSObject::allocSlot(ThreadSafeContext *cx, HandleObject obj, uint32_t *slotp)
 {
     JS_ASSERT(cx->isThreadLocal(obj));
     uint32_t slot = obj->slotSpan();
     JS_ASSERT(slot >= JSSLOT_FREE(obj->getClass()));
     /*
      * If this object is in dictionary mode, try to pull a free slot from the
      * shape table's slot-number freelist.
      */
     if (obj->inDictionaryMode()) {
         ShapeTable &table = obj->lastProperty()->table();
         uint32_t last = table.freelist;
         if (last != SHAPE_INVALID_SLOT) {
 #ifdef DEBUG
             JS_ASSERT(last < slot);
             uint32_t next = obj->getSlot(last).toPrivateUint32();
             JS_ASSERT_IF(next != SHAPE_INVALID_SLOT, next < slot);
 #endif
             *slotp = last;
             const Value &vref = obj->getSlot(last);
             table.freelist = vref.toPrivateUint32();
             obj->setSlot(last, UndefinedValue());
             return true;
         }
     }
     if (slot >= SHAPE_MAXIMUM_SLOT) {
         js_ReportOutOfMemory(cx);
         return false;
     }
     *slotp = slot;
     if (obj->inDictionaryMode() && !setSlotSpan(cx, obj, slot + 1))
         return false;
     return true;
 }
 void
 JSObject::freeSlot(uint32_t slot)
 {
     JS_ASSERT(slot < slotSpan());
     if (inDictionaryMode()) {
         uint32_t &last = lastProperty()->table().freelist;
         /* Can't afford to check the whole freelist, but let's check the head. */
         JS_ASSERT_IF(last != SHAPE_INVALID_SLOT, last < slotSpan() && last != slot);
         /*
          * Place all freed slots other than reserved slots (bug 595230) on the
          * dictionary's free list.
          */
         if (JSSLOT_FREE(getClass()) <= slot) {
             JS_ASSERT_IF(last != SHAPE_INVALID_SLOT, last < slotSpan());
             setSlot(slot, PrivateUint32Value(last));
             last = slot;
             return;
         }
     }
     setSlot(slot, UndefinedValue());
 }
 static bool
 PurgeProtoChain(ExclusiveContext *cx, JSObject *objArg, HandleId id)
 {
     /* Root locally so we can re-assign. */
     RootedObject obj(cx, objArg);
     RootedShape shape(cx);
     while (obj) {
         /* Lookups will not be cached through non-native protos. */
         if (!obj->isNative())
             break;
         shape = obj->nativeLookup(cx, id);
         if (shape) {
             if (!obj->shadowingShapeChange(cx, *shape))
                 return false;
             obj->shadowingShapeChange(cx, *shape);
             return true;
         }
         obj = obj->getProto();
     }
     return true;
 }
 static bool
 PurgeScopeChainHelper(ExclusiveContext *cx, HandleObject objArg, HandleId id)
 {
     /* Re-root locally so we can re-assign. */
     RootedObject obj(cx, objArg);
     JS_ASSERT(obj->isNative());
     JS_ASSERT(obj->isDelegate());
     /* Lookups on integer ids cannot be cached through prototypes. */
     if (JSID_IS_INT(id))
         return true;
     PurgeProtoChain(cx, obj->getProto(), id);
     /*
      * We must purge the scope chain only for Call objects as they are the only
      * kind of cacheable non-global object that can gain properties after outer
      * properties with the same names have been cached or traced. Call objects
      * may gain such properties via eval introducing new vars; see bug 490364.
      */
     if (obj->is<CallObject>()) {
         while ((obj = obj->enclosingScope()) != nullptr) {
             if (!PurgeProtoChain(cx, obj, id))
                 return false;
         }
     }
     return true;
 }
 /*
  * PurgeScopeChain does nothing if obj is not itself a prototype or parent
  * scope, else it reshapes the scope and prototype chains it links. It calls
  * PurgeScopeChainHelper, which asserts that obj is flagged as a delegate
  * (i.e., obj has ever been on a prototype or parent chain).
  */
 static inline bool
 PurgeScopeChain(ExclusiveContext *cx, JS::HandleObject obj, JS::HandleId id)
 {
     if (obj->isDelegate())
         return PurgeScopeChainHelper(cx, obj, id);
     return true;
 }
 bool
 baseops::DefineGeneric(ExclusiveContext *cx, HandleObject obj, HandleId id, HandleValue value,
                        PropertyOp getter, StrictPropertyOp setter, unsigned attrs)
 {
     return DefineNativeProperty(cx, obj, id, value, getter, setter, attrs);
 }
 /* static */ bool
 JSObject::defineGeneric(ExclusiveContext *cx, HandleObject obj,
                         HandleId id, HandleValue value,
                         JSPropertyOp getter, JSStrictPropertyOp setter, unsigned attrs)
 {
     JS_ASSERT(!(attrs & JSPROP_NATIVE_ACCESSORS));
     js::DefineGenericOp op = obj->getOps()->defineGeneric;
     if (op) {
         if (!cx->shouldBeJSContext())
             return false;
         return op(cx->asJSContext(), obj, id, value, getter, setter, attrs);
     }
     return baseops::DefineGeneric(cx, obj, id, value, getter, setter, attrs);
 }
 /* static */ bool
 JSObject::defineProperty(ExclusiveContext *cx, HandleObject obj,
                          PropertyName *name, HandleValue value,
                          JSPropertyOp getter, JSStrictPropertyOp setter, unsigned attrs)
 {
     RootedId id(cx, NameToId(name));
     return defineGeneric(cx, obj, id, value, getter, setter, attrs);
 }
 bool
 baseops::DefineElement(ExclusiveContext *cx, HandleObject obj, uint32_t index, HandleValue value,
                        PropertyOp getter, StrictPropertyOp setter, unsigned attrs)
 {
     RootedId id(cx);
     if (index <= JSID_INT_MAX) {
         id = INT_TO_JSID(index);
         return DefineNativeProperty(cx, obj, id, value, getter, setter, attrs);
     }
     AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
     if (!IndexToId(cx, index, &id))
         return false;
     return DefineNativeProperty(cx, obj, id, value, getter, setter, attrs);
 }
 /* static */ bool
 JSObject::defineElement(ExclusiveContext *cx, HandleObject obj,
                         uint32_t index, HandleValue value,
                         JSPropertyOp getter, JSStrictPropertyOp setter, unsigned attrs)
 {
     js::DefineElementOp op = obj->getOps()->defineElement;
     if (op) {
         if (!cx->shouldBeJSContext())
             return false;
         return op(cx->asJSContext(), obj, index, value, getter, setter, attrs);
     }
     return baseops::DefineElement(cx, obj, index, value, getter, setter, attrs);
 }
 Shape *
 JSObject::addDataProperty(ExclusiveContext *cx, jsid idArg, uint32_t slot, unsigned attrs)
 {
     JS_ASSERT(!(attrs & (JSPROP_GETTER | JSPROP_SETTER)));
     RootedObject self(cx, this);
     RootedId id(cx, idArg);
     return addProperty(cx, self, id, nullptr, nullptr, slot, attrs, 0);
 }
 Shape *
 JSObject::addDataProperty(ExclusiveContext *cx, HandlePropertyName name,
                           uint32_t slot, unsigned attrs)
 {
     JS_ASSERT(!(attrs & (JSPROP_GETTER | JSPROP_SETTER)));
     RootedObject self(cx, this);
     RootedId id(cx, NameToId(name));
     return addProperty(cx, self, id, nullptr, nullptr, slot, attrs, 0);
 }
 /*
  * Backward compatibility requires allowing addProperty hooks to mutate the
  * nominal initial value of a slotful property, while GC safety wants that
  * value to be stored before the call-out through the hook.  Optimize to do
  * both while saving cycles for classes that stub their addProperty hook.
  */
 template <ExecutionMode mode>
 static inline bool
 CallAddPropertyHook(typename ExecutionModeTraits<mode>::ExclusiveContextType cxArg,
                     const Class *clasp, HandleObject obj, HandleShape shape,
                     HandleValue nominal)
 {
     if (clasp->addProperty != JS_PropertyStub) {
         if (mode == ParallelExecution)
             return false;
         ExclusiveContext *cx = cxArg->asExclusiveContext();
         if (!cx->shouldBeJSContext())
             return false;
         /* Make a local copy of value so addProperty can mutate its inout parameter. */
         RootedValue value(cx, nominal);
         Rooted<jsid> id(cx, shape->propid());
         if (!CallJSPropertyOp(cx->asJSContext(), clasp->addProperty, obj, id, &value)) {
             obj->removeProperty(cx, shape->propid());
             return false;
         }
         if (value.get() != nominal) {
             if (shape->hasSlot())
                 obj->nativeSetSlotWithType(cx, shape, value);
         }
     }
     return true;
 }
 template <ExecutionMode mode>
 static inline bool
 CallAddPropertyHookDense(typename ExecutionModeTraits<mode>::ExclusiveContextType cxArg,
                          const Class *clasp, HandleObject obj, uint32_t index,
                          HandleValue nominal)
 {
     /* Inline addProperty for array objects. */
     if (obj->is<ArrayObject>()) {
         ArrayObject *arr = &obj->as<ArrayObject>();
         uint32_t length = arr->length();
         if (index >= length) {
             if (mode == ParallelExecution) {
                 /* We cannot deal with overflows in parallel. */
                 if (length > INT32_MAX)
                     return false;
                 arr->setLengthInt32(index + 1);
             } else {
                 arr->setLength(cxArg->asExclusiveContext(), index + 1);
             }
         }
         return true;
     }
     if (clasp->addProperty != JS_PropertyStub) {
         if (mode == ParallelExecution)
             return false;
         ExclusiveContext *cx = cxArg->asExclusiveContext();
         if (!cx->shouldBeJSContext())
             return false;
         /* Make a local copy of value so addProperty can mutate its inout parameter. */
         RootedValue value(cx, nominal);
         Rooted<jsid> id(cx, INT_TO_JSID(index));
         if (!CallJSPropertyOp(cx->asJSContext(), clasp->addProperty, obj, id, &value)) {
             obj->setDenseElementHole(cx, index);
             return false;
         }
         if (value.get() != nominal)
             obj->setDenseElementWithType(cx, index, value);
     }
     return true;
 }
 template <ExecutionMode mode>
 static bool
 UpdateShapeTypeAndValue(typename ExecutionModeTraits<mode>::ExclusiveContextType cx,
                         JSObject *obj, Shape *shape, const Value &value)
 {
     jsid id = shape->propid();
     if (shape->hasSlot()) {
         if (mode == ParallelExecution) {
             if (!obj->nativeSetSlotIfHasType(shape, value))
                 return false;
         } else {
             obj->nativeSetSlotWithType(cx->asExclusiveContext(), shape, value);
         }
     }
     if (!shape->hasSlot() || !shape->hasDefaultGetter() || !shape->hasDefaultSetter()) {
         if (mode == ParallelExecution) {
             if (!IsTypePropertyIdMarkedNonData(obj, id))
                 return false;
         } else {
             MarkTypePropertyNonData(cx->asExclusiveContext(), obj, id);
         }
     }
     if (!shape->writable()) {
         if (mode == ParallelExecution) {
             if (!IsTypePropertyIdMarkedNonWritable(obj, id))
                 return false;
         } else {
             MarkTypePropertyNonWritable(cx->asExclusiveContext(), obj, id);
         }
     }
     return true;
 }
 template <ExecutionMode mode>
 static inline bool
 DefinePropertyOrElement(typename ExecutionModeTraits<mode>::ExclusiveContextType cx,
                         HandleObject obj, HandleId id,
                         PropertyOp getter, StrictPropertyOp setter,
                         unsigned attrs, HandleValue value,
                         bool callSetterAfterwards, bool setterIsStrict)
 {
     /* Use dense storage for new indexed properties where possible. */
     if (JSID_IS_INT(id) &&
         getter == JS_PropertyStub &&
         setter == JS_StrictPropertyStub &&
         attrs == JSPROP_ENUMERATE &&
         (!obj->isIndexed() || !obj->nativeContainsPure(id)) &&
         !obj->is<TypedArrayObject>())
     {
         uint32_t index = JSID_TO_INT(id);
         bool definesPast;
         if (!WouldDefinePastNonwritableLength(cx, obj, index, setterIsStrict, &definesPast))
             return false;
         if (definesPast)
             return true;
         JSObject::EnsureDenseResult result;
         if (mode == ParallelExecution) {
             if (obj->writeToIndexWouldMarkNotPacked(index))
                 return false;
             result = obj->ensureDenseElementsPreservePackedFlag(cx, index, 1);
         } else {
             result = obj->ensureDenseElements(cx->asExclusiveContext(), index, 1);
         }
         if (result == JSObject::ED_FAILED)
             return false;
         if (result == JSObject::ED_OK) {
             if (mode == ParallelExecution) {
                 if (!obj->setDenseElementIfHasType(index, value))
                     return false;
             } else {
                 obj->setDenseElementWithType(cx->asExclusiveContext(), index, value);
             }
             return CallAddPropertyHookDense<mode>(cx, obj->getClass(), obj, index, value);
         }
     }
     if (obj->is<ArrayObject>()) {
         Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
         if (id == NameToId(cx->names().length)) {
             if (mode == SequentialExecution && !cx->shouldBeJSContext())
                 return false;
             return ArraySetLength<mode>(ExecutionModeTraits<mode>::toContextType(cx), arr, id,
                                         attrs, value, setterIsStrict);
         }
         uint32_t index;
         if (js_IdIsIndex(id, &index)) {
             bool definesPast;
             if (!WouldDefinePastNonwritableLength(cx, arr, index, setterIsStrict, &definesPast))
                 return false;
             if (definesPast)
                 return true;
         }
     }
     // Don't define new indexed properties on typed arrays.
     if (obj->is<TypedArrayObject>()) {
         uint64_t index;
         if (IsTypedArrayIndex(id, &index))
             return true;
     }
     AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
     RootedShape shape(cx, JSObject::putProperty<mode>(cx, obj, id, getter, setter,
                                                       SHAPE_INVALID_SLOT, attrs, 0));
     if (!shape)
         return false;
     if (!UpdateShapeTypeAndValue<mode>(cx, obj, shape, value))
         return false;
     /*
      * Clear any existing dense index after adding a sparse indexed property,
      * and investigate converting the object to dense indexes.
      */
     if (JSID_IS_INT(id)) {
         if (mode == ParallelExecution)
             return false;
         ExclusiveContext *ncx = cx->asExclusiveContext();
         uint32_t index = JSID_TO_INT(id);
         JSObject::removeDenseElementForSparseIndex(ncx, obj, index);
         JSObject::EnsureDenseResult result = JSObject::maybeDensifySparseElements(ncx, obj);
         if (result == JSObject::ED_FAILED)
             return false;
         if (result == JSObject::ED_OK) {
             JS_ASSERT(setter == JS_StrictPropertyStub);
             return CallAddPropertyHookDense<mode>(cx, obj->getClass(), obj, index, value);
         }
     }
     if (!CallAddPropertyHook<mode>(cx, obj->getClass(), obj, shape, value))
         return false;
     if (callSetterAfterwards && setter != JS_StrictPropertyStub) {
         if (!cx->shouldBeJSContext())
             return false;
         RootedValue nvalue(cx, value);
         return NativeSet<mode>(ExecutionModeTraits<mode>::toContextType(cx),
                                obj, obj, shape, setterIsStrict, &nvalue);
     }
     return true;
 }
 static bool
 NativeLookupOwnProperty(ExclusiveContext *cx, HandleObject obj, HandleId id,
                         MutableHandle<Shape*> shapep);
 bool
 js::DefineNativeProperty(ExclusiveContext *cx, HandleObject obj, HandleId id, HandleValue value,
                          PropertyOp getter, StrictPropertyOp setter, unsigned attrs)
 {
     JS_ASSERT(!(attrs & JSPROP_NATIVE_ACCESSORS));
     AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
     /*
      * If defining a getter or setter, we must check for its counterpart and
      * update the attributes and property ops.  A getter or setter is really
      * only half of a property.
      */
     RootedShape shape(cx);
     if (attrs & (JSPROP_GETTER | JSPROP_SETTER)) {
         /*
          * If we are defining a getter whose setter was already defined, or
          * vice versa, finish the job via obj->changeProperty.
          */
         if (!NativeLookupOwnProperty(cx, obj, id, &shape))
             return false;
         if (shape) {
             if (IsImplicitDenseOrTypedArrayElement(shape)) {
                 if (obj->is<TypedArrayObject>()) {
                     /* Ignore getter/setter properties added to typed arrays. */
                     return true;
                 }
                 if (!JSObject::sparsifyDenseElement(cx, obj, JSID_TO_INT(id)))
                     return false;
                 shape = obj->nativeLookup(cx, id);
             }
             if (shape->isAccessorDescriptor()) {
                 shape = JSObject::changeProperty<SequentialExecution>(cx, obj, shape, attrs,
                                                                       JSPROP_GETTER | JSPROP_SETTER,
                                                                       (attrs & JSPROP_GETTER)
                                                                       ? getter
                                                                       : shape->getter(),
                                                                       (attrs & JSPROP_SETTER)
                                                                       ? setter
                                                                       : shape->setter());
                 if (!shape)
                     return false;
             } else {
                 shape = nullptr;
             }
         }
     }
     /*
      * Purge the property cache of any properties named by id that are about
      * to be shadowed in obj's scope chain.
      */
     if (!PurgeScopeChain(cx, obj, id))
         return false;
     /* Use the object's class getter and setter by default. */
     const Class *clasp = obj->getClass();
     if (!getter && !(attrs & JSPROP_GETTER))
         getter = clasp->getProperty;
     if (!setter && !(attrs & JSPROP_SETTER))
         setter = clasp->setProperty;
     if (!shape) {
         return DefinePropertyOrElement<SequentialExecution>(cx, obj, id, getter, setter,
                                                             attrs, value, false, false);
     }
     JS_ALWAYS_TRUE(UpdateShapeTypeAndValue<SequentialExecution>(cx, obj, shape, value));
     return CallAddPropertyHook<SequentialExecution>(cx, clasp, obj, shape, value);
 }
 /*
  * Call obj's resolve hook.
  *
  * cx, id, and flags are the parameters initially passed to the ongoing lookup;
  * objp and propp are its out parameters. obj is an object along the prototype
  * chain from where the lookup started.
  *
  * There are four possible outcomes:
  *
  *   - On failure, report an error or exception and return false.
  *
  *   - If we are already resolving a property of *curobjp, set *recursedp = true,
  *     and return true.
  *
  *   - If the resolve hook finds or defines the sought property, set *objp and
  *     *propp appropriately, set *recursedp = false, and return true.
  *
  *   - Otherwise no property was resolved. Set *propp = nullptr and
  *     *recursedp = false and return true.
  */
 static MOZ_ALWAYS_INLINE bool
 CallResolveOp(JSContext *cx, HandleObject obj, HandleId id, MutableHandleObject objp,
               MutableHandleShape propp, bool *recursedp)
 {
     const Class *clasp = obj->getClass();
     JSResolveOp resolve = clasp->resolve;
     /*
      * Avoid recursion on (obj, id) already being resolved on cx.
      *
      * Once we have successfully added an entry for (obj, key) to
      * cx->resolvingTable, control must go through cleanup: before
      * returning.  But note that JS_DHASH_ADD may find an existing
      * entry, in which case we bail to suppress runaway recursion.
      */
     AutoResolving resolving(cx, obj, id);
     if (resolving.alreadyStarted()) {
         /* Already resolving id in obj -- suppress recursion. */
         *recursedp = true;
         return true;
     }
     *recursedp = false;
     propp.set(nullptr);
     if (clasp->flags & JSCLASS_NEW_RESOLVE) {
         JSNewResolveOp newresolve = reinterpret_cast<JSNewResolveOp>(resolve);
         RootedObject obj2(cx, nullptr);
         if (!newresolve(cx, obj, id, &obj2))
             return false;
         /*
          * We trust the new style resolve hook to set obj2 to nullptr when
          * the id cannot be resolved. But, when obj2 is not null, we do
          * not assume that id must exist and do full nativeLookup for
          * compatibility.
          */
         if (!obj2)
             return true;
         if (!obj2->isNative()) {
             /* Whoops, newresolve handed back a foreign obj2. */
             JS_ASSERT(obj2 != obj);
             return JSObject::lookupGeneric(cx, obj2, id, objp, propp);
         }
         objp.set(obj2);
     } else {
         if (!resolve(cx, obj, id))
             return false;
         objp.set(obj);
     }
     if (JSID_IS_INT(id) && objp->containsDenseElement(JSID_TO_INT(id))) {
         MarkDenseOrTypedArrayElementFound<CanGC>(propp);
         return true;
     }
     Shape *shape;
     if (!objp->nativeEmpty() && (shape = objp->nativeLookup(cx, id)))
         propp.set(shape);
     else
         objp.set(nullptr);
     return true;
 }
 template <AllowGC allowGC>
 static MOZ_ALWAYS_INLINE bool
 LookupOwnPropertyInline(ExclusiveContext *cx,
                         typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                         typename MaybeRooted<jsid, allowGC>::HandleType id,
                         typename MaybeRooted<JSObject*, allowGC>::MutableHandleType objp,
                         typename MaybeRooted<Shape*, allowGC>::MutableHandleType propp,
                         bool *donep)
 {
     // Check for a native dense element.
     if (JSID_IS_INT(id) && obj->containsDenseElement(JSID_TO_INT(id))) {
         objp.set(obj);
         MarkDenseOrTypedArrayElementFound<allowGC>(propp);
         *donep = true;
         return true;
     }
     // Check for a typed array element. Integer lookups always finish here
     // so that integer properties on the prototype are ignored even for out
     // of bounds accesses.
     if (obj->template is<TypedArrayObject>()) {
         uint64_t index;
         if (IsTypedArrayIndex(id, &index)) {
             if (index < obj->template as<TypedArrayObject>().length()) {
                 objp.set(obj);
                 MarkDenseOrTypedArrayElementFound<allowGC>(propp);
             } else {
                 objp.set(nullptr);
                 propp.set(nullptr);
             }
             *donep = true;
             return true;
         }
     }
     // Check for a native property.
     if (Shape *shape = obj->nativeLookup(cx, id)) {
         objp.set(obj);
         propp.set(shape);
         *donep = true;
         return true;
     }
     // id was not found in obj. Try obj's resolve hook, if any.
     if (obj->getClass()->resolve != JS_ResolveStub) {
         if (!cx->shouldBeJSContext() || !allowGC)
             return false;
         bool recursed;
         if (!CallResolveOp(cx->asJSContext(),
                            MaybeRooted<JSObject*, allowGC>::toHandle(obj),
                            MaybeRooted<jsid, allowGC>::toHandle(id),
                            MaybeRooted<JSObject*, allowGC>::toMutableHandle(objp),
                            MaybeRooted<Shape*, allowGC>::toMutableHandle(propp),
                            &recursed))
         {
             return false;
         }
         if (recursed) {
             objp.set(nullptr);
             propp.set(nullptr);
             *donep = true;
             return true;
         }
         if (propp) {
             *donep = true;
             return true;
         }
     }
     *donep = false;
     return true;
 }
 static bool
 NativeLookupOwnProperty(ExclusiveContext *cx, HandleObject obj, HandleId id,
                         MutableHandle<Shape*> shapep)
 {
     RootedObject pobj(cx);
     bool done;
     if (!LookupOwnPropertyInline<CanGC>(cx, obj, id, &pobj, shapep, &done))
         return false;
     if (!done || pobj != obj)
         shapep.set(nullptr);
     return true;
 }
 template <AllowGC allowGC>
 static MOZ_ALWAYS_INLINE bool
 LookupPropertyInline(ExclusiveContext *cx,
                      typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                      typename MaybeRooted<jsid, allowGC>::HandleType id,
                      typename MaybeRooted<JSObject*, allowGC>::MutableHandleType objp,
                      typename MaybeRooted<Shape*, allowGC>::MutableHandleType propp)
 {
     /* NB: The logic of this procedure is implicitly reflected in IonBuilder.cpp's
      *     |CanEffectlesslyCallLookupGenericOnObject| logic.
      *     If this changes, please remember to update the logic there as well.
      */
     /* Search scopes starting with obj and following the prototype link. */
     typename MaybeRooted<JSObject*, allowGC>::RootType current(cx, obj);
     while (true) {
         bool done;
         if (!LookupOwnPropertyInline<allowGC>(cx, current, id, objp, propp, &done))
             return false;
         if (done)
             return true;
         typename MaybeRooted<JSObject*, allowGC>::RootType proto(cx, current->getProto());
         if (!proto)
             break;
         if (!proto->isNative()) {
             if (!cx->shouldBeJSContext() || !allowGC)
                 return false;
             return JSObject::lookupGeneric(cx->asJSContext(),
                                            MaybeRooted<JSObject*, allowGC>::toHandle(proto),
                                            MaybeRooted<jsid, allowGC>::toHandle(id),
                                            MaybeRooted<JSObject*, allowGC>::toMutableHandle(objp),
                                            MaybeRooted<Shape*, allowGC>::toMutableHandle(propp));
         }
         current = proto;
     }
     objp.set(nullptr);
     propp.set(nullptr);
     return true;
 }
 template <AllowGC allowGC>
 bool
 baseops::LookupProperty(ExclusiveContext *cx,
                         typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                         typename MaybeRooted<jsid, allowGC>::HandleType id,
                         typename MaybeRooted<JSObject*, allowGC>::MutableHandleType objp,
                         typename MaybeRooted<Shape*, allowGC>::MutableHandleType propp)
 {
     return LookupPropertyInline<allowGC>(cx, obj, id, objp, propp);
 }
 template bool
 baseops::LookupProperty<CanGC>(ExclusiveContext *cx, HandleObject obj, HandleId id,
                                MutableHandleObject objp, MutableHandleShape propp);
 template bool
 baseops::LookupProperty<NoGC>(ExclusiveContext *cx, JSObject *obj, jsid id,
                               FakeMutableHandle<JSObject*> objp,
                               FakeMutableHandle<Shape*> propp);
 /* static */ bool
 JSObject::lookupGeneric(JSContext *cx, HandleObject obj, js::HandleId id,
                         MutableHandleObject objp, MutableHandleShape propp)
 {
     /*
      * NB: The logic of lookupGeneric is implicitly reflected in IonBuilder.cpp's
      *     |CanEffectlesslyCallLookupGenericOnObject| logic.
      *     If this changes, please remember to update the logic there as well.
      */
     LookupGenericOp op = obj->getOps()->lookupGeneric;
     if (op)
         return op(cx, obj, id, objp, propp);
     return baseops::LookupProperty<js::CanGC>(cx, obj, id, objp, propp);
 }
 bool
 baseops::LookupElement(JSContext *cx, HandleObject obj, uint32_t index,
                        MutableHandleObject objp, MutableHandleShape propp)
 {
     RootedId id(cx);
     if (!IndexToId(cx, index, &id))
         return false;
     return LookupPropertyInline<CanGC>(cx, obj, id, objp, propp);
 }
 bool
 js::LookupNativeProperty(ExclusiveContext *cx, HandleObject obj, HandleId id,
                          MutableHandleObject objp, MutableHandleShape propp)
 {
     return LookupPropertyInline<CanGC>(cx, obj, id, objp, propp);
 }
 bool
 js::LookupName(JSContext *cx, HandlePropertyName name, HandleObject scopeChain,
                MutableHandleObject objp, MutableHandleObject pobjp, MutableHandleShape propp)
 {
     RootedId id(cx, NameToId(name));
     for (RootedObject scope(cx, scopeChain); scope; scope = scope->enclosingScope()) {
         if (!JSObject::lookupGeneric(cx, scope, id, pobjp, propp))
             return false;
         if (propp) {
             objp.set(scope);
             return true;
         }
     }
     objp.set(nullptr);
     pobjp.set(nullptr);
     propp.set(nullptr);
     return true;
 }
 bool
 js::LookupNameNoGC(JSContext *cx, PropertyName *name, JSObject *scopeChain,
                    JSObject **objp, JSObject **pobjp, Shape **propp)
 {
     AutoAssertNoException nogc(cx);
     JS_ASSERT(!*objp && !*pobjp && !*propp);
     for (JSObject *scope = scopeChain; scope; scope = scope->enclosingScope()) {
         if (scope->getOps()->lookupGeneric)
             return false;
         if (!LookupPropertyInline<NoGC>(cx, scope, NameToId(name), pobjp, propp))
             return false;
         if (*propp) {
             *objp = scope;
             return true;
         }
     }
     return true;
 }
 bool
 js::LookupNameWithGlobalDefault(JSContext *cx, HandlePropertyName name, HandleObject scopeChain,
                                 MutableHandleObject objp)
 {
     RootedId id(cx, NameToId(name));
     RootedObject pobj(cx);
     RootedShape prop(cx);
     RootedObject scope(cx, scopeChain);
     for (; !scope->is<GlobalObject>(); scope = scope->enclosingScope()) {
         if (!JSObject::lookupGeneric(cx, scope, id, &pobj, &prop))
             return false;
         if (prop)
             break;
     }
     objp.set(scope);
     return true;
 }
 template <AllowGC allowGC>
 bool
 js::HasOwnProperty(JSContext *cx, LookupGenericOp lookup,
                    typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                    typename MaybeRooted<jsid, allowGC>::HandleType id,
                    typename MaybeRooted<JSObject*, allowGC>::MutableHandleType objp,
                    typename MaybeRooted<Shape*, allowGC>::MutableHandleType propp)
 {
     if (lookup) {
         if (!allowGC)
             return false;
         if (!lookup(cx,
                     MaybeRooted<JSObject*, allowGC>::toHandle(obj),
                     MaybeRooted<jsid, allowGC>::toHandle(id),
                     MaybeRooted<JSObject*, allowGC>::toMutableHandle(objp),
                     MaybeRooted<Shape*, allowGC>::toMutableHandle(propp)))
         {
             return false;
         }
     } else {
         bool done;
         if (!LookupOwnPropertyInline<allowGC>(cx, obj, id, objp, propp, &done))
             return false;
         if (!done) {
             objp.set(nullptr);
             propp.set(nullptr);
             return true;
         }
     }
     if (!propp)
         return true;
     if (objp == obj)
         return true;
     JSObject *outer = nullptr;
     if (JSObjectOp op = objp->getClass()->ext.outerObject) {
         if (!allowGC)
             return false;
         RootedObject inner(cx, objp);
         outer = op(cx, inner);
         if (!outer)
             return false;
     }
     if (outer != objp)
         propp.set(nullptr);
     return true;
 }
 template bool
 js::HasOwnProperty<CanGC>(JSContext *cx, LookupGenericOp lookup,
                           HandleObject obj, HandleId id,
                           MutableHandleObject objp, MutableHandleShape propp);
 template bool
 js::HasOwnProperty<NoGC>(JSContext *cx, LookupGenericOp lookup,
                          JSObject *obj, jsid id,
                          FakeMutableHandle<JSObject*> objp, FakeMutableHandle<Shape*> propp);
 bool
 js::HasOwnProperty(JSContext *cx, HandleObject obj, HandleId id, bool *resultp)
 {
     RootedObject pobj(cx);
     RootedShape shape(cx);
     if (!HasOwnProperty<CanGC>(cx, obj->getOps()->lookupGeneric, obj, id, &pobj, &shape))
         return false;
     *resultp = (shape != nullptr);
     return true;
 }
 template <AllowGC allowGC>
 static MOZ_ALWAYS_INLINE bool
 NativeGetInline(JSContext *cx,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType receiver,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType pobj,
                 typename MaybeRooted<Shape*, allowGC>::HandleType shape,
                 typename MaybeRooted<Value, allowGC>::MutableHandleType vp)
 {
     JS_ASSERT(pobj->isNative());
     if (shape->hasSlot()) {
         vp.set(pobj->nativeGetSlot(shape->slot()));
         JS_ASSERT(!vp.isMagic());
         JS_ASSERT_IF(!pobj->hasSingletonType() &&
                      !pobj->template is<ScopeObject>() &&
                      shape->hasDefaultGetter(),
                      js::types::TypeHasProperty(cx, pobj->type(), shape->propid(), vp));
     } else {
         vp.setUndefined();
     }
     if (shape->hasDefaultGetter())
         return true;
     {
         jsbytecode *pc;
         JSScript *script = cx->currentScript(&pc);
 #ifdef JS_ION
         if (script && script->hasBaselineScript()) {
             switch (JSOp(*pc)) {
               case JSOP_GETPROP:
               case JSOP_CALLPROP:
               case JSOP_LENGTH:
                 script->baselineScript()->noteAccessedGetter(script->pcToOffset(pc));
                 break;
               default:
                 break;
             }
         }
 #endif
     }
     if (!allowGC)
         return false;
     if (!shape->get(cx,
                     MaybeRooted<JSObject*, allowGC>::toHandle(receiver),
                     MaybeRooted<JSObject*, allowGC>::toHandle(obj),
                     MaybeRooted<JSObject*, allowGC>::toHandle(pobj),
                     MaybeRooted<Value, allowGC>::toMutableHandle(vp)))
     {
         return false;
     }
     /* Update slotful shapes according to the value produced by the getter. */
     if (shape->hasSlot() && pobj->nativeContains(cx, shape))
         pobj->nativeSetSlot(shape->slot(), vp);
     return true;
 }
 bool
 js::NativeGet(JSContext *cx, Handle<JSObject*> obj, Handle<JSObject*> pobj, Handle<Shape*> shape,
               MutableHandle<Value> vp)
 {
     return NativeGetInline<CanGC>(cx, obj, obj, pobj, shape, vp);
 }
 template <ExecutionMode mode>
 bool
 js::NativeSet(typename ExecutionModeTraits<mode>::ContextType cxArg,
               Handle<JSObject*> obj, Handle<JSObject*> receiver,
               HandleShape shape, bool strict, MutableHandleValue vp)
 {
     JS_ASSERT(cxArg->isThreadLocal(obj));
     JS_ASSERT(obj->isNative());
     if (shape->hasSlot()) {
         /* If shape has a stub setter, just store vp. */
         if (shape->hasDefaultSetter()) {
             if (mode == ParallelExecution) {
                 if (!obj->nativeSetSlotIfHasType(shape, vp))
                     return false;
             } else {
                 obj->nativeSetSlotWithType(cxArg->asExclusiveContext(), shape, vp);
             }
             return true;
         }
     }
     if (mode == ParallelExecution)
         return false;
     JSContext *cx = cxArg->asJSContext();
     if (!shape->hasSlot()) {
         /*
          * Allow API consumers to create shared properties with stub setters.
          * Such properties effectively function as data descriptors which are
          * not writable, so attempting to set such a property should do nothing
          * or throw if we're in strict mode.
          */
         if (!shape->hasGetterValue() && shape->hasDefaultSetter())
             return js_ReportGetterOnlyAssignment(cx, strict);
     }
     RootedValue ovp(cx, vp);
     uint32_t sample = cx->runtime()->propertyRemovals;
     if (!shape->set(cx, obj, receiver, strict, vp))
         return false;
     /*
      * Update any slot for the shape with the value produced by the setter,
      * unless the setter deleted the shape.
      */
     if (shape->hasSlot() &&
         (MOZ_LIKELY(cx->runtime()->propertyRemovals == sample) ||
          obj->nativeContains(cx, shape)))
     {
         obj->setSlot(shape->slot(), vp);
     }
     return true;
 }
 template bool
 js::NativeSet<SequentialExecution>(JSContext *cx,
                                    Handle<JSObject*> obj, Handle<JSObject*> receiver,
                                    HandleShape shape, bool strict, MutableHandleValue vp);
 template bool
 js::NativeSet<ParallelExecution>(ForkJoinContext *cx,
                                  Handle<JSObject*> obj, Handle<JSObject*> receiver,
                                  HandleShape shape, bool strict, MutableHandleValue vp);
 template <AllowGC allowGC>
 static MOZ_ALWAYS_INLINE bool
 GetPropertyHelperInline(JSContext *cx,
                         typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                         typename MaybeRooted<JSObject*, allowGC>::HandleType receiver,
                         typename MaybeRooted<jsid, allowGC>::HandleType id,
                         typename MaybeRooted<Value, allowGC>::MutableHandleType vp)
 {
     /* This call site is hot -- use the always-inlined variant of LookupNativeProperty(). */
     typename MaybeRooted<JSObject*, allowGC>::RootType obj2(cx);
     typename MaybeRooted<Shape*, allowGC>::RootType shape(cx);
     if (!LookupPropertyInline<allowGC>(cx, obj, id, &obj2, &shape))
         return false;
     if (!shape) {
         if (!allowGC)
             return false;
         vp.setUndefined();
         if (!CallJSPropertyOp(cx, obj->getClass()->getProperty,
                               MaybeRooted<JSObject*, allowGC>::toHandle(obj),
                               MaybeRooted<jsid, allowGC>::toHandle(id),
                               MaybeRooted<Value, allowGC>::toMutableHandle(vp)))
         {
             return false;
         }
         /*
          * Give a strict warning if foo.bar is evaluated by a script for an
          * object foo with no property named 'bar'.
          */
         if (vp.isUndefined()) {
             jsbytecode *pc = nullptr;
             RootedScript script(cx, cx->currentScript(&pc));
             if (!pc)
                 return true;
             JSOp op = (JSOp) *pc;
             if (op == JSOP_GETXPROP) {
                 /* Undefined property during a name lookup, report an error. */
                 JSAutoByteString printable;
                 if (js_ValueToPrintable(cx, IdToValue(id), &printable))
                     js_ReportIsNotDefined(cx, printable.ptr());
                 return false;
             }
             /* Don't warn if extra warnings not enabled or for random getprop operations. */
             if (!cx->options().extraWarnings() || (op != JSOP_GETPROP && op != JSOP_GETELEM))
                 return true;
             /* Don't warn repeatedly for the same script. */
             if (!script || script->warnedAboutUndefinedProp())
                 return true;
             /*
              * Don't warn in self-hosted code (where the further presence of
              * JS::ContextOptions::werror() would result in impossible-to-avoid
              * errors to entirely-innocent client code).
              */
             if (script->selfHosted())
                 return true;
             /* We may just be checking if that object has an iterator. */
             if (JSID_IS_ATOM(id, cx->names().iteratorIntrinsic))
                 return true;
             /* Do not warn about tests like (obj[prop] == undefined). */
             pc += js_CodeSpec[op].length;
             if (Detecting(cx, script, pc))
                 return true;
             unsigned flags = JSREPORT_WARNING | JSREPORT_STRICT;
             script->setWarnedAboutUndefinedProp();
             /* Ok, bad undefined property reference: whine about it. */
             RootedValue val(cx, IdToValue(id));
             if (!js_ReportValueErrorFlags(cx, flags, JSMSG_UNDEFINED_PROP,
                                           JSDVG_IGNORE_STACK, val, js::NullPtr(),
                                           nullptr, nullptr))
             {
                 return false;
             }
         }
         return true;
     }
     if (!obj2->isNative()) {
         if (!allowGC)
             return false;
         HandleObject obj2Handle = MaybeRooted<JSObject*, allowGC>::toHandle(obj2);
         HandleObject receiverHandle = MaybeRooted<JSObject*, allowGC>::toHandle(receiver);
         HandleId idHandle = MaybeRooted<jsid, allowGC>::toHandle(id);
         MutableHandleValue vpHandle = MaybeRooted<Value, allowGC>::toMutableHandle(vp);
         return obj2->template is<ProxyObject>()
                ? Proxy::get(cx, obj2Handle, receiverHandle, idHandle, vpHandle)
                : JSObject::getGeneric(cx, obj2Handle, obj2Handle, idHandle, vpHandle);
     }
     if (IsImplicitDenseOrTypedArrayElement(shape)) {
         vp.set(obj2->getDenseOrTypedArrayElement(JSID_TO_INT(id)));
         return true;
     }
     /* This call site is hot -- use the always-inlined variant of NativeGet(). */
     if (!NativeGetInline<allowGC>(cx, obj, receiver, obj2, shape, vp))
         return false;
     return true;
 }
 bool
 baseops::GetProperty(JSContext *cx, HandleObject obj, HandleObject receiver, HandleId id, MutableHandleValue vp)
 {
     /* This call site is hot -- use the always-inlined variant of GetPropertyHelper(). */
     return GetPropertyHelperInline<CanGC>(cx, obj, receiver, id, vp);
 }
 bool
 baseops::GetPropertyNoGC(JSContext *cx, JSObject *obj, JSObject *receiver, jsid id, Value *vp)
 {
     AutoAssertNoException nogc(cx);
     return GetPropertyHelperInline<NoGC>(cx, obj, receiver, id, vp);
 }
 static MOZ_ALWAYS_INLINE bool
 LookupPropertyPureInline(JSObject *obj, jsid id, JSObject **objp, Shape **propp)
 {
     if (!obj->isNative())
         return false;
     JSObject *current = obj;
     while (true) {
         /* Search for a native dense element, typed array element, or property. */
         if (JSID_IS_INT(id) && current->containsDenseElement(JSID_TO_INT(id))) {
             *objp = current;
             MarkDenseOrTypedArrayElementFound<NoGC>(propp);
             return true;
         }
         if (current->is<TypedArrayObject>()) {
             uint64_t index;
             if (IsTypedArrayIndex(id, &index)) {
                 if (index < obj->as<TypedArrayObject>().length()) {
                     *objp = current;
                     MarkDenseOrTypedArrayElementFound<NoGC>(propp);
                 } else {
                     *objp = nullptr;
                     *propp = nullptr;
                 }
                 return true;
             }
         }
         if (Shape *shape = current->nativeLookupPure(id)) {
             *objp = current;
             *propp = shape;
             return true;
         }
         /* Fail if there's a resolve hook. */
         if (current->getClass()->resolve != JS_ResolveStub)
             return false;
         JSObject *proto = current->getProto();
         if (!proto)
             break;
         if (!proto->isNative())
             return false;
         current = proto;
     }
     *objp = nullptr;
     *propp = nullptr;
     return true;
 }
 static MOZ_ALWAYS_INLINE bool
 NativeGetPureInline(JSObject *pobj, Shape *shape, Value *vp)
 {
     JS_ASSERT(pobj->isNative());
     if (shape->hasSlot()) {
         *vp = pobj->nativeGetSlot(shape->slot());
         JS_ASSERT(!vp->isMagic());
     } else {
         vp->setUndefined();
     }
     /* Fail if we have a custom getter. */
     return shape->hasDefaultGetter();
 }
 bool
 js::LookupPropertyPure(JSObject *obj, jsid id, JSObject **objp, Shape **propp)
 {
     return LookupPropertyPureInline(obj, id, objp, propp);
 }
 static inline bool
 IdIsLength(ThreadSafeContext *cx, jsid id)
 {
     return JSID_IS_ATOM(id) && cx->names().length == JSID_TO_ATOM(id);
 }
 /*
  * A pure version of GetPropertyHelper that can be called from parallel code
  * without locking. This code path cannot GC. This variant returns false
  * whenever a side-effect might have occured in the effectful version. This
  * includes, but is not limited to:
  *
  *  - Any object in the lookup chain has a non-stub resolve hook.
  *  - Any object in the lookup chain is non-native.
  *  - The property has a getter.
  */
 bool
 js::GetPropertyPure(ThreadSafeContext *cx, JSObject *obj, jsid id, Value *vp)
 {
     /* Deal with native objects. */
     JSObject *obj2;
     Shape *shape;
     if (!LookupPropertyPureInline(obj, id, &obj2, &shape))
         return false;
     if (!shape) {
         /* Fail if we have a non-stub class op hooks. */
         if (obj->getClass()->getProperty && obj->getClass()->getProperty != JS_PropertyStub)
             return false;
         if (obj->getOps()->getElement)
             return false;
         /* Vanilla native object, return undefined. */
         vp->setUndefined();
         return true;
     }
     if (IsImplicitDenseOrTypedArrayElement(shape)) {
         *vp = obj2->getDenseOrTypedArrayElement(JSID_TO_INT(id));
         return true;
     }
     /* Special case 'length' on Array and TypedArray. */
     if (IdIsLength(cx, id)) {
         if (obj->is<ArrayObject>()) {
             vp->setNumber(obj->as<ArrayObject>().length());
             return true;
         }
         if (obj->is<TypedArrayObject>()) {
             vp->setNumber(obj->as<TypedArrayObject>().length());
             return true;
         }
     }
     return NativeGetPureInline(obj2, shape, vp);
 }
 static bool
 MOZ_ALWAYS_INLINE
 GetElementPure(ThreadSafeContext *cx, JSObject *obj, uint32_t index, Value *vp)
 {
     if (index <= JSID_INT_MAX)
         return GetPropertyPure(cx, obj, INT_TO_JSID(index), vp);
     return false;
 }
 /*
  * A pure version of GetObjectElementOperation that can be called from
  * parallel code without locking. This variant returns false whenever a
  * side-effect might have occurred.
  */
 bool
 js::GetObjectElementOperationPure(ThreadSafeContext *cx, JSObject *obj, const Value &prop,
                                   Value *vp)
 {
     uint32_t index;
     if (IsDefinitelyIndex(prop, &index))
         return GetElementPure(cx, obj, index, vp);
     /* Atomizing the property value is effectful and not threadsafe. */
     if (!prop.isString() || !prop.toString()->isAtom())
         return false;
     JSAtom *name = &prop.toString()->asAtom();
     if (name->isIndex(&index))
         return GetElementPure(cx, obj, index, vp);
     return GetPropertyPure(cx, obj, NameToId(name->asPropertyName()), vp);
 }
 bool
 baseops::GetElement(JSContext *cx, HandleObject obj, HandleObject receiver, uint32_t index,
                     MutableHandleValue vp)
 {
     RootedId id(cx);
     if (!IndexToId(cx, index, &id))
         return false;
     /* This call site is hot -- use the always-inlined variant of js_GetPropertyHelper(). */
     return GetPropertyHelperInline<CanGC>(cx, obj, receiver, id, vp);
 }
 static bool
 MaybeReportUndeclaredVarAssignment(JSContext *cx, JSString *propname)
 {
     {
         JSScript *script = cx->currentScript(nullptr, JSContext::ALLOW_CROSS_COMPARTMENT);
         if (!script)
             return true;
         // If the code is not strict and extra warnings aren't enabled, then no
         // check is needed.
         if (!script->strict() && !cx->options().extraWarnings())
             return true;
     }
     JSAutoByteString bytes(cx, propname);
     return !!bytes &&
            JS_ReportErrorFlagsAndNumber(cx,
                                         (JSREPORT_WARNING | JSREPORT_STRICT
                                          | JSREPORT_STRICT_MODE_ERROR),
                                         js_GetErrorMessage, nullptr,
                                         JSMSG_UNDECLARED_VAR, bytes.ptr());
 }
 bool
 js::ReportIfUndeclaredVarAssignment(JSContext *cx, HandleString propname)
 {
     {
         jsbytecode *pc;
         JSScript *script = cx->currentScript(&pc, JSContext::ALLOW_CROSS_COMPARTMENT);
         if (!script)
             return true;
         // If the code is not strict and extra warnings aren't enabled, then no
         // check is needed.
         if (!script->strict() && !cx->options().extraWarnings())
             return true;
         /*
          * We only need to check for bare name mutations: we shouldn't be
          * warning, or throwing, or whatever, if we're not doing a variable
          * access.
          *
          * TryConvertToGname in frontend/BytecodeEmitter.cpp checks for rather
          * more opcodes when it does, in the normal course of events, what this
          * method does in the abnormal course of events.  Because we're called
          * in narrower circumstances, we only need check two.  We don't need to
          * check for the increment/decrement opcodes because they're no-ops:
          * the actual semantics are implemented by desugaring.  And we don't
          * need to check name-access because this method is only supposed to be
          * called in assignment contexts.
          */
         MOZ_ASSERT(*pc != JSOP_NAME);
         MOZ_ASSERT(*pc != JSOP_GETGNAME);
         if (*pc != JSOP_SETNAME && *pc != JSOP_SETGNAME)
             return true;
     }
     JSAutoByteString bytes(cx, propname);
     return !!bytes &&
            JS_ReportErrorFlagsAndNumber(cx,
                                         JSREPORT_WARNING | JSREPORT_STRICT |
                                         JSREPORT_STRICT_MODE_ERROR,
                                         js_GetErrorMessage, nullptr,
                                         JSMSG_UNDECLARED_VAR, bytes.ptr());
 }
 bool
 JSObject::reportReadOnly(ThreadSafeContext *cxArg, jsid id, unsigned report)
 {
     if (cxArg->isForkJoinContext())
         return cxArg->asForkJoinContext()->reportError(ParallelBailoutUnsupportedVM, report);
     if (!cxArg->isJSContext())
         return true;
     JSContext *cx = cxArg->asJSContext();
     RootedValue val(cx, IdToValue(id));
     return js_ReportValueErrorFlags(cx, report, JSMSG_READ_ONLY,
                                     JSDVG_IGNORE_STACK, val, js::NullPtr(),
                                     nullptr, nullptr);
 }
 bool
 JSObject::reportNotConfigurable(ThreadSafeContext *cxArg, jsid id, unsigned report)
 {
     if (cxArg->isForkJoinContext())
         return cxArg->asForkJoinContext()->reportError(ParallelBailoutUnsupportedVM, report);
     if (!cxArg->isJSContext())
         return true;
     JSContext *cx = cxArg->asJSContext();
     RootedValue val(cx, IdToValue(id));
     return js_ReportValueErrorFlags(cx, report, JSMSG_CANT_DELETE,
                                     JSDVG_IGNORE_STACK, val, js::NullPtr(),
                                     nullptr, nullptr);
 }
 bool
 JSObject::reportNotExtensible(ThreadSafeContext *cxArg, unsigned report)
 {
     if (cxArg->isForkJoinContext())
         return cxArg->asForkJoinContext()->reportError(ParallelBailoutUnsupportedVM, report);
     if (!cxArg->isJSContext())
         return true;
     JSContext *cx = cxArg->asJSContext();
     RootedValue val(cx, ObjectValue(*this));
     return js_ReportValueErrorFlags(cx, report, JSMSG_OBJECT_NOT_EXTENSIBLE,
                                     JSDVG_IGNORE_STACK, val, js::NullPtr(),
                                     nullptr, nullptr);
 }
 bool
 JSObject::callMethod(JSContext *cx, HandleId id, unsigned argc, Value *argv, MutableHandleValue vp)
 {
     RootedValue fval(cx);
     RootedObject obj(cx, this);
     if (!JSObject::getGeneric(cx, obj, obj, id, &fval))
         return false;
     return Invoke(cx, ObjectValue(*obj), fval, argc, argv, vp);
 }
 template <ExecutionMode mode>
 bool
 baseops::SetPropertyHelper(typename ExecutionModeTraits<mode>::ContextType cxArg,
                            HandleObject obj, HandleObject receiver, HandleId id,
                            QualifiedBool qualified, MutableHandleValue vp, bool strict)
 {
     JS_ASSERT(cxArg->isThreadLocal(obj));
     if (MOZ_UNLIKELY(obj->watched())) {
         if (mode == ParallelExecution)
             return false;
         /* Fire watchpoints, if any. */
         JSContext *cx = cxArg->asJSContext();
         WatchpointMap *wpmap = cx->compartment()->watchpointMap;
         if (wpmap && !wpmap->triggerWatchpoint(cx, obj, id, vp))
             return false;
     }
     RootedObject pobj(cxArg);
     RootedShape shape(cxArg);
     if (mode == ParallelExecution) {
         if (!LookupPropertyPure(obj, id, pobj.address(), shape.address()))
             return false;
     } else {
         JSContext *cx = cxArg->asJSContext();
         if (!LookupNativeProperty(cx, obj, id, &pobj, &shape))
             return false;
     }
     if (shape) {
         if (!pobj->isNative()) {
             if (pobj->is<ProxyObject>()) {
                 if (mode == ParallelExecution)
                     return false;
                 JSContext *cx = cxArg->asJSContext();
                 Rooted<PropertyDescriptor> pd(cx);
                 if (!Proxy::getPropertyDescriptor(cx, pobj, id, &pd))
                     return false;
                 if ((pd.attributes() & (JSPROP_SHARED | JSPROP_SHADOWABLE)) == JSPROP_SHARED) {
                     return !pd.setter() ||
                            CallSetter(cx, receiver, id, pd.setter(), pd.attributes(), strict, vp);
                 }
                 if (pd.isReadonly()) {
                     if (strict)
                         return JSObject::reportReadOnly(cx, id, JSREPORT_ERROR);
                     if (cx->options().extraWarnings())
                         return JSObject::reportReadOnly(cx, id, JSREPORT_STRICT | JSREPORT_WARNING);
                     return true;
                 }
             }
             shape = nullptr;
         }
     } else {
         /* We should never add properties to lexical blocks. */
         JS_ASSERT(!obj->is<BlockObject>());
         if (obj->is<GlobalObject>() && !qualified) {
             if (mode == ParallelExecution)
                 return false;
             if (!MaybeReportUndeclaredVarAssignment(cxArg->asJSContext(), JSID_TO_STRING(id)))
                 return false;
         }
     }
     /*
      * Now either shape is null, meaning id was not found in obj or one of its
      * prototypes; or shape is non-null, meaning id was found directly in pobj.
      */
     unsigned attrs = JSPROP_ENUMERATE;
     const Class *clasp = obj->getClass();
     PropertyOp getter = clasp->getProperty;
     StrictPropertyOp setter = clasp->setProperty;
     if (IsImplicitDenseOrTypedArrayElement(shape)) {
         /* ES5 8.12.4 [[Put]] step 2, for a dense data property on pobj. */
         if (pobj != obj)
             shape = nullptr;
     } else if (shape) {
         /* ES5 8.12.4 [[Put]] step 2. */
         if (shape->isAccessorDescriptor()) {
             if (shape->hasDefaultSetter()) {
                 /* Bail out of parallel execution if we are strict to throw. */
                 if (mode == ParallelExecution)
                     return !strict;
                 return js_ReportGetterOnlyAssignment(cxArg->asJSContext(), strict);
             }
         } else {
             JS_ASSERT(shape->isDataDescriptor());
             if (!shape->writable()) {
                 /*
                  * Error in strict mode code, warn with extra warnings
                  * options, otherwise do nothing.
                  *
                  * Bail out of parallel execution if we are strict to throw.
                  */
                 if (mode == ParallelExecution)
                     return !strict;
                 JSContext *cx = cxArg->asJSContext();
                 if (strict)
                     return JSObject::reportReadOnly(cx, id, JSREPORT_ERROR);
                 if (cx->options().extraWarnings())
                     return JSObject::reportReadOnly(cx, id, JSREPORT_STRICT | JSREPORT_WARNING);
                 return true;
             }
         }
         attrs = shape->attributes();
         if (pobj != obj) {
             /*
              * We found id in a prototype object: prepare to share or shadow.
              */
             if (!shape->shadowable()) {
                 if (shape->hasDefaultSetter() && !shape->hasGetterValue())
                     return true;
                 if (mode == ParallelExecution)
                     return false;
                 return shape->set(cxArg->asJSContext(), obj, receiver, strict, vp);
             }
             /*
              * Preserve attrs except JSPROP_SHARED, getter, and setter when
              * shadowing any property that has no slot (is shared). We must
              * clear the shared attribute for the shadowing shape so that the
              * property in obj that it defines has a slot to retain the value
              * being set, in case the setter simply cannot operate on instances
              * of obj's class by storing the value in some class-specific
              * location.
              */
             if (!shape->hasSlot()) {
                 attrs &= ~JSPROP_SHARED;
                 getter = shape->getter();
                 setter = shape->setter();
             } else {
                 /* Restore attrs to the ECMA default for new properties. */
                 attrs = JSPROP_ENUMERATE;
             }
             /*
              * Forget we found the proto-property now that we've copied any
              * needed member values.
              */
             shape = nullptr;
         }
     }
     if (IsImplicitDenseOrTypedArrayElement(shape)) {
         uint32_t index = JSID_TO_INT(id);
         if (obj->is<TypedArrayObject>()) {
             double d;
             if (mode == ParallelExecution) {
                 // Bail if converting the value might invoke user-defined
                 // conversions.
                 if (vp.isObject())
                     return false;
                 if (!NonObjectToNumber(cxArg, vp, &d))
                     return false;
             } else {
                 if (!ToNumber(cxArg->asJSContext(), vp, &d))
                     return false;
             }
             // Silently do nothing for out-of-bounds sets, for consistency with
             // current behavior.  (ES6 currently says to throw for this in
             // strict mode code, so we may eventually need to change.)
             TypedArrayObject &tarray = obj->as<TypedArrayObject>();
             if (index < tarray.length())
                 TypedArrayObject::setElement(tarray, index, d);
             return true;
         }
         bool definesPast;
         if (!WouldDefinePastNonwritableLength(cxArg, obj, index, strict, &definesPast))
             return false;
         if (definesPast) {
             /* Bail out of parallel execution if we are strict to throw. */
             if (mode == ParallelExecution)
                 return !strict;
             return true;
         }
         if (mode == ParallelExecution)
             return obj->setDenseElementIfHasType(index, vp);
         obj->setDenseElementWithType(cxArg->asJSContext(), index, vp);
         return true;
     }
     if (obj->is<ArrayObject>() && id == NameToId(cxArg->names().length)) {
         Rooted<ArrayObject*> arr(cxArg, &obj->as<ArrayObject>());
         return ArraySetLength<mode>(cxArg, arr, id, attrs, vp, strict);
     }
     if (!shape) {
         bool extensible;
         if (mode == ParallelExecution) {
             if (obj->is<ProxyObject>())
                 return false;
             extensible = obj->nonProxyIsExtensible();
         } else {
             if (!JSObject::isExtensible(cxArg->asJSContext(), obj, &extensible))
                 return false;
         }
         if (!extensible) {
             /* Error in strict mode code, warn with extra warnings option, otherwise do nothing. */
             if (strict)
                 return obj->reportNotExtensible(cxArg);
             if (mode == SequentialExecution && cxArg->asJSContext()->options().extraWarnings())
                 return obj->reportNotExtensible(cxArg, JSREPORT_STRICT | JSREPORT_WARNING);
             return true;
         }
         if (mode == ParallelExecution) {
             if (obj->isDelegate())
                 return false;
             if (getter != JS_PropertyStub || !HasTypePropertyId(obj, id, vp))
                 return false;
         } else {
             JSContext *cx = cxArg->asJSContext();
             /* Purge the property cache of now-shadowed id in obj's scope chain. */
             if (!PurgeScopeChain(cx, obj, id))
                 return false;
         }
         return DefinePropertyOrElement<mode>(cxArg, obj, id, getter, setter,
                                              attrs, vp, true, strict);
     }
     return NativeSet<mode>(cxArg, obj, receiver, shape, strict, vp);
 }
 template bool
 baseops::SetPropertyHelper<SequentialExecution>(JSContext *cx, HandleObject obj,
                                                 HandleObject receiver, HandleId id,
                                                 QualifiedBool qualified,
                                                 MutableHandleValue vp, bool strict);
 template bool
 baseops::SetPropertyHelper<ParallelExecution>(ForkJoinContext *cx, HandleObject obj,
                                               HandleObject receiver, HandleId id,
                                               QualifiedBool qualified,
                                               MutableHandleValue vp, bool strict);
 bool
 baseops::SetElementHelper(JSContext *cx, HandleObject obj, HandleObject receiver, uint32_t index,
                           MutableHandleValue vp, bool strict)
 {
     RootedId id(cx);
     if (!IndexToId(cx, index, &id))
         return false;
     return baseops::SetPropertyHelper<SequentialExecution>(cx, obj, receiver, id, Qualified, vp,
                                                            strict);
 }
 bool
 baseops::GetAttributes(JSContext *cx, HandleObject obj, HandleId id, unsigned *attrsp)
 {
     RootedObject nobj(cx);
     RootedShape shape(cx);
     if (!baseops::LookupProperty<CanGC>(cx, obj, id, &nobj, &shape))
         return false;
     if (!shape) {
         *attrsp = 0;
         return true;
     }
     if (!nobj->isNative())
         return JSObject::getGenericAttributes(cx, nobj, id, attrsp);
     *attrsp = GetShapeAttributes(nobj, shape);
     return true;
 }
 bool
 baseops::SetAttributes(JSContext *cx, HandleObject obj, HandleId id, unsigned *attrsp)
 {
     RootedObject nobj(cx);
     RootedShape shape(cx);
     if (!baseops::LookupProperty<CanGC>(cx, obj, id, &nobj, &shape))
         return false;
     if (!shape)
         return true;
     if (nobj->isNative() && IsImplicitDenseOrTypedArrayElement(shape)) {
         if (nobj->is<TypedArrayObject>()) {
             if (*attrsp == (JSPROP_ENUMERATE | JSPROP_PERMANENT))
                 return true;
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_CANT_SET_ARRAY_ATTRS);
             return false;
         }
         if (!JSObject::sparsifyDenseElement(cx, nobj, JSID_TO_INT(id)))
             return false;
         shape = obj->nativeLookup(cx, id);
     }
     if (nobj->isNative()) {
         if (!JSObject::changePropertyAttributes(cx, nobj, shape, *attrsp))
             return false;
         if (*attrsp & JSPROP_READONLY)
             MarkTypePropertyNonWritable(cx, obj, id);
         return true;
     } else {
         return JSObject::setGenericAttributes(cx, nobj, id, attrsp);
     }
 }
 bool
 baseops::DeleteGeneric(JSContext *cx, HandleObject obj, HandleId id, bool *succeeded)
 {
     RootedObject proto(cx);
     RootedShape shape(cx);
     if (!baseops::LookupProperty<CanGC>(cx, obj, id, &proto, &shape))
         return false;
     if (!shape || proto != obj) {
         /*
          * If no property, or the property comes from a prototype, call the
          * class's delProperty hook, passing succeeded as the result parameter.
          */
         return CallJSDeletePropertyOp(cx, obj->getClass()->delProperty, obj, id, succeeded);
     }
     GCPoke(cx->runtime());
     if (IsImplicitDenseOrTypedArrayElement(shape)) {
         if (obj->is<TypedArrayObject>()) {
             // Don't delete elements from typed arrays.
             *succeeded = false;
             return true;
         }
         if (!CallJSDeletePropertyOp(cx, obj->getClass()->delProperty, obj, id, succeeded))
             return false;
         if (!succeeded)
             return true;
         obj->setDenseElementHole(cx, JSID_TO_INT(id));
         return js_SuppressDeletedProperty(cx, obj, id);
     }
     if (!shape->configurable()) {
         *succeeded = false;
         return true;
     }
     RootedId propid(cx, shape->propid());
     if (!CallJSDeletePropertyOp(cx, obj->getClass()->delProperty, obj, propid, succeeded))
         return false;
     if (!succeeded)
         return true;
     return obj->removeProperty(cx, id) && js_SuppressDeletedProperty(cx, obj, id);
 }
 bool
 baseops::DeleteProperty(JSContext *cx, HandleObject obj, HandlePropertyName name,
                         bool *succeeded)
 {
     Rooted<jsid> id(cx, NameToId(name));
     return baseops::DeleteGeneric(cx, obj, id, succeeded);
 }
 bool
 baseops::DeleteElement(JSContext *cx, HandleObject obj, uint32_t index, bool *succeeded)
 {
     RootedId id(cx);
     if (!IndexToId(cx, index, &id))
         return false;
     return baseops::DeleteGeneric(cx, obj, id, succeeded);
 }
 bool
 js::WatchGuts(JSContext *cx, JS::HandleObject origObj, JS::HandleId id, JS::HandleObject callable)
 {
     RootedObject obj(cx, GetInnerObject(cx, origObj));
     if (obj->isNative()) {
         // Use sparse indexes for watched objects, as dense elements can be
         // written to without checking the watchpoint map.
         if (!JSObject::sparsifyDenseElements(cx, obj))
             return false;
         types::MarkTypePropertyNonData(cx, obj, id);
     }
     WatchpointMap *wpmap = cx->compartment()->watchpointMap;
     if (!wpmap) {
         wpmap = cx->runtime()->new_<WatchpointMap>();
         if (!wpmap || !wpmap->init()) {
             js_ReportOutOfMemory(cx);
             return false;
         }
         cx->compartment()->watchpointMap = wpmap;
     }
     return wpmap->watch(cx, obj, id, js::WatchHandler, callable);
 }
 bool
 baseops::Watch(JSContext *cx, JS::HandleObject obj, JS::HandleId id, JS::HandleObject callable)
 {
     if (!obj->isNative() || obj->is<TypedArrayObject>()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_CANT_WATCH,
                              obj->getClass()->name);
         return false;
     }
     return WatchGuts(cx, obj, id, callable);
 }
 bool
 js::UnwatchGuts(JSContext *cx, JS::HandleObject origObj, JS::HandleId id)
 {
     // Looking in the map for an unsupported object will never hit, so we don't
     // need to check for nativeness or watchable-ness here.
     RootedObject obj(cx, GetInnerObject(cx, origObj));
     if (WatchpointMap *wpmap = cx->compartment()->watchpointMap)
         wpmap->unwatch(obj, id, nullptr, nullptr);
     return true;
 }
 bool
 baseops::Unwatch(JSContext *cx, JS::HandleObject obj, JS::HandleId id)
 {
     return UnwatchGuts(cx, obj, id);
 }
 bool
 js::HasDataProperty(JSContext *cx, JSObject *obj, jsid id, Value *vp)
 {
     if (JSID_IS_INT(id) && obj->containsDenseElement(JSID_TO_INT(id))) {
         *vp = obj->getDenseElement(JSID_TO_INT(id));
         return true;
     }
     if (Shape *shape = obj->nativeLookup(cx, id)) {
         if (shape->hasDefaultGetter() && shape->hasSlot()) {
             *vp = obj->nativeGetSlot(shape->slot());
             return true;
         }
     }
     return false;
 }
 /*
  * Gets |obj[id]|.  If that value's not callable, returns true and stores a
  * non-primitive value in *vp.  If it's callable, calls it with no arguments
  * and |obj| as |this|, returning the result in *vp.
  *
  * This is a mini-abstraction for ES5 8.12.8 [[DefaultValue]], either steps 1-2
  * or steps 3-4.
  */
 static bool
 MaybeCallMethod(JSContext *cx, HandleObject obj, HandleId id, MutableHandleValue vp)
 {
     if (!JSObject::getGeneric(cx, obj, obj, id, vp))
         return false;
     if (!js_IsCallable(vp)) {
         vp.setObject(*obj);
         return true;
     }
     return Invoke(cx, ObjectValue(*obj), vp, 0, nullptr, vp);
 }
 JS_FRIEND_API(bool)
 js::DefaultValue(JSContext *cx, HandleObject obj, JSType hint, MutableHandleValue vp)
 {
     JS_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING || hint == JSTYPE_VOID);
     Rooted<jsid> id(cx);
     const Class *clasp = obj->getClass();
     if (hint == JSTYPE_STRING) {
         id = NameToId(cx->names().toString);
         /* Optimize (new String(...)).toString(). */
         if (clasp == &StringObject::class_) {
             if (ClassMethodIsNative(cx, obj, &StringObject::class_, id, js_str_toString)) {
                 vp.setString(obj->as<StringObject>().unbox());
                 return true;
             }
         }
         if (!MaybeCallMethod(cx, obj, id, vp))
             return false;
         if (vp.isPrimitive())
             return true;
         id = NameToId(cx->names().valueOf);
         if (!MaybeCallMethod(cx, obj, id, vp))
             return false;
         if (vp.isPrimitive())
             return true;
     } else {
         /* Optimize new String(...).valueOf(). */
         if (clasp == &StringObject::class_) {
             id = NameToId(cx->names().valueOf);
             if (ClassMethodIsNative(cx, obj, &StringObject::class_, id, js_str_toString)) {
                 vp.setString(obj->as<StringObject>().unbox());
                 return true;
             }
         }
         /* Optimize new Number(...).valueOf(). */
         if (clasp == &NumberObject::class_) {
             id = NameToId(cx->names().valueOf);
             if (ClassMethodIsNative(cx, obj, &NumberObject::class_, id, js_num_valueOf)) {
                 vp.setNumber(obj->as<NumberObject>().unbox());
                 return true;
             }
         }
         id = NameToId(cx->names().valueOf);
         if (!MaybeCallMethod(cx, obj, id, vp))
             return false;
         if (vp.isPrimitive())
             return true;
         id = NameToId(cx->names().toString);
         if (!MaybeCallMethod(cx, obj, id, vp))
             return false;
         if (vp.isPrimitive())
             return true;
     }
     /* Avoid recursive death when decompiling in js_ReportValueError. */
     RootedString str(cx);
     if (hint == JSTYPE_STRING) {
         str = JS_InternString(cx, clasp->name);
         if (!str)
             return false;
     } else {
         str = nullptr;
     }
     RootedValue val(cx, ObjectValue(*obj));
     js_ReportValueError2(cx, JSMSG_CANT_CONVERT_TO, JSDVG_SEARCH_STACK, val, str,
                          (hint == JSTYPE_VOID) ? "primitive type" : TypeStrings[hint]);
     return false;
 }
 JS_FRIEND_API(bool)
 JS_EnumerateState(JSContext *cx, HandleObject obj, JSIterateOp enum_op,
                   MutableHandleValue statep, JS::MutableHandleId idp)
 {
     /* If the class has a custom JSCLASS_NEW_ENUMERATE hook, call it. */
     const Class *clasp = obj->getClass();
     JSEnumerateOp enumerate = clasp->enumerate;
     if (clasp->flags & JSCLASS_NEW_ENUMERATE) {
         JS_ASSERT(enumerate != JS_EnumerateStub);
         return ((JSNewEnumerateOp) enumerate)(cx, obj, enum_op, statep, idp);
     }
     if (!enumerate(cx, obj))
         return false;
     /* Tell InitNativeIterator to treat us like a native object. */
     JS_ASSERT(enum_op == JSENUMERATE_INIT || enum_op == JSENUMERATE_INIT_ALL);
     statep.setMagic(JS_NATIVE_ENUMERATE);
     return true;
 }
 bool
 js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result)
 {
     if (v.isPrimitive()) {
         *result = false;
         return true;
     }
     return IsDelegateOfObject(cx, obj, &v.toObject(), result);
 }
 bool
 js::IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result)
 {
     RootedObject obj2(cx, obj);
     for (;;) {
         if (!JSObject::getProto(cx, obj2, &obj2))
             return false;
         if (!obj2) {
             *result = false;
             return true;
         }
         if (obj2 == protoObj) {
             *result = true;
             return true;
         }
     }
 }
 JSObject *
 js::GetBuiltinPrototypePure(GlobalObject *global, JSProtoKey protoKey)
 {
     JS_ASSERT(JSProto_Null <= protoKey);
     JS_ASSERT(protoKey < JSProto_LIMIT);
     if (protoKey != JSProto_Null) {
         const Value &v = global->getPrototype(protoKey);
         if (v.isObject())
             return &v.toObject();
     }
     return nullptr;
 }
 /*
  * The first part of this function has been hand-expanded and optimized into
  * NewBuiltinClassInstance in jsobjinlines.h.
  */
 bool
 js::FindClassPrototype(ExclusiveContext *cx, MutableHandleObject protop, const Class *clasp)
 {
     protop.set(nullptr);
     JSProtoKey protoKey = GetClassProtoKey(clasp);
     if (protoKey != JSProto_Null)
         return GetBuiltinPrototype(cx, protoKey, protop);
     RootedObject ctor(cx);
     if (!FindClassObject(cx, &ctor, clasp))
         return false;
     if (ctor && ctor->is<JSFunction>()) {
         RootedValue v(cx);
         if (cx->isJSContext()) {
             if (!JSObject::getProperty(cx->asJSContext(),
                                        ctor, ctor, cx->names().prototype, &v))
             {
                 return false;
             }
         } else {
             Shape *shape = ctor->nativeLookup(cx, cx->names().prototype);
             if (!shape || !NativeGetPureInline(ctor, shape, v.address()))
                 return false;
         }
         if (v.isObject())
             protop.set(&v.toObject());
     }
     return true;
 }
 JSObject *
 js::PrimitiveToObject(JSContext *cx, const Value &v)
 {
     if (v.isString()) {
         Rooted<JSString*> str(cx, v.toString());
         return StringObject::create(cx, str);
     }
     if (v.isNumber())
         return NumberObject::create(cx, v.toNumber());
     JS_ASSERT(v.isBoolean());
     return BooleanObject::create(cx, v.toBoolean());
 }
 /* Callers must handle the already-object case . */
 JSObject *
 js::ToObjectSlow(JSContext *cx, HandleValue val, bool reportScanStack)
 {
     JS_ASSERT(!val.isMagic());
     JS_ASSERT(!val.isObject());
     if (val.isNullOrUndefined()) {
         if (reportScanStack) {
             js_ReportIsNullOrUndefined(cx, JSDVG_SEARCH_STACK, val, NullPtr());
         } else {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_CANT_CONVERT_TO,
                                  val.isNull() ? "null" : "undefined", "object");
         }
         return nullptr;
     }
     return PrimitiveToObject(cx, val);
 }
 void
 js_GetObjectSlotName(JSTracer *trc, char *buf, size_t bufsize)
 {
     JS_ASSERT(trc->debugPrinter() == js_GetObjectSlotName);
     JSObject *obj = (JSObject *)trc->debugPrintArg();
     uint32_t slot = uint32_t(trc->debugPrintIndex());
     Shape *shape;
     if (obj->isNative()) {
         shape = obj->lastProperty();
         while (shape && (!shape->hasSlot() || shape->slot() != slot))
             shape = shape->previous();
     } else {
         shape = nullptr;
     }
     if (!shape) {
         const char *slotname = nullptr;
         if (obj->is<GlobalObject>()) {
 #define TEST_SLOT_MATCHES_PROTOTYPE(name,code,init,clasp)                     \
             if ((code) == slot) { slotname = js_##name##_str; goto found; }
             JS_FOR_EACH_PROTOTYPE(TEST_SLOT_MATCHES_PROTOTYPE)
 #undef TEST_SLOT_MATCHES_PROTOTYPE
         }
       found:
         if (slotname)
             JS_snprintf(buf, bufsize, "CLASS_OBJECT(%s)", slotname);
         else
             JS_snprintf(buf, bufsize, "**UNKNOWN SLOT %ld**", (long)slot);
     } else {
         jsid propid = shape->propid();
         if (JSID_IS_INT(propid)) {
             JS_snprintf(buf, bufsize, "%ld", (long)JSID_TO_INT(propid));
         } else if (JSID_IS_ATOM(propid)) {
             PutEscapedString(buf, bufsize, JSID_TO_ATOM(propid), 0);
         } else {
             JS_snprintf(buf, bufsize, "**FINALIZED ATOM KEY**");
         }
     }
 }
 bool
 js_ReportGetterOnlyAssignment(JSContext *cx, bool strict)
 {
     return JS_ReportErrorFlagsAndNumber(cx,
                                         strict
                                         ? JSREPORT_ERROR
                                         : JSREPORT_WARNING | JSREPORT_STRICT,
                                         js_GetErrorMessage, nullptr,
                                         JSMSG_GETTER_ONLY);
 }
 JS_FRIEND_API(bool)
 js_GetterOnlyPropertyStub(JSContext *cx, HandleObject obj, HandleId id, bool strict,
                           MutableHandleValue vp)
 {
     JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_GETTER_ONLY);
     return false;
 }
 #ifdef DEBUG
 /*
  * Routines to print out values during debugging.  These are FRIEND_API to help
  * the debugger find them and to support temporarily hacking js_Dump* calls
  * into other code.
  */
 static void
 dumpValue(const Value &v)
 {
     if (v.isNull())
         fprintf(stderr, "null");
     else if (v.isUndefined())
         fprintf(stderr, "undefined");
     else if (v.isInt32())
         fprintf(stderr, "%d", v.toInt32());
     else if (v.isDouble())
         fprintf(stderr, "%g", v.toDouble());
     else if (v.isString())
         v.toString()->dump();
     else if (v.isObject() && v.toObject().is<JSFunction>()) {
         JSFunction *fun = &v.toObject().as<JSFunction>();
         if (fun->displayAtom()) {
             fputs("<function ", stderr);
             FileEscapedString(stderr, fun->displayAtom(), 0);
         } else {
             fputs("<unnamed function", stderr);
         }
         if (fun->hasScript()) {
             JSScript *script = fun->nonLazyScript();
             fprintf(stderr, " (%s:%d)",
                     script->filename() ? script->filename() : "", (int) script->lineno());
         }
         fprintf(stderr, " at %p>", (void *) fun);
     } else if (v.isObject()) {
         JSObject *obj = &v.toObject();
         const Class *clasp = obj->getClass();
         fprintf(stderr, "<%s%s at %p>",
                 clasp->name,
                 (clasp == &JSObject::class_) ? "" : " object",
                 (void *) obj);
     } else if (v.isBoolean()) {
         if (v.toBoolean())
             fprintf(stderr, "true");
         else
             fprintf(stderr, "false");
     } else if (v.isMagic()) {
         fprintf(stderr, "<invalid");
 #ifdef DEBUG
         switch (v.whyMagic()) {
           case JS_ELEMENTS_HOLE:     fprintf(stderr, " elements hole");      break;
           case JS_NATIVE_ENUMERATE:  fprintf(stderr, " native enumeration"); break;
           case JS_NO_ITER_VALUE:     fprintf(stderr, " no iter value");      break;
           case JS_GENERATOR_CLOSING: fprintf(stderr, " generator closing");  break;
           case JS_OPTIMIZED_OUT:     fprintf(stderr, " optimized out");      break;
           default:                   fprintf(stderr, " ?!");                 break;
         }
 #endif
         fprintf(stderr, ">");
     } else {
         fprintf(stderr, "unexpected value");
     }
 }
 JS_FRIEND_API(void)
 js_DumpValue(const Value &val)
 {
     dumpValue(val);
     fputc('\n', stderr);
 }
 JS_FRIEND_API(void)
 js_DumpId(jsid id)
 {
     fprintf(stderr, "jsid %p = ", (void *) JSID_BITS(id));
     dumpValue(IdToValue(id));
     fputc('\n', stderr);
 }
 static void
 DumpProperty(JSObject *obj, Shape &shape)
 {
     jsid id = shape.propid();
     uint8_t attrs = shape.attributes();
     fprintf(stderr, "    ((JSShape *) %p) ", (void *) &shape);
     if (attrs & JSPROP_ENUMERATE) fprintf(stderr, "enumerate ");
     if (attrs & JSPROP_READONLY) fprintf(stderr, "readonly ");
     if (attrs & JSPROP_PERMANENT) fprintf(stderr, "permanent ");
     if (attrs & JSPROP_SHARED) fprintf(stderr, "shared ");
     if (shape.hasGetterValue())
         fprintf(stderr, "getterValue=%p ", (void *) shape.getterObject());
     else if (!shape.hasDefaultGetter())
         fprintf(stderr, "getterOp=%p ", JS_FUNC_TO_DATA_PTR(void *, shape.getterOp()));
     if (shape.hasSetterValue())
         fprintf(stderr, "setterValue=%p ", (void *) shape.setterObject());
     else if (!shape.hasDefaultSetter())
         fprintf(stderr, "setterOp=%p ", JS_FUNC_TO_DATA_PTR(void *, shape.setterOp()));
     if (JSID_IS_ATOM(id))
         JSID_TO_STRING(id)->dump();
     else if (JSID_IS_INT(id))
         fprintf(stderr, "%d", (int) JSID_TO_INT(id));
     else
         fprintf(stderr, "unknown jsid %p", (void *) JSID_BITS(id));
     uint32_t slot = shape.hasSlot() ? shape.maybeSlot() : SHAPE_INVALID_SLOT;
     fprintf(stderr, ": slot %d", slot);
     if (shape.hasSlot()) {
         fprintf(stderr, " = ");
         dumpValue(obj->getSlot(slot));
     } else if (slot != SHAPE_INVALID_SLOT) {
         fprintf(stderr, " (INVALID!)");
     }
     fprintf(stderr, "\n");
 }
 bool
 JSObject::uninlinedIsProxy() const
 {
     return is<ProxyObject>();
 }
 void
 JSObject::dump()
 {
     JSObject *obj = this;
     fprintf(stderr, "object %p\n", (void *) obj);
     const Class *clasp = obj->getClass();
     fprintf(stderr, "class %p %s\n", (const void *)clasp, clasp->name);
     fprintf(stderr, "flags:");
     if (obj->isDelegate()) fprintf(stderr, " delegate");
     if (!obj->is<ProxyObject>() && !obj->nonProxyIsExtensible()) fprintf(stderr, " not_extensible");
     if (obj->isIndexed()) fprintf(stderr, " indexed");
     if (obj->isBoundFunction()) fprintf(stderr, " bound_function");
     if (obj->isVarObj()) fprintf(stderr, " varobj");
     if (obj->watched()) fprintf(stderr, " watched");
     if (obj->isIteratedSingleton()) fprintf(stderr, " iterated_singleton");
     if (obj->isNewTypeUnknown()) fprintf(stderr, " new_type_unknown");
     if (obj->hasUncacheableProto()) fprintf(stderr, " has_uncacheable_proto");
     if (obj->hadElementsAccess()) fprintf(stderr, " had_elements_access");
     if (obj->isNative()) {
         if (obj->inDictionaryMode())
             fprintf(stderr, " inDictionaryMode");
         if (obj->hasShapeTable())
             fprintf(stderr, " hasShapeTable");
     }
     fprintf(stderr, "\n");
     if (obj->isNative()) {
         uint32_t slots = obj->getDenseInitializedLength();
         if (slots) {
             fprintf(stderr, "elements\n");
             for (uint32_t i = 0; i < slots; i++) {
                 fprintf(stderr, " %3d: ", i);
                 dumpValue(obj->getDenseElement(i));
                 fprintf(stderr, "\n");
                 fflush(stderr);
             }
         }
     }
     fprintf(stderr, "proto ");
     TaggedProto proto = obj->getTaggedProto();
     if (proto.isLazy())
         fprintf(stderr, "<lazy>");
     else
         dumpValue(ObjectOrNullValue(proto.toObjectOrNull()));
     fputc('\n', stderr);
     fprintf(stderr, "parent ");
     dumpValue(ObjectOrNullValue(obj->getParent()));
     fputc('\n', stderr);
     if (clasp->flags & JSCLASS_HAS_PRIVATE)
         fprintf(stderr, "private %p\n", obj->getPrivate());
     if (!obj->isNative())
         fprintf(stderr, "not native\n");
     uint32_t reservedEnd = JSCLASS_RESERVED_SLOTS(clasp);
     uint32_t slots = obj->slotSpan();
     uint32_t stop = obj->isNative() ? reservedEnd : slots;
     if (stop > 0)
         fprintf(stderr, obj->isNative() ? "reserved slots:\n" : "slots:\n");
     for (uint32_t i = 0; i < stop; i++) {
         fprintf(stderr, " %3d ", i);
         if (i < reservedEnd)
             fprintf(stderr, "(reserved) ");
         fprintf(stderr, "= ");
         dumpValue(obj->getSlot(i));
         fputc('\n', stderr);
     }
     if (obj->isNative()) {
         fprintf(stderr, "properties:\n");
         Vector<Shape *, 8, SystemAllocPolicy> props;
         for (Shape::Range<NoGC> r(obj->lastProperty()); !r.empty(); r.popFront())
             props.append(&r.front());
         for (size_t i = props.length(); i-- != 0;)
             DumpProperty(obj, *props[i]);
     }
     fputc('\n', stderr);
 }
 static void
 MaybeDumpObject(const char *name, JSObject *obj)
 {
     if (obj) {
         fprintf(stderr, "  %s: ", name);
         dumpValue(ObjectValue(*obj));
         fputc('\n', stderr);
     }
 }
 static void
 MaybeDumpValue(const char *name, const Value &v)
 {
     if (!v.isNull()) {
         fprintf(stderr, "  %s: ", name);
         dumpValue(v);
         fputc('\n', stderr);
     }
 }
 JS_FRIEND_API(void)
 js_DumpInterpreterFrame(JSContext *cx, InterpreterFrame *start)
 {
     /* This should only called during live debugging. */
     ScriptFrameIter i(cx, ScriptFrameIter::GO_THROUGH_SAVED);
     if (!start) {
         if (i.done()) {
             fprintf(stderr, "no stack for cx = %p\n", (void*) cx);
             return;
         }
     } else {
         while (!i.done() && !i.isJit() && i.interpFrame() != start)
             ++i;
         if (i.done()) {
             fprintf(stderr, "fp = %p not found in cx = %p\n",
                     (void *)start, (void *)cx);
             return;
         }
     }
     for (; !i.done(); ++i) {
         if (i.isJit())
             fprintf(stderr, "JIT frame\n");
         else
             fprintf(stderr, "InterpreterFrame at %p\n", (void *) i.interpFrame());
         if (i.isFunctionFrame()) {
             fprintf(stderr, "callee fun: ");
             dumpValue(i.calleev());
         } else {
             fprintf(stderr, "global frame, no callee");
         }
         fputc('\n', stderr);
         fprintf(stderr, "file %s line %u\n",
                 i.script()->filename(), (unsigned) i.script()->lineno());
         if (jsbytecode *pc = i.pc()) {
             fprintf(stderr, "  pc = %p\n", pc);
             fprintf(stderr, "  current op: %s\n", js_CodeName[*pc]);
             MaybeDumpObject("staticScope", i.script()->getStaticScope(pc));
         }
         MaybeDumpValue("this", i.thisv());
         if (!i.isJit()) {
             fprintf(stderr, "  rval: ");
             dumpValue(i.interpFrame()->returnValue());
             fputc('\n', stderr);
         }
         fprintf(stderr, "  flags:");
         if (i.isConstructing())
             fprintf(stderr, " constructing");
         if (!i.isJit() && i.interpFrame()->isDebuggerFrame())
             fprintf(stderr, " debugger");
         if (i.isEvalFrame())
             fprintf(stderr, " eval");
         if (!i.isJit() && i.interpFrame()->isYielding())
             fprintf(stderr, " yielding");
         if (!i.isJit() && i.interpFrame()->isGeneratorFrame())
             fprintf(stderr, " generator");
         fputc('\n', stderr);
         fprintf(stderr, "  scopeChain: (JSObject *) %p\n", (void *) i.scopeChain());
         fputc('\n', stderr);
     }
 }
 #endif /* DEBUG */
 JS_FRIEND_API(void)
 js_DumpBacktrace(JSContext *cx)
 {
     Sprinter sprinter(cx);
     sprinter.init();
     size_t depth = 0;
     for (ScriptFrameIter i(cx); !i.done(); ++i, ++depth) {
         const char *filename = JS_GetScriptFilename(i.script());
         unsigned line = JS_PCToLineNumber(cx, i.script(), i.pc());
         JSScript *script = i.script();
         sprinter.printf("#%d %14p   %s:%d (%p @ %d)\n",
                         depth, (i.isJit() ? 0 : i.interpFrame()), filename, line,
                         script, script->pcToOffset(i.pc()));
     }
     fprintf(stdout, "%s", sprinter.string());
 }
 void
 JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf, JS::ObjectsExtraSizes *sizes)
 {
     if (hasDynamicSlots())
         sizes->mallocHeapSlots += mallocSizeOf(slots);
     if (hasDynamicElements()) {
         js::ObjectElements *elements = getElementsHeader();
         sizes->mallocHeapElementsNonAsmJS += mallocSizeOf(elements);
     }
     // Other things may be measured in the future if DMD indicates it is worthwhile.
     if (is<JSFunction>() ||
         is<JSObject>() ||
         is<ArrayObject>() ||
         is<CallObject>() ||
         is<RegExpObject>() ||
         is<ProxyObject>())
     {
         // Do nothing.  But this function is hot, and we win by getting the
         // common cases out of the way early.  Some stats on the most common
         // classes, as measured during a vanilla browser session:
         // - (53.7%, 53.7%): Function
         // - (18.0%, 71.7%): Object
         // - (16.9%, 88.6%): Array
         // - ( 3.9%, 92.5%): Call
         // - ( 2.8%, 95.3%): RegExp
         // - ( 1.0%, 96.4%): Proxy
     } else if (is<ArgumentsObject>()) {
         sizes->mallocHeapArgumentsData += as<ArgumentsObject>().sizeOfMisc(mallocSizeOf);
     } else if (is<RegExpStaticsObject>()) {
         sizes->mallocHeapRegExpStatics += as<RegExpStaticsObject>().sizeOfData(mallocSizeOf);
     } else if (is<PropertyIteratorObject>()) {
         sizes->mallocHeapPropertyIteratorData += as<PropertyIteratorObject>().sizeOfMisc(mallocSizeOf);
     } else if (is<ArrayBufferObject>() || is<SharedArrayBufferObject>()) {
         ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, sizes);
 #ifdef JS_ION
     } else if (is<AsmJSModuleObject>()) {
         as<AsmJSModuleObject>().addSizeOfMisc(mallocSizeOf, &sizes->nonHeapCodeAsmJS,
                                               &sizes->mallocHeapAsmJSModuleData);
 #endif
 #ifdef JS_HAS_CTYPES
     } else {
         // This must be the last case.
         sizes->mallocHeapCtypesData +=
             js::SizeOfDataIfCDataObject(mallocSizeOf, const_cast<JSObject *>(this));
 #endif
     }
 }

The Tor Browser / annotate

js/src/jsobj.cpp@129ffea94266 (annotated)

js/src/jsobj.cpp