The Tor Browser: js/src/jsarray.cpp@a63d609f5ebe (annotated)

js/src/jsarray.cpp@a63d609f5ebe (annotated)

js/src/jsarray.cpp

Thu, 15 Jan 2015 15:55:04 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 15 Jan 2015 15:55:04 +0100
branch: TOR_BUG_9701
changeset 9: a63d609f5ebe
permissions: -rw-r--r--

Back out 97036ab72558 which inappropriately compared turds to third parties.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "jsarray.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/FloatingPoint.h"
 #include "mozilla/MathAlgorithms.h"
 #include "jsapi.h"
 #include "jsatom.h"
 #include "jscntxt.h"
 #include "jsfriendapi.h"
 #include "jsfun.h"
 #include "jsiter.h"
 #include "jsnum.h"
 #include "jsobj.h"
 #include "jstypes.h"
 #include "jsutil.h"
 #include "ds/Sort.h"
 #include "gc/Heap.h"
 #include "vm/ArgumentsObject.h"
 #include "vm/ForkJoin.h"
 #include "vm/Interpreter.h"
 #include "vm/NumericConversions.h"
 #include "vm/Shape.h"
 #include "vm/StringBuffer.h"
 #include "jsatominlines.h"
 #include "vm/ArgumentsObject-inl.h"
 #include "vm/ArrayObject-inl.h"
 #include "vm/Interpreter-inl.h"
 #include "vm/Runtime-inl.h"
 using namespace js;
 using namespace js::gc;
 using namespace js::types;
 using mozilla::Abs;
 using mozilla::ArrayLength;
 using mozilla::CeilingLog2;
 using mozilla::DebugOnly;
 using mozilla::IsNaN;
 using mozilla::PointerRangeSize;
 bool
 js::GetLengthProperty(JSContext *cx, HandleObject obj, uint32_t *lengthp)
 {
     if (obj->is<ArrayObject>()) {
         *lengthp = obj->as<ArrayObject>().length();
         return true;
     }
     if (obj->is<ArgumentsObject>()) {
         ArgumentsObject &argsobj = obj->as<ArgumentsObject>();
         if (!argsobj.hasOverriddenLength()) {
             *lengthp = argsobj.initialLength();
             return true;
         }
     }
     RootedValue value(cx);
     if (!JSObject::getProperty(cx, obj, obj, cx->names().length, &value))
         return false;
     if (value.isInt32()) {
         *lengthp = uint32_t(value.toInt32()); // uint32_t cast does ToUint32
         return true;
     }
     return ToUint32(cx, value, lengthp);
 }
 /*
  * Determine if the id represents an array index.
  *
  * An id is an array index according to ECMA by (15.4):
  *
  * "Array objects give special treatment to a certain class of property names.
  * A property name P (in the form of a string value) is an array index if and
  * only if ToString(ToUint32(P)) is equal to P and ToUint32(P) is not equal
  * to 2^32-1."
  *
  * This means the largest allowed index is actually 2^32-2 (4294967294).
  *
  * In our implementation, it would be sufficient to check for JSVAL_IS_INT(id)
  * except that by using signed 31-bit integers we miss the top half of the
  * valid range. This function checks the string representation itself; note
  * that calling a standard conversion routine might allow strings such as
  * "08" or "4.0" as array indices, which they are not.
  *
  */
 JS_FRIEND_API(bool)
 js::StringIsArrayIndex(JSLinearString *str, uint32_t *indexp)
 {
     const jschar *s = str->chars();
     uint32_t length = str->length();
     const jschar *end = s + length;
     if (length == 0 || length > (sizeof("4294967294") - 1) || !JS7_ISDEC(*s))
         return false;
     uint32_t c = 0, previous = 0;
     uint32_t index = JS7_UNDEC(*s++);
     /* Don't allow leading zeros. */
     if (index == 0 && s != end)
         return false;
     for (; s < end; s++) {
         if (!JS7_ISDEC(*s))
             return false;
         previous = index;
         c = JS7_UNDEC(*s);
         index = 10 * index + c;
     }
     /* Make sure we didn't overflow. */
     if (previous < (MAX_ARRAY_INDEX / 10) || (previous == (MAX_ARRAY_INDEX / 10) &&
         c <= (MAX_ARRAY_INDEX % 10))) {
         JS_ASSERT(index <= MAX_ARRAY_INDEX);
         *indexp = index;
         return true;
     }
     return false;
 }
 static bool
 ToId(JSContext *cx, double index, MutableHandleId id)
 {
     if (index == uint32_t(index))
         return IndexToId(cx, uint32_t(index), id);
     Value tmp = DoubleValue(index);
     return ValueToId<CanGC>(cx, HandleValue::fromMarkedLocation(&tmp), id);
 }
 static bool
 ToId(JSContext *cx, uint32_t index, MutableHandleId id)
 {
     return IndexToId(cx, index, id);
 }
 /*
  * If the property at the given index exists, get its value into location
  * pointed by vp and set *hole to false. Otherwise set *hole to true and *vp
  * to JSVAL_VOID. This function assumes that the location pointed by vp is
  * properly rooted and can be used as GC-protected storage for temporaries.
  */
 template<typename IndexType>
 static inline bool
 DoGetElement(JSContext *cx, HandleObject obj, HandleObject receiver,
              IndexType index, bool *hole, MutableHandleValue vp)
 {
     RootedId id(cx);
     if (!ToId(cx, index, &id))
         return false;
     RootedObject obj2(cx);
     RootedShape prop(cx);
     if (!JSObject::lookupGeneric(cx, obj, id, &obj2, &prop))
         return false;
     if (!prop) {
         vp.setUndefined();
         *hole = true;
     } else {
         if (!JSObject::getGeneric(cx, obj, receiver, id, vp))
             return false;
         *hole = false;
     }
     return true;
 }
 template<typename IndexType>
 static void
 AssertGreaterThanZero(IndexType index)
 {
     JS_ASSERT(index >= 0);
     JS_ASSERT(index == floor(index));
 }
 template<>
 void
 AssertGreaterThanZero(uint32_t index)
 {
 }
 template<typename IndexType>
 static bool
 GetElement(JSContext *cx, HandleObject obj, HandleObject receiver,
            IndexType index, bool *hole, MutableHandleValue vp)
 {
     AssertGreaterThanZero(index);
     if (obj->isNative() && index < obj->getDenseInitializedLength()) {
         vp.set(obj->getDenseElement(uint32_t(index)));
         if (!vp.isMagic(JS_ELEMENTS_HOLE)) {
             *hole = false;
             return true;
         }
     }
     if (obj->is<ArgumentsObject>()) {
         if (obj->as<ArgumentsObject>().maybeGetElement(uint32_t(index), vp)) {
             *hole = false;
             return true;
         }
     }
     return DoGetElement(cx, obj, receiver, index, hole, vp);
 }
 template<typename IndexType>
 static inline bool
 GetElement(JSContext *cx, HandleObject obj, IndexType index, bool *hole, MutableHandleValue vp)
 {
     return GetElement(cx, obj, obj, index, hole, vp);
 }
 static bool
 GetElementsSlow(JSContext *cx, HandleObject aobj, uint32_t length, Value *vp)
 {
     for (uint32_t i = 0; i < length; i++) {
         if (!JSObject::getElement(cx, aobj, aobj, i, MutableHandleValue::fromMarkedLocation(&vp[i])))
             return false;
     }
     return true;
 }
 bool
 js::GetElements(JSContext *cx, HandleObject aobj, uint32_t length, Value *vp)
 {
     if (aobj->is<ArrayObject>() && length <= aobj->getDenseInitializedLength() &&
         !ObjectMayHaveExtraIndexedProperties(aobj))
     {
         /* No other indexed properties so hole = undefined */
         const Value *srcbeg = aobj->getDenseElements();
         const Value *srcend = srcbeg + length;
         const Value *src = srcbeg;
         for (Value *dst = vp; src < srcend; ++dst, ++src)
             *dst = src->isMagic(JS_ELEMENTS_HOLE) ? UndefinedValue() : *src;
         return true;
     }
     if (aobj->is<ArgumentsObject>()) {
         ArgumentsObject &argsobj = aobj->as<ArgumentsObject>();
         if (!argsobj.hasOverriddenLength()) {
             if (argsobj.maybeGetElements(0, length, vp))
                 return true;
         }
     }
     return GetElementsSlow(cx, aobj, length, vp);
 }
 /*
  * Set the value of the property at the given index to v assuming v is rooted.
  */
 static bool
 SetArrayElement(JSContext *cx, HandleObject obj, double index, HandleValue v)
 {
     JS_ASSERT(index >= 0);
     if (obj->is<ArrayObject>() && !obj->isIndexed()) {
         Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
         /* Predicted/prefetched code should favor the remains-dense case. */
         JSObject::EnsureDenseResult result = JSObject::ED_SPARSE;
         do {
             if (index > uint32_t(-1))
                 break;
             uint32_t idx = uint32_t(index);
             if (idx >= arr->length() && !arr->lengthIsWritable()) {
                 JS_ReportErrorFlagsAndNumber(cx, JSREPORT_ERROR, js_GetErrorMessage, nullptr,
                                              JSMSG_CANT_REDEFINE_ARRAY_LENGTH);
                 return false;
             }
             result = arr->ensureDenseElements(cx, idx, 1);
             if (result != JSObject::ED_OK)
                 break;
             if (idx >= arr->length())
                 arr->setLengthInt32(idx + 1);
             arr->setDenseElementWithType(cx, idx, v);
             return true;
         } while (false);
         if (result == JSObject::ED_FAILED)
             return false;
         JS_ASSERT(result == JSObject::ED_SPARSE);
     }
     RootedId id(cx);
     if (!ToId(cx, index, &id))
         return false;
     RootedValue tmp(cx, v);
     return JSObject::setGeneric(cx, obj, obj, id, &tmp, true);
 }
 /*
  * Attempt to delete the element |index| from |obj| as if by
  * |obj.[[Delete]](index)|.
  *
  * If an error occurs while attempting to delete the element (that is, the call
  * to [[Delete]] threw), return false.
  *
  * Otherwise set *succeeded to indicate whether the deletion attempt succeeded
  * (that is, whether the call to [[Delete]] returned true or false).  (Deletes
  * generally fail only when the property is non-configurable, but proxies may
  * implement different semantics.)
  */
 static bool
 DeleteArrayElement(JSContext *cx, HandleObject obj, double index, bool *succeeded)
 {
     JS_ASSERT(index >= 0);
     JS_ASSERT(floor(index) == index);
     if (obj->is<ArrayObject>() && !obj->isIndexed()) {
         if (index <= UINT32_MAX) {
             uint32_t idx = uint32_t(index);
             if (idx < obj->getDenseInitializedLength()) {
                 obj->markDenseElementsNotPacked(cx);
                 obj->setDenseElement(idx, MagicValue(JS_ELEMENTS_HOLE));
                 if (!js_SuppressDeletedElement(cx, obj, idx))
                     return false;
             }
         }
         *succeeded = true;
         return true;
     }
     if (index <= UINT32_MAX)
         return JSObject::deleteElement(cx, obj, uint32_t(index), succeeded);
     return JSObject::deleteByValue(cx, obj, DoubleValue(index), succeeded);
 }
 /* ES6 20130308 draft 9.3.5 */
 static bool
 DeletePropertyOrThrow(JSContext *cx, HandleObject obj, double index)
 {
     bool succeeded;
     if (!DeleteArrayElement(cx, obj, index, &succeeded))
         return false;
     if (succeeded)
         return true;
     RootedId id(cx);
     RootedValue indexv(cx, NumberValue(index));
     if (!ValueToId<CanGC>(cx, indexv, &id))
         return false;
     return obj->reportNotConfigurable(cx, id, JSREPORT_ERROR);
 }
 bool
 js::SetLengthProperty(JSContext *cx, HandleObject obj, double length)
 {
     RootedValue v(cx, NumberValue(length));
     return JSObject::setProperty(cx, obj, obj, cx->names().length, &v, true);
 }
 /*
  * Since SpiderMonkey supports cross-class prototype-based delegation, we have
  * to be careful about the length getter and setter being called on an object
  * not of Array class. For the getter, we search obj's prototype chain for the
  * array that caused this getter to be invoked. In the setter case to overcome
  * the JSPROP_SHARED attribute, we must define a shadowing length property.
  */
 static bool
 array_length_getter(JSContext *cx, HandleObject obj_, HandleId id, MutableHandleValue vp)
 {
     RootedObject obj(cx, obj_);
     do {
         if (obj->is<ArrayObject>()) {
             vp.setNumber(obj->as<ArrayObject>().length());
             return true;
         }
         if (!JSObject::getProto(cx, obj, &obj))
             return false;
     } while (obj);
     return true;
 }
 static bool
 array_length_setter(JSContext *cx, HandleObject obj, HandleId id, bool strict, MutableHandleValue vp)
 {
     if (!obj->is<ArrayObject>()) {
         return JSObject::defineProperty(cx, obj, cx->names().length, vp,
                                         nullptr, nullptr, JSPROP_ENUMERATE);
     }
     Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
     MOZ_ASSERT(arr->lengthIsWritable(),
                "setter shouldn't be called if property is non-writable");
     return ArraySetLength<SequentialExecution>(cx, arr, id, JSPROP_PERMANENT, vp, strict);
 }
 struct ReverseIndexComparator
 {
     bool operator()(const uint32_t& a, const uint32_t& b, bool *lessOrEqualp) {
         MOZ_ASSERT(a != b, "how'd we get duplicate indexes?");
         *lessOrEqualp = b <= a;
         return true;
     }
 };
 template <ExecutionMode mode>
 bool
 js::CanonicalizeArrayLengthValue(typename ExecutionModeTraits<mode>::ContextType cx,
                                  HandleValue v, uint32_t *newLen)
 {
     double d;
     if (mode == ParallelExecution) {
         if (v.isObject())
             return false;
         if (!NonObjectToUint32(cx, v, newLen))
             return false;
         if (!NonObjectToNumber(cx, v, &d))
             return false;
     } else {
         if (!ToUint32(cx->asJSContext(), v, newLen))
             return false;
         if (!ToNumber(cx->asJSContext(), v, &d))
             return false;
     }
     if (d == *newLen)
         return true;
     if (cx->isJSContext())
         JS_ReportErrorNumber(cx->asJSContext(), js_GetErrorMessage, nullptr,
                              JSMSG_BAD_ARRAY_LENGTH);
     return false;
 }
 template bool
 js::CanonicalizeArrayLengthValue<SequentialExecution>(JSContext *cx,
                                                       HandleValue v, uint32_t *newLen);
 template bool
 js::CanonicalizeArrayLengthValue<ParallelExecution>(ForkJoinContext *cx,
                                                     HandleValue v, uint32_t *newLen);
 /* ES6 20130308 draft 8.4.2.4 ArraySetLength */
 template <ExecutionMode mode>
 bool
 js::ArraySetLength(typename ExecutionModeTraits<mode>::ContextType cxArg,
                    Handle<ArrayObject*> arr, HandleId id,
                    unsigned attrs, HandleValue value, bool setterIsStrict)
 {
     MOZ_ASSERT(cxArg->isThreadLocal(arr));
     MOZ_ASSERT(id == NameToId(cxArg->names().length));
     /* Steps 1-2 are irrelevant in our implementation. */
     /* Steps 3-5. */
     uint32_t newLen;
     if (!CanonicalizeArrayLengthValue<mode>(cxArg, value, &newLen))
         return false;
     // Abort if we're being asked to change enumerability or configurability.
     // (The length property of arrays is non-configurable, so such attempts
     // must fail.)  This behavior is spread throughout the ArraySetLength spec
     // algorithm, but we only need check it once as our array implementation
     // is internally so different from the spec algorithm.  (ES5 and ES6 define
     // behavior by delegating to the default define-own-property algorithm --
     // OrdinaryDefineOwnProperty in ES6, the default [[DefineOwnProperty]] in
     // ES5 -- but we reimplement all the conflict-detection bits ourselves here
     // so that we can use a customized length representation.)
     if (!(attrs & JSPROP_PERMANENT) || (attrs & JSPROP_ENUMERATE)) {
         if (!setterIsStrict)
             return true;
         // Bail for strict mode in parallel execution, as we need to go back
         // to sequential mode to throw the error.
         if (mode == ParallelExecution)
             return false;
         return Throw(cxArg->asJSContext(), id, JSMSG_CANT_REDEFINE_PROP);
     }
     /* Steps 6-7. */
     bool lengthIsWritable = arr->lengthIsWritable();
 #ifdef DEBUG
     {
         RootedShape lengthShape(cxArg, arr->nativeLookupPure(id));
         MOZ_ASSERT(lengthShape);
         MOZ_ASSERT(lengthShape->writable() == lengthIsWritable);
     }
 #endif
     uint32_t oldLen = arr->length();
     /* Steps 8-9 for arrays with non-writable length. */
     if (!lengthIsWritable) {
         if (newLen == oldLen)
             return true;
         if (!cxArg->isJSContext())
             return false;
         if (setterIsStrict) {
             return JS_ReportErrorFlagsAndNumber(cxArg->asJSContext(),
                                                 JSREPORT_ERROR, js_GetErrorMessage, nullptr,
                                                 JSMSG_CANT_REDEFINE_ARRAY_LENGTH);
         }
         return JSObject::reportReadOnly(cxArg->asJSContext(), id,
                                         JSREPORT_STRICT | JSREPORT_WARNING);
     }
     /* Step 8. */
     bool succeeded = true;
     do {
         // The initialized length and capacity of an array only need updating
         // when non-hole elements are added or removed, which doesn't happen
         // when array length stays the same or increases.
         if (newLen >= oldLen)
             break;
         // Attempt to propagate dense-element optimization tricks, if possible,
         // and avoid the generic (and accordingly slow) deletion code below.
         // We can only do this if there are only densely-indexed elements.
         // Once there's a sparse indexed element, there's no good way to know,
         // save by enumerating all the properties to find it.  But we *have* to
         // know in case that sparse indexed element is non-configurable, as
         // that element must prevent any deletions below it.  Bug 586842 should
         // fix this inefficiency by moving indexed storage to be entirely
         // separate from non-indexed storage.
         if (!arr->isIndexed()) {
             uint32_t oldCapacity = arr->getDenseCapacity();
             uint32_t oldInitializedLength = arr->getDenseInitializedLength();
             MOZ_ASSERT(oldCapacity >= oldInitializedLength);
             if (oldInitializedLength > newLen)
                 arr->setDenseInitializedLength(newLen);
             if (oldCapacity > newLen)
                 arr->shrinkElements(cxArg, newLen);
             // We've done the work of deleting any dense elements needing
             // deletion, and there are no sparse elements.  Thus we can skip
             // straight to defining the length.
             break;
         }
         // Bail from parallel execution if need to perform step 15, which is
         // unsafe and isn't a common case.
         if (mode == ParallelExecution)
             return false;
         JSContext *cx = cxArg->asJSContext();
         // Step 15.
         //
         // Attempt to delete all elements above the new length, from greatest
         // to least.  If any of these deletions fails, we're supposed to define
         // the length to one greater than the index that couldn't be deleted,
         // *with the property attributes specified*.  This might convert the
         // length to be not the value specified, yet non-writable.  (You may be
         // forgiven for thinking these are interesting semantics.)  Example:
         //
         //   var arr =
         //     Object.defineProperty([0, 1, 2, 3], 1, { writable: false });
         //   Object.defineProperty(arr, "length",
         //                         { value: 0, writable: false });
         //
         // will convert |arr| to an array of non-writable length two, then
         // throw a TypeError.
         //
         // We implement this behavior, in the relevant lops below, by setting
         // |succeeded| to false.  Then we exit the loop, define the length
         // appropriately, and only then throw a TypeError, if necessary.
         uint32_t gap = oldLen - newLen;
         const uint32_t RemoveElementsFastLimit = 1 << 24;
         if (gap < RemoveElementsFastLimit) {
             // If we're removing a relatively small number of elements, just do
             // it exactly by the spec.
             while (newLen < oldLen) {
                 /* Step 15a. */
                 oldLen--;
                 /* Steps 15b-d. */
                 bool deleteSucceeded;
                 if (!JSObject::deleteElement(cx, arr, oldLen, &deleteSucceeded))
                     return false;
                 if (!deleteSucceeded) {
                     newLen = oldLen + 1;
                     succeeded = false;
                     break;
                 }
             }
         } else {
             // If we're removing a large number of elements from an array
             // that's probably sparse, try a different tack.  Get all the own
             // property names, sift out the indexes in the deletion range into
             // a vector, sort the vector greatest to least, then delete the
             // indexes greatest to least using that vector.  See bug 322135.
             //
             // This heuristic's kind of a huge guess -- "large number of
             // elements" and "probably sparse" are completely unprincipled
             // predictions.  In the long run, bug 586842 will support the right
             // fix: store sparse elements in a sorted data structure that
             // permits fast in-reverse-order traversal and concurrent removals.
             Vector<uint32_t> indexes(cx);
             {
                 AutoIdVector props(cx);
                 if (!GetPropertyNames(cx, arr, JSITER_OWNONLY | JSITER_HIDDEN, &props))
                     return false;
                 for (size_t i = 0; i < props.length(); i++) {
                     if (!CheckForInterrupt(cx))
                         return false;
                     uint32_t index;
                     if (!js_IdIsIndex(props[i], &index))
                         continue;
                     if (index >= newLen && index < oldLen) {
                         if (!indexes.append(index))
                             return false;
                     }
                 }
             }
             uint32_t count = indexes.length();
             {
                 // We should use radix sort to be O(n), but this is uncommon
                 // enough that we'll punt til someone complains.
                 Vector<uint32_t> scratch(cx);
                 if (!scratch.resize(count))
                     return false;
                 MOZ_ALWAYS_TRUE(MergeSort(indexes.begin(), count, scratch.begin(),
                                           ReverseIndexComparator()));
             }
             uint32_t index = UINT32_MAX;
             for (uint32_t i = 0; i < count; i++) {
                 MOZ_ASSERT(indexes[i] < index, "indexes should never repeat");
                 index = indexes[i];
                 /* Steps 15b-d. */
                 bool deleteSucceeded;
                 if (!JSObject::deleteElement(cx, arr, index, &deleteSucceeded))
                     return false;
                 if (!deleteSucceeded) {
                     newLen = index + 1;
                     succeeded = false;
                     break;
                 }
             }
         }
     } while (false);
     /* Steps 12, 16. */
     // Yes, we totally drop a non-stub getter/setter from a defineProperty
     // API call on the floor here.  Given that getter/setter will go away in
     // the long run, with accessors replacing them both internally and at the
     // API level, just run with this.
     RootedShape lengthShape(cxArg, mode == ParallelExecution
                             ? arr->nativeLookupPure(id)
                             : arr->nativeLookup(cxArg->asJSContext(), id));
     if (!JSObject::changeProperty<mode>(cxArg, arr, lengthShape, attrs,
                                         JSPROP_PERMANENT | JSPROP_READONLY | JSPROP_SHARED,
                                         array_length_getter, array_length_setter))
     {
         return false;
     }
     if (mode == ParallelExecution) {
         // Overflowing int32 requires changing TI state.
         if (newLen > INT32_MAX)
             return false;
         arr->setLengthInt32(newLen);
     } else {
         JSContext *cx = cxArg->asJSContext();
         arr->setLength(cx, newLen);
     }
     // All operations past here until the |!succeeded| code must be infallible,
     // so that all element fields remain properly synchronized.
     // Trim the initialized length, if needed, to preserve the <= length
     // invariant.  (Capacity was already reduced during element deletion, if
     // necessary.)
     ObjectElements *header = arr->getElementsHeader();
     header->initializedLength = Min(header->initializedLength, newLen);
     if (attrs & JSPROP_READONLY) {
         header->setNonwritableArrayLength();
         // When an array's length becomes non-writable, writes to indexes
         // greater than or equal to the length don't change the array.  We
         // handle this with a check for non-writable length in most places.
         // But in JIT code every check counts -- so we piggyback the check on
         // the already-required range check for |index < capacity| by making
         // capacity of arrays with non-writable length never exceed the length.
         if (arr->getDenseCapacity() > newLen) {
             arr->shrinkElements(cxArg, newLen);
             arr->getElementsHeader()->capacity = newLen;
         }
     }
     if (setterIsStrict && !succeeded) {
         // We can't have arrived here under ParallelExecution, as we have
         // returned from the function before step 15 above.
         JSContext *cx = cxArg->asJSContext();
         RootedId elementId(cx);
         if (!IndexToId(cx, newLen - 1, &elementId))
             return false;
         return arr->reportNotConfigurable(cx, elementId);
     }
     return true;
 }
 template bool
 js::ArraySetLength<SequentialExecution>(JSContext *cx, Handle<ArrayObject*> arr,
                                         HandleId id, unsigned attrs, HandleValue value,
                                         bool setterIsStrict);
 template bool
 js::ArraySetLength<ParallelExecution>(ForkJoinContext *cx, Handle<ArrayObject*> arr,
                                       HandleId id, unsigned attrs, HandleValue value,
                                       bool setterIsStrict);
 bool
 js::WouldDefinePastNonwritableLength(ThreadSafeContext *cx,
                                      HandleObject obj, uint32_t index, bool strict,
                                      bool *definesPast)
 {
     if (!obj->is<ArrayObject>()) {
         *definesPast = false;
         return true;
     }
     Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
     uint32_t length = arr->length();
     if (index < length) {
         *definesPast = false;
         return true;
     }
     if (arr->lengthIsWritable()) {
         *definesPast = false;
         return true;
     }
     *definesPast = true;
     // Error in strict mode code or warn with strict option.
     unsigned flags = strict ? JSREPORT_ERROR : (JSREPORT_STRICT | JSREPORT_WARNING);
     if (cx->isForkJoinContext())
         return cx->asForkJoinContext()->reportError(ParallelBailoutUnsupportedVM, flags);
     if (!cx->isJSContext())
         return true;
     JSContext *ncx = cx->asJSContext();
     if (!strict && !ncx->options().extraWarnings())
         return true;
     // XXX include the index and maybe array length in the error message
     return JS_ReportErrorFlagsAndNumber(ncx, flags, js_GetErrorMessage, nullptr,
                                         JSMSG_CANT_DEFINE_PAST_ARRAY_LENGTH);
 }
 static bool
 array_addProperty(JSContext *cx, HandleObject obj, HandleId id, MutableHandleValue vp)
 {
     Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
     uint32_t index;
     if (!js_IdIsIndex(id, &index))
         return true;
     uint32_t length = arr->length();
     if (index >= length) {
         MOZ_ASSERT(arr->lengthIsWritable(),
                    "how'd this element get added if length is non-writable?");
         arr->setLength(cx, index + 1);
     }
     return true;
 }
 bool
 js::ObjectMayHaveExtraIndexedProperties(JSObject *obj)
 {
     /*
      * Whether obj may have indexed properties anywhere besides its dense
      * elements. This includes other indexed properties in its shape hierarchy,
      * and indexed properties or elements along its prototype chain.
      */
     JS_ASSERT(obj->isNative());
     if (obj->isIndexed())
         return true;
     /*
      * Walk up the prototype chain and see if this indexed element already
      * exists. If we hit the end of the prototype chain, it's safe to set the
      * element on the original object.
      */
     while ((obj = obj->getProto()) != nullptr) {
         /*
          * If the prototype is a non-native object (possibly a dense array), or
          * a native object (possibly a slow array) that has indexed properties,
          * return true.
          */
         if (!obj->isNative())
             return true;
         if (obj->isIndexed())
             return true;
         if (obj->getDenseInitializedLength() > 0)
             return true;
         if (obj->is<TypedArrayObject>())
             return true;
     }
     return false;
 }
 const Class ArrayObject::class_ = {
     "Array",
     JSCLASS_HAS_CACHED_PROTO(JSProto_Array),
     array_addProperty,
     JS_DeletePropertyStub,   /* delProperty */
     JS_PropertyStub,         /* getProperty */
     JS_StrictPropertyStub,   /* setProperty */
     JS_EnumerateStub,
     JS_ResolveStub,
     JS_ConvertStub,
     nullptr,
     nullptr,        /* call        */
     nullptr,        /* hasInstance */
     nullptr,        /* construct   */
     nullptr         /* trace       */
 };
 static bool
 AddLengthProperty(ExclusiveContext *cx, HandleObject obj)
 {
     /*
      * Add the 'length' property for a newly created array,
      * and update the elements to be an empty array owned by the object.
      * The shared emptyObjectElements singleton cannot be used for slow arrays,
      * as accesses to 'length' will use the elements header.
      */
     RootedId lengthId(cx, NameToId(cx->names().length));
     JS_ASSERT(!obj->nativeLookup(cx, lengthId));
     return JSObject::addProperty(cx, obj, lengthId, array_length_getter, array_length_setter,
                                  SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED, 0,
                                  /* allowDictionary = */ false);
 }
 #if JS_HAS_TOSOURCE
 MOZ_ALWAYS_INLINE bool
 IsArray(HandleValue v)
 {
     return v.isObject() && v.toObject().is<ArrayObject>();
 }
 MOZ_ALWAYS_INLINE bool
 array_toSource_impl(JSContext *cx, CallArgs args)
 {
     JS_ASSERT(IsArray(args.thisv()));
     Rooted<JSObject*> obj(cx, &args.thisv().toObject());
     RootedValue elt(cx);
     AutoCycleDetector detector(cx, obj);
     if (!detector.init())
         return false;
     StringBuffer sb(cx);
     if (detector.foundCycle()) {
         if (!sb.append("[]"))
             return false;
         goto make_string;
     }
     if (!sb.append('['))
         return false;
     uint32_t length;
     if (!GetLengthProperty(cx, obj, &length))
         return false;
     for (uint32_t index = 0; index < length; index++) {
         bool hole;
         if (!CheckForInterrupt(cx) ||
             !GetElement(cx, obj, index, &hole, &elt)) {
             return false;
         }
         /* Get element's character string. */
         JSString *str;
         if (hole) {
             str = cx->runtime()->emptyString;
         } else {
             str = ValueToSource(cx, elt);
             if (!str)
                 return false;
         }
         /* Append element to buffer. */
         if (!sb.append(str))
             return false;
         if (index + 1 != length) {
             if (!sb.append(", "))
                 return false;
         } else if (hole) {
             if (!sb.append(','))
                 return false;
         }
     }
     /* Finalize the buffer. */
     if (!sb.append(']'))
         return false;
   make_string:
     JSString *str = sb.finishString();
     if (!str)
         return false;
     args.rval().setString(str);
     return true;
 }
 static bool
 array_toSource(JSContext *cx, unsigned argc, Value *vp)
 {
     JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
     return CallNonGenericMethod<IsArray, array_toSource_impl>(cx, args);
 }
 #endif
 struct EmptySeparatorOp
 {
     bool operator()(JSContext *, StringBuffer &sb) { return true; }
 };
 struct CharSeparatorOp
 {
     jschar sep;
     CharSeparatorOp(jschar sep) : sep(sep) {};
     bool operator()(JSContext *, StringBuffer &sb) { return sb.append(sep); }
 };
 struct StringSeparatorOp
 {
     const jschar *sepchars;
     size_t seplen;
     StringSeparatorOp(const jschar *sepchars, size_t seplen)
       : sepchars(sepchars), seplen(seplen) {};
     bool operator()(JSContext *cx, StringBuffer &sb) {
         return sb.append(sepchars, seplen);
     }
 };
 template <bool Locale, typename SeparatorOp>
 static bool
 ArrayJoinKernel(JSContext *cx, SeparatorOp sepOp, HandleObject obj, uint32_t length,
                StringBuffer &sb)
 {
     uint32_t i = 0;
     if (!Locale && obj->is<ArrayObject>() && !ObjectMayHaveExtraIndexedProperties(obj)) {
         // This loop handles all elements up to initializedLength. If
         // length > initLength we rely on the second loop to add the
         // other elements.
         uint32_t initLength = obj->getDenseInitializedLength();
         while (i < initLength) {
             if (!CheckForInterrupt(cx))
                 return false;
             const Value &elem = obj->getDenseElement(i);
             if (elem.isString()) {
                 if (!sb.append(elem.toString()))
                     return false;
             } else if (elem.isNumber()) {
                 if (!NumberValueToStringBuffer(cx, elem, sb))
                     return false;
             } else if (elem.isBoolean()) {
                 if (!BooleanToStringBuffer(elem.toBoolean(), sb))
                     return false;
             } else if (elem.isObject()) {
                 /*
                  * Object stringifying could modify the initialized length or make
                  * the array sparse. Delegate it to a separate loop to keep this
                  * one tight.
                  */
                 break;
             } else {
                 JS_ASSERT(elem.isMagic(JS_ELEMENTS_HOLE) || elem.isNullOrUndefined());
             }
             if (++i != length && !sepOp(cx, sb))
                 return false;
         }
     }
     if (i != length) {
         RootedValue v(cx);
         while (i < length) {
             if (!CheckForInterrupt(cx))
                 return false;
             bool hole;
             if (!GetElement(cx, obj, i, &hole, &v))
                 return false;
             if (!hole && !v.isNullOrUndefined()) {
                 if (Locale) {
                     JSObject *robj = ToObject(cx, v);
                     if (!robj)
                         return false;
                     RootedId id(cx, NameToId(cx->names().toLocaleString));
                     if (!robj->callMethod(cx, id, 0, nullptr, &v))
                         return false;
                 }
                 if (!ValueToStringBuffer(cx, v, sb))
                     return false;
             }
             if (++i != length && !sepOp(cx, sb))
                 return false;
         }
     }
     return true;
 }
 template <bool Locale>
 static bool
 ArrayJoin(JSContext *cx, CallArgs &args)
 {
     // This method is shared by Array.prototype.join and
     // Array.prototype.toLocaleString. The steps in ES5 are nearly the same, so
     // the annotations in this function apply to both toLocaleString and join.
     // Step 1
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     AutoCycleDetector detector(cx, obj);
     if (!detector.init())
         return false;
     if (detector.foundCycle()) {
         args.rval().setString(cx->names().empty);
         return true;
     }
     // Steps 2 and 3
     uint32_t length;
     if (!GetLengthProperty(cx, obj, &length))
         return false;
     // Steps 4 and 5
     RootedString sepstr(cx, nullptr);
     const jschar *sepchars;
     size_t seplen;
     if (!Locale && args.hasDefined(0)) {
         sepstr = ToString<CanGC>(cx, args[0]);
         if (!sepstr)
             return false;
         sepchars = sepstr->getChars(cx);
         if (!sepchars)
             return false;
         seplen = sepstr->length();
     } else {
         HandlePropertyName comma = cx->names().comma;
         sepstr = comma;
         sepchars = comma->chars();
         seplen = comma->length();
     }
     JS::Anchor<JSString*> anchor(sepstr);
     // Step 6 is implicit in the loops below.
     // An optimized version of a special case of steps 7-11: when length==1 and
     // the 0th element is a string, ToString() of that element is a no-op and
     // so it can be immediately returned as the result.
     if (length == 1 && !Locale && obj->is<ArrayObject>() &&
         obj->getDenseInitializedLength() == 1)
     {
         const Value &elem0 = obj->getDenseElement(0);
         if (elem0.isString()) {
             args.rval().setString(elem0.toString());
             return true;
         }
     }
     StringBuffer sb(cx);
     // The separator will be added |length - 1| times, reserve space for that
     // so that we don't have to unnecessarily grow the buffer.
     if (length > 0 && !sb.reserve(seplen * (length - 1)))
         return false;
     // Various optimized versions of steps 7-10.
     if (seplen == 0) {
         EmptySeparatorOp op;
         if (!ArrayJoinKernel<Locale>(cx, op, obj, length, sb))
             return false;
     } else if (seplen == 1) {
         CharSeparatorOp op(sepchars[0]);
         if (!ArrayJoinKernel<Locale>(cx, op, obj, length, sb))
             return false;
     } else {
         StringSeparatorOp op(sepchars, seplen);
         if (!ArrayJoinKernel<Locale>(cx, op, obj, length, sb))
             return false;
     }
     // Step 11
     JSString *str = sb.finishString();
     if (!str)
         return false;
     args.rval().setString(str);
     return true;
 }
 /* ES5 15.4.4.2. NB: The algorithm here differs from the one in ES3. */
 static bool
 array_toString(JSContext *cx, unsigned argc, Value *vp)
 {
     JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     RootedValue join(cx, args.calleev());
     if (!JSObject::getProperty(cx, obj, obj, cx->names().join, &join))
         return false;
     if (!js_IsCallable(join)) {
         JSString *str = JS_BasicObjectToString(cx, obj);
         if (!str)
             return false;
         args.rval().setString(str);
         return true;
     }
     InvokeArgs args2(cx);
     if (!args2.init(0))
         return false;
     args2.setCallee(join);
     args2.setThis(ObjectValue(*obj));
     /* Do the call. */
     if (!Invoke(cx, args2))
         return false;
     args.rval().set(args2.rval());
     return true;
 }
 /* ES5 15.4.4.3 */
 static bool
 array_toLocaleString(JSContext *cx, unsigned argc, Value *vp)
 {
     JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
     return ArrayJoin<true>(cx, args);
 }
 /* ES5 15.4.4.5 */
 static bool
 array_join(JSContext *cx, unsigned argc, Value *vp)
 {
     JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
     return ArrayJoin<false>(cx, args);
 }
 static inline bool
 InitArrayTypes(JSContext *cx, TypeObject *type, const Value *vector, unsigned count)
 {
     if (!type->unknownProperties()) {
         AutoEnterAnalysis enter(cx);
         HeapTypeSet *types = type->getProperty(cx, JSID_VOID);
         if (!types)
             return false;
         for (unsigned i = 0; i < count; i++) {
             if (vector[i].isMagic(JS_ELEMENTS_HOLE))
                 continue;
             Type valtype = GetValueType(vector[i]);
             types->addType(cx, valtype);
         }
     }
     return true;
 }
 enum ShouldUpdateTypes
 {
     UpdateTypes = true,
     DontUpdateTypes = false
 };
 /* vector must point to rooted memory. */
 static bool
 InitArrayElements(JSContext *cx, HandleObject obj, uint32_t start, uint32_t count, const Value *vector, ShouldUpdateTypes updateTypes)
 {
     JS_ASSERT(count <= MAX_ARRAY_INDEX);
     if (count == 0)
         return true;
     types::TypeObject *type = obj->getType(cx);
     if (!type)
         return false;
     if (updateTypes && !InitArrayTypes(cx, type, vector, count))
         return false;
     /*
      * Optimize for dense arrays so long as adding the given set of elements
      * wouldn't otherwise make the array slow or exceed a non-writable array
      * length.
      */
     do {
         if (!obj->is<ArrayObject>())
             break;
         if (ObjectMayHaveExtraIndexedProperties(obj))
             break;
         if (obj->shouldConvertDoubleElements())
             break;
         Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
         if (!arr->lengthIsWritable() && start + count > arr->length())
             break;
         JSObject::EnsureDenseResult result = arr->ensureDenseElements(cx, start, count);
         if (result != JSObject::ED_OK) {
             if (result == JSObject::ED_FAILED)
                 return false;
             JS_ASSERT(result == JSObject::ED_SPARSE);
             break;
         }
         uint32_t newlen = start + count;
         if (newlen > arr->length())
             arr->setLengthInt32(newlen);
         JS_ASSERT(count < UINT32_MAX / sizeof(Value));
         arr->copyDenseElements(start, vector, count);
         JS_ASSERT_IF(count != 0, !arr->getDenseElement(newlen - 1).isMagic(JS_ELEMENTS_HOLE));
         return true;
     } while (false);
     const Value* end = vector + count;
     while (vector < end && start <= MAX_ARRAY_INDEX) {
         if (!CheckForInterrupt(cx) ||
             !SetArrayElement(cx, obj, start++, HandleValue::fromMarkedLocation(vector++))) {
             return false;
         }
     }
     if (vector == end)
         return true;
     JS_ASSERT(start == MAX_ARRAY_INDEX + 1);
     RootedValue value(cx);
     RootedId id(cx);
     RootedValue indexv(cx);
     double index = MAX_ARRAY_INDEX + 1;
     do {
         value = *vector++;
         indexv = DoubleValue(index);
         if (!ValueToId<CanGC>(cx, indexv, &id) ||
             !JSObject::setGeneric(cx, obj, obj, id, &value, true))
         {
             return false;
         }
         index += 1;
     } while (vector != end);
     return true;
 }
 static bool
 array_reverse(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     uint32_t len;
     if (!GetLengthProperty(cx, obj, &len))
         return false;
     do {
         if (!obj->is<ArrayObject>())
             break;
         if (ObjectMayHaveExtraIndexedProperties(obj))
             break;
         /* An empty array or an array with no elements is already reversed. */
         if (len == 0 || obj->getDenseCapacity() == 0) {
             args.rval().setObject(*obj);
             return true;
         }
         /*
          * It's actually surprisingly complicated to reverse an array due to the
          * orthogonality of array length and array capacity while handling
          * leading and trailing holes correctly.  Reversing seems less likely to
          * be a common operation than other array mass-mutation methods, so for
          * now just take a probably-small memory hit (in the absence of too many
          * holes in the array at its start) and ensure that the capacity is
          * sufficient to hold all the elements in the array if it were full.
          */
         JSObject::EnsureDenseResult result = obj->ensureDenseElements(cx, len, 0);
         if (result != JSObject::ED_OK) {
             if (result == JSObject::ED_FAILED)
                 return false;
             JS_ASSERT(result == JSObject::ED_SPARSE);
             break;
         }
         /* Fill out the array's initialized length to its proper length. */
         obj->ensureDenseInitializedLength(cx, len, 0);
         RootedValue origlo(cx), orighi(cx);
         uint32_t lo = 0, hi = len - 1;
         for (; lo < hi; lo++, hi--) {
             origlo = obj->getDenseElement(lo);
             orighi = obj->getDenseElement(hi);
             obj->setDenseElement(lo, orighi);
             if (orighi.isMagic(JS_ELEMENTS_HOLE) &&
                 !js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(lo))) {
                 return false;
             }
             obj->setDenseElement(hi, origlo);
             if (origlo.isMagic(JS_ELEMENTS_HOLE) &&
                 !js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(hi))) {
                 return false;
             }
         }
         /*
          * Per ECMA-262, don't update the length of the array, even if the new
          * array has trailing holes (and thus the original array began with
          * holes).
          */
         args.rval().setObject(*obj);
         return true;
     } while (false);
     RootedValue lowval(cx), hival(cx);
     for (uint32_t i = 0, half = len / 2; i < half; i++) {
         bool hole, hole2;
         if (!CheckForInterrupt(cx) ||
             !GetElement(cx, obj, i, &hole, &lowval) ||
             !GetElement(cx, obj, len - i - 1, &hole2, &hival))
         {
             return false;
         }
         if (!hole && !hole2) {
             if (!SetArrayElement(cx, obj, i, hival))
                 return false;
             if (!SetArrayElement(cx, obj, len - i - 1, lowval))
                 return false;
         } else if (hole && !hole2) {
             if (!SetArrayElement(cx, obj, i, hival))
                 return false;
             if (!DeletePropertyOrThrow(cx, obj, len - i - 1))
                 return false;
         } else if (!hole && hole2) {
             if (!DeletePropertyOrThrow(cx, obj, i))
                 return false;
             if (!SetArrayElement(cx, obj, len - i - 1, lowval))
                 return false;
         } else {
             // No action required.
         }
     }
     args.rval().setObject(*obj);
     return true;
 }
 namespace {
 inline bool
 CompareStringValues(JSContext *cx, const Value &a, const Value &b, bool *lessOrEqualp)
 {
     if (!CheckForInterrupt(cx))
         return false;
     JSString *astr = a.toString();
     JSString *bstr = b.toString();
     int32_t result;
     if (!CompareStrings(cx, astr, bstr, &result))
         return false;
     *lessOrEqualp = (result <= 0);
     return true;
 }
 static const uint64_t powersOf10[] = {
 , 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000, 1000000000000ULL
 };
 static inline unsigned
 NumDigitsBase10(uint32_t n)
 {
     /*
      * This is just floor_log10(n) + 1
      * Algorithm taken from
      * http://graphics.stanford.edu/~seander/bithacks.html#IntegerLog10
      */
     uint32_t log2 = CeilingLog2(n);
     uint32_t t = log2 * 1233 >> 12;
     return t - (n < powersOf10[t]) + 1;
 }
 static inline bool
 CompareLexicographicInt32(const Value &a, const Value &b, bool *lessOrEqualp)
 {
     int32_t aint = a.toInt32();
     int32_t bint = b.toInt32();
     /*
      * If both numbers are equal ... trivial
      * If only one of both is negative --> arithmetic comparison as char code
      * of '-' is always less than any other digit
      * If both numbers are negative convert them to positive and continue
      * handling ...
      */
     if (aint == bint) {
         *lessOrEqualp = true;
     } else if ((aint < 0) && (bint >= 0)) {
         *lessOrEqualp = true;
     } else if ((aint >= 0) && (bint < 0)) {
         *lessOrEqualp = false;
     } else {
         uint32_t auint = Abs(aint);
         uint32_t buint = Abs(bint);
         /*
          *  ... get number of digits of both integers.
          * If they have the same number of digits --> arithmetic comparison.
          * If digits_a > digits_b: a < b*10e(digits_a - digits_b).
          * If digits_b > digits_a: a*10e(digits_b - digits_a) <= b.
          */
         unsigned digitsa = NumDigitsBase10(auint);
         unsigned digitsb = NumDigitsBase10(buint);
         if (digitsa == digitsb) {
             *lessOrEqualp = (auint <= buint);
         } else if (digitsa > digitsb) {
             JS_ASSERT((digitsa - digitsb) < ArrayLength(powersOf10));
             *lessOrEqualp = (uint64_t(auint) < uint64_t(buint) * powersOf10[digitsa - digitsb]);
         } else { /* if (digitsb > digitsa) */
             JS_ASSERT((digitsb - digitsa) < ArrayLength(powersOf10));
             *lessOrEqualp = (uint64_t(auint) * powersOf10[digitsb - digitsa] <= uint64_t(buint));
         }
     }
     return true;
 }
 static inline bool
 CompareSubStringValues(JSContext *cx, const jschar *s1, size_t l1,
                        const jschar *s2, size_t l2, bool *lessOrEqualp)
 {
     if (!CheckForInterrupt(cx))
         return false;
     if (!s1 || !s2)
         return false;
     int32_t result = CompareChars(s1, l1, s2, l2);
     *lessOrEqualp = (result <= 0);
     return true;
 }
 struct SortComparatorStrings
 {
     JSContext   *const cx;
     SortComparatorStrings(JSContext *cx)
       : cx(cx) {}
     bool operator()(const Value &a, const Value &b, bool *lessOrEqualp) {
         return CompareStringValues(cx, a, b, lessOrEqualp);
     }
 };
 struct SortComparatorLexicographicInt32
 {
     bool operator()(const Value &a, const Value &b, bool *lessOrEqualp) {
         return CompareLexicographicInt32(a, b, lessOrEqualp);
     }
 };
 struct StringifiedElement
 {
     size_t charsBegin;
     size_t charsEnd;
     size_t elementIndex;
 };
 struct SortComparatorStringifiedElements
 {
     JSContext           *const cx;
     const StringBuffer  &sb;
     SortComparatorStringifiedElements(JSContext *cx, const StringBuffer &sb)
       : cx(cx), sb(sb) {}
     bool operator()(const StringifiedElement &a, const StringifiedElement &b, bool *lessOrEqualp) {
         return CompareSubStringValues(cx, sb.begin() + a.charsBegin, a.charsEnd - a.charsBegin,
                                       sb.begin() + b.charsBegin, b.charsEnd - b.charsBegin,
                                       lessOrEqualp);
     }
 };
 struct SortComparatorFunction
 {
     JSContext          *const cx;
     const Value        &fval;
     FastInvokeGuard    &fig;
     SortComparatorFunction(JSContext *cx, const Value &fval, FastInvokeGuard &fig)
       : cx(cx), fval(fval), fig(fig) { }
     bool operator()(const Value &a, const Value &b, bool *lessOrEqualp);
 };
 bool
 SortComparatorFunction::operator()(const Value &a, const Value &b, bool *lessOrEqualp)
 {
     /*
      * array_sort deals with holes and undefs on its own and they should not
      * come here.
      */
     JS_ASSERT(!a.isMagic() && !a.isUndefined());
     JS_ASSERT(!a.isMagic() && !b.isUndefined());
     if (!CheckForInterrupt(cx))
         return false;
     InvokeArgs &args = fig.args();
     if (!args.init(2))
         return false;
     args.setCallee(fval);
     args.setThis(UndefinedValue());
     args[0].set(a);
     args[1].set(b);
     if (!fig.invoke(cx))
         return false;
     double cmp;
     if (!ToNumber(cx, args.rval(), &cmp))
         return false;
     /*
      * XXX eport some kind of error here if cmp is NaN? ECMA talks about
      * 'consistent compare functions' that don't return NaN, but is silent
      * about what the result should be. So we currently ignore it.
      */
     *lessOrEqualp = (IsNaN(cmp) || cmp <= 0);
     return true;
 }
 struct NumericElement
 {
     double dv;
     size_t elementIndex;
 };
 bool
 ComparatorNumericLeftMinusRight(const NumericElement &a, const NumericElement &b,
                                 bool *lessOrEqualp)
 {
     *lessOrEqualp = (a.dv <= b.dv);
     return true;
 }
 bool
 ComparatorNumericRightMinusLeft(const NumericElement &a, const NumericElement &b,
                                 bool *lessOrEqualp)
 {
     *lessOrEqualp = (b.dv <= a.dv);
     return true;
 }
 typedef bool (*ComparatorNumeric)(const NumericElement &a, const NumericElement &b,
                                   bool *lessOrEqualp);
 ComparatorNumeric SortComparatorNumerics[] = {
     nullptr,
     nullptr,
     ComparatorNumericLeftMinusRight,
     ComparatorNumericRightMinusLeft
 };
 bool
 ComparatorInt32LeftMinusRight(const Value &a, const Value &b, bool *lessOrEqualp)
 {
     *lessOrEqualp = (a.toInt32() <= b.toInt32());
     return true;
 }
 bool
 ComparatorInt32RightMinusLeft(const Value &a, const Value &b, bool *lessOrEqualp)
 {
     *lessOrEqualp = (b.toInt32() <= a.toInt32());
     return true;
 }
 typedef bool (*ComparatorInt32)(const Value &a, const Value &b, bool *lessOrEqualp);
 ComparatorInt32 SortComparatorInt32s[] = {
     nullptr,
     nullptr,
     ComparatorInt32LeftMinusRight,
     ComparatorInt32RightMinusLeft
 };
 // Note: Values for this enum must match up with SortComparatorNumerics
 // and SortComparatorInt32s.
 enum ComparatorMatchResult {
     Match_Failure = 0,
     Match_None,
     Match_LeftMinusRight,
     Match_RightMinusLeft
 };
 /*
  * Specialize behavior for comparator functions with particular common bytecode
  * patterns: namely, |return x - y| and |return y - x|.
  */
 ComparatorMatchResult
 MatchNumericComparator(JSContext *cx, const Value &v)
 {
     if (!v.isObject())
         return Match_None;
     JSObject &obj = v.toObject();
     if (!obj.is<JSFunction>())
         return Match_None;
     JSFunction *fun = &obj.as<JSFunction>();
     if (!fun->isInterpreted())
         return Match_None;
     JSScript *script = fun->getOrCreateScript(cx);
     if (!script)
         return Match_Failure;
     jsbytecode *pc = script->code();
     uint16_t arg0, arg1;
     if (JSOp(*pc) != JSOP_GETARG)
         return Match_None;
     arg0 = GET_ARGNO(pc);
     pc += JSOP_GETARG_LENGTH;
     if (JSOp(*pc) != JSOP_GETARG)
         return Match_None;
     arg1 = GET_ARGNO(pc);
     pc += JSOP_GETARG_LENGTH;
     if (JSOp(*pc) != JSOP_SUB)
         return Match_None;
     pc += JSOP_SUB_LENGTH;
     if (JSOp(*pc) != JSOP_RETURN)
         return Match_None;
     if (arg0 == 0 && arg1 == 1)
         return Match_LeftMinusRight;
     if (arg0 == 1 && arg1 == 0)
         return Match_RightMinusLeft;
     return Match_None;
 }
 template<typename K, typename C>
 static inline bool
 MergeSortByKey(K keys, size_t len, K scratch, C comparator, AutoValueVector *vec)
 {
     MOZ_ASSERT(vec->length() >= len);
     /* Sort keys. */
     if (!MergeSort(keys, len, scratch, comparator))
         return false;
     /*
      * Reorder vec by keys in-place, going element by element.  When an out-of-
      * place element is encountered, move that element to its proper position,
      * displacing whatever element was at *that* point to its proper position,
      * and so on until an element must be moved to the current position.
      *
      * At each outer iteration all elements up to |i| are sorted.  If
      * necessary each inner iteration moves some number of unsorted elements
      * (including |i|) directly to sorted position.  Thus on completion |*vec|
      * is sorted, and out-of-position elements have moved once.  Complexity is
      * Θ(len) + O(len) == O(2*len), with each element visited at most twice.
      */
     for (size_t i = 0; i < len; i++) {
         size_t j = keys[i].elementIndex;
         if (i == j)
             continue; // fixed point
         MOZ_ASSERT(j > i, "Everything less than |i| should be in the right place!");
         Value tv = (*vec)[j];
         do {
             size_t k = keys[j].elementIndex;
             keys[j].elementIndex = j;
             (*vec)[j] = (*vec)[k];
             j = k;
         } while (j != i);
         // We could assert the loop invariant that |i == keys[i].elementIndex|
         // here if we synced |keys[i].elementIndex|.  But doing so would render
         // the assertion vacuous, so don't bother, even in debug builds.
         (*vec)[i] = tv;
     }
     return true;
 }
 /*
  * Sort Values as strings.
  *
  * To minimize #conversions, SortLexicographically() first converts all Values
  * to strings at once, then sorts the elements by these cached strings.
  */
 bool
 SortLexicographically(JSContext *cx, AutoValueVector *vec, size_t len)
 {
     JS_ASSERT(vec->length() >= len);
     StringBuffer sb(cx);
     Vector<StringifiedElement, 0, TempAllocPolicy> strElements(cx);
     /* MergeSort uses the upper half as scratch space. */
     if (!strElements.reserve(2 * len))
         return false;
     /* Convert Values to strings. */
     size_t cursor = 0;
     for (size_t i = 0; i < len; i++) {
         if (!CheckForInterrupt(cx))
             return false;
         if (!ValueToStringBuffer(cx, (*vec)[i], sb))
             return false;
         StringifiedElement el = { cursor, sb.length(), i };
         strElements.infallibleAppend(el);
         cursor = sb.length();
     }
     /* Resize strElements so we can perform MergeSort. */
     JS_ALWAYS_TRUE(strElements.resize(2 * len));
     /* Sort Values in vec alphabetically. */
     return MergeSortByKey(strElements.begin(), len, strElements.begin() + len,
                           SortComparatorStringifiedElements(cx, sb), vec);
 }
 /*
  * Sort Values as numbers.
  *
  * To minimize #conversions, SortNumerically first converts all Values to
  * numerics at once, then sorts the elements by these cached numerics.
  */
 bool
 SortNumerically(JSContext *cx, AutoValueVector *vec, size_t len, ComparatorMatchResult comp)
 {
     JS_ASSERT(vec->length() >= len);
     Vector<NumericElement, 0, TempAllocPolicy> numElements(cx);
     /* MergeSort uses the upper half as scratch space. */
     if (!numElements.reserve(2 * len))
         return false;
     /* Convert Values to numerics. */
     for (size_t i = 0; i < len; i++) {
         if (!CheckForInterrupt(cx))
             return false;
         double dv;
         if (!ToNumber(cx, vec->handleAt(i), &dv))
             return false;
         NumericElement el = { dv, i };
         numElements.infallibleAppend(el);
     }
     /* Resize strElements so we can perform MergeSort. */
     JS_ALWAYS_TRUE(numElements.resize(2 * len));
     /* Sort Values in vec numerically. */
     return MergeSortByKey(numElements.begin(), len, numElements.begin() + len,
                           SortComparatorNumerics[comp], vec);
 }
 } /* namespace anonymous */
 bool
 js::array_sort(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedValue fvalRoot(cx);
     Value &fval = fvalRoot.get();
     if (args.hasDefined(0)) {
         if (args[0].isPrimitive()) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_BAD_SORT_ARG);
             return false;
         }
         fval = args[0];     /* non-default compare function */
     } else {
         fval.setNull();
     }
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     uint32_t len;
     if (!GetLengthProperty(cx, obj, &len))
         return false;
     if (len < 2) {
         /* [] and [a] remain unchanged when sorted. */
         args.rval().setObject(*obj);
         return true;
     }
     /*
      * We need a temporary array of 2 * len Value to hold the array elements
      * and the scratch space for merge sort. Check that its size does not
      * overflow size_t, which would allow for indexing beyond the end of the
      * malloc'd vector.
      */
 #if JS_BITS_PER_WORD == 32
     if (size_t(len) > size_t(-1) / (2 * sizeof(Value))) {
         js_ReportAllocationOverflow(cx);
         return false;
     }
 #endif
     /*
      * Initialize vec as a root. We will clear elements of vec one by
      * one while increasing the rooted amount of vec when we know that the
      * property at the corresponding index exists and its value must be rooted.
      *
      * In this way when sorting a huge mostly sparse array we will not
      * access the tail of vec corresponding to properties that do not
      * exist, allowing OS to avoiding committing RAM. See bug 330812.
      */
     size_t n, undefs;
     {
         AutoValueVector vec(cx);
         if (!vec.reserve(2 * size_t(len)))
             return false;
         /*
          * By ECMA 262, 15.4.4.11, a property that does not exist (which we
          * call a "hole") is always greater than an existing property with
          * value undefined and that is always greater than any other property.
          * Thus to sort holes and undefs we simply count them, sort the rest
          * of elements, append undefs after them and then make holes after
          * undefs.
          */
         undefs = 0;
         bool allStrings = true;
         bool allInts = true;
         RootedValue v(cx);
         for (uint32_t i = 0; i < len; i++) {
             if (!CheckForInterrupt(cx))
                 return false;
             /* Clear vec[newlen] before including it in the rooted set. */
             bool hole;
             if (!GetElement(cx, obj, i, &hole, &v))
                 return false;
             if (hole)
                 continue;
             if (v.isUndefined()) {
                 ++undefs;
                 continue;
             }
             vec.infallibleAppend(v);
             allStrings = allStrings && v.isString();
             allInts = allInts && v.isInt32();
         }
         /*
          * If the array only contains holes, we're done.  But if it contains
          * undefs, those must be sorted to the front of the array.
          */
         n = vec.length();
         if (n == 0 && undefs == 0) {
             args.rval().setObject(*obj);
             return true;
         }
         /* Here len == n + undefs + number_of_holes. */
         if (fval.isNull()) {
             /*
              * Sort using the default comparator converting all elements to
              * strings.
              */
             if (allStrings) {
                 JS_ALWAYS_TRUE(vec.resize(n * 2));
                 if (!MergeSort(vec.begin(), n, vec.begin() + n, SortComparatorStrings(cx)))
                     return false;
             } else if (allInts) {
                 JS_ALWAYS_TRUE(vec.resize(n * 2));
                 if (!MergeSort(vec.begin(), n, vec.begin() + n,
                                SortComparatorLexicographicInt32())) {
                     return false;
                 }
             } else {
                 if (!SortLexicographically(cx, &vec, n))
                     return false;
             }
         } else {
             ComparatorMatchResult comp = MatchNumericComparator(cx, fval);
             if (comp == Match_Failure)
                 return false;
             if (comp != Match_None) {
                 if (allInts) {
                     JS_ALWAYS_TRUE(vec.resize(n * 2));
                     if (!MergeSort(vec.begin(), n, vec.begin() + n, SortComparatorInt32s[comp]))
                         return false;
                 } else {
                     if (!SortNumerically(cx, &vec, n, comp))
                         return false;
                 }
             } else {
                 FastInvokeGuard fig(cx, fval);
                 MOZ_ASSERT(!InParallelSection(),
                            "Array.sort() can't currently be used from parallel code");
                 JS_ALWAYS_TRUE(vec.resize(n * 2));
                 if (!MergeSort(vec.begin(), n, vec.begin() + n,
                                SortComparatorFunction(cx, fval, fig)))
                 {
                     return false;
                 }
             }
         }
         if (!InitArrayElements(cx, obj, 0, uint32_t(n), vec.begin(), DontUpdateTypes))
             return false;
     }
     /* Set undefs that sorted after the rest of elements. */
     while (undefs != 0) {
         --undefs;
         if (!CheckForInterrupt(cx) || !SetArrayElement(cx, obj, n++, UndefinedHandleValue))
             return false;
     }
     /* Re-create any holes that sorted to the end of the array. */
     while (len > n) {
         if (!CheckForInterrupt(cx) || !DeletePropertyOrThrow(cx, obj, --len))
             return false;
     }
     args.rval().setObject(*obj);
     return true;
 }
 bool
 js::NewbornArrayPush(JSContext *cx, HandleObject obj, const Value &v)
 {
     Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
     JS_ASSERT(!v.isMagic());
     JS_ASSERT(arr->lengthIsWritable());
     uint32_t length = arr->length();
     JS_ASSERT(length <= arr->getDenseCapacity());
     if (!arr->ensureElements(cx, length + 1))
         return false;
     arr->setDenseInitializedLength(length + 1);
     arr->setLengthInt32(length + 1);
     arr->initDenseElementWithType(cx, length, v);
     return true;
 }
 /* ES5 15.4.4.7 */
 bool
 js::array_push(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Step 1. */
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     /* Steps 2-3. */
     uint32_t length;
     if (!GetLengthProperty(cx, obj, &length))
         return false;
     /* Fast path for native objects with dense elements. */
     do {
         if (!obj->isNative() || obj->is<TypedArrayObject>())
             break;
         if (obj->is<ArrayObject>() && !obj->as<ArrayObject>().lengthIsWritable())
             break;
         if (ObjectMayHaveExtraIndexedProperties(obj))
             break;
         uint32_t argCount = args.length();
         JSObject::EnsureDenseResult result = obj->ensureDenseElements(cx, length, argCount);
         if (result == JSObject::ED_FAILED)
             return false;
         if (result == JSObject::ED_OK) {
             for (uint32_t i = 0, index = length; i < argCount; index++, i++)
                 obj->setDenseElementWithType(cx, index, args[i]);
             uint32_t newlength = length + argCount;
             args.rval().setNumber(newlength);
             if (obj->is<ArrayObject>()) {
                 obj->as<ArrayObject>().setLengthInt32(newlength);
                 return true;
             }
             return SetLengthProperty(cx, obj, newlength);
         }
         MOZ_ASSERT(result == JSObject::ED_SPARSE);
     } while (false);
     /* Steps 4-5. */
     if (!InitArrayElements(cx, obj, length, args.length(), args.array(), UpdateTypes))
         return false;
     /* Steps 6-7. */
     double newlength = length + double(args.length());
     args.rval().setNumber(newlength);
     return SetLengthProperty(cx, obj, newlength);
 }
 /* ES6 20130308 draft 15.4.4.6. */
 bool
 js::array_pop(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Step 1. */
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     /* Steps 2-3. */
     uint32_t index;
     if (!GetLengthProperty(cx, obj, &index))
         return false;
     /* Steps 4-5. */
     if (index == 0) {
         /* Step 4b. */
         args.rval().setUndefined();
     } else {
         /* Step 5a. */
         index--;
         /* Step 5b, 5e. */
         bool hole;
         if (!GetElement(cx, obj, index, &hole, args.rval()))
             return false;
         /* Step 5c. */
         if (!hole && !DeletePropertyOrThrow(cx, obj, index))
             return false;
     }
     // If this was an array, then there are no elements above the one we just
     // deleted (if we deleted an element).  Thus we can shrink the dense
     // initialized length accordingly.  (This is fine even if the array length
     // is non-writable: length-changing occurs after element-deletion effects.)
     // Don't do anything if this isn't an array, as any deletion above has no
     // effect on any elements after the "last" one indicated by the "length"
     // property.
     if (obj->is<ArrayObject>() && obj->getDenseInitializedLength() > index)
         obj->setDenseInitializedLength(index);
     /* Steps 4a, 5d. */
     return SetLengthProperty(cx, obj, index);
 }
 void
 js::ArrayShiftMoveElements(JSObject *obj)
 {
     JS_ASSERT(obj->is<ArrayObject>());
     JS_ASSERT(obj->as<ArrayObject>().lengthIsWritable());
     /*
      * At this point the length and initialized length have already been
      * decremented and the result fetched, so just shift the array elements
      * themselves.
      */
     uint32_t initlen = obj->getDenseInitializedLength();
     obj->moveDenseElementsNoPreBarrier(0, 1, initlen);
 }
 /* ES5 15.4.4.9 */
 bool
 js::array_shift(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Step 1. */
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     /* Steps 2-3. */
     uint32_t len;
     if (!GetLengthProperty(cx, obj, &len))
         return false;
     /* Step 4. */
     if (len == 0) {
         /* Step 4a. */
         if (!SetLengthProperty(cx, obj, 0))
             return false;
         /* Step 4b. */
         args.rval().setUndefined();
         return true;
     }
     uint32_t newlen = len - 1;
     /* Fast paths. */
     if (obj->is<ArrayObject>() &&
         obj->getDenseInitializedLength() > 0 &&
         newlen < obj->getDenseCapacity() &&
         !ObjectMayHaveExtraIndexedProperties(obj))
     {
         args.rval().set(obj->getDenseElement(0));
         if (args.rval().isMagic(JS_ELEMENTS_HOLE))
             args.rval().setUndefined();
         obj->moveDenseElements(0, 1, obj->getDenseInitializedLength() - 1);
         obj->setDenseInitializedLength(obj->getDenseInitializedLength() - 1);
         if (!SetLengthProperty(cx, obj, newlen))
             return false;
         return js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(newlen));
     }
     /* Steps 5, 10. */
     bool hole;
     if (!GetElement(cx, obj, uint32_t(0), &hole, args.rval()))
         return false;
     /* Steps 6-7. */
     RootedValue value(cx);
     for (uint32_t i = 0; i < newlen; i++) {
         if (!CheckForInterrupt(cx))
             return false;
         if (!GetElement(cx, obj, i + 1, &hole, &value))
             return false;
         if (hole) {
             if (!DeletePropertyOrThrow(cx, obj, i))
                 return false;
         } else {
             if (!SetArrayElement(cx, obj, i, value))
                 return false;
         }
     }
     /* Step 8. */
     if (!DeletePropertyOrThrow(cx, obj, newlen))
         return false;
     /* Step 9. */
     return SetLengthProperty(cx, obj, newlen);
 }
 static bool
 array_unshift(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     uint32_t length;
     if (!GetLengthProperty(cx, obj, &length))
         return false;
     double newlen = length;
     if (args.length() > 0) {
         /* Slide up the array to make room for all args at the bottom. */
         if (length > 0) {
             bool optimized = false;
             do {
                 if (!obj->is<ArrayObject>())
                     break;
                 if (ObjectMayHaveExtraIndexedProperties(obj))
                     break;
                 if (!obj->as<ArrayObject>().lengthIsWritable())
                     break;
                 JSObject::EnsureDenseResult result = obj->ensureDenseElements(cx, length, args.length());
                 if (result != JSObject::ED_OK) {
                     if (result == JSObject::ED_FAILED)
                         return false;
                     JS_ASSERT(result == JSObject::ED_SPARSE);
                     break;
                 }
                 obj->moveDenseElements(args.length(), 0, length);
                 for (uint32_t i = 0; i < args.length(); i++)
                     obj->setDenseElement(i, MagicValue(JS_ELEMENTS_HOLE));
                 optimized = true;
             } while (false);
             if (!optimized) {
                 double last = length;
                 double upperIndex = last + args.length();
                 RootedValue value(cx);
                 do {
                     --last, --upperIndex;
                     bool hole;
                     if (!CheckForInterrupt(cx))
                         return false;
                     if (!GetElement(cx, obj, last, &hole, &value))
                         return false;
                     if (hole) {
                         if (!DeletePropertyOrThrow(cx, obj, upperIndex))
                             return false;
                     } else {
                         if (!SetArrayElement(cx, obj, upperIndex, value))
                             return false;
                     }
                 } while (last != 0);
             }
         }
         /* Copy from args to the bottom of the array. */
         if (!InitArrayElements(cx, obj, 0, args.length(), args.array(), UpdateTypes))
             return false;
         newlen += args.length();
     }
     if (!SetLengthProperty(cx, obj, newlen))
         return false;
     /* Follow Perl by returning the new array length. */
     args.rval().setNumber(newlen);
     return true;
 }
 static inline void
 TryReuseArrayType(JSObject *obj, ArrayObject *narr)
 {
     /*
      * Try to change the type of a newly created array narr to the same type
      * as obj. This can only be performed if the original object is an array
      * and has the same prototype.
      */
     JS_ASSERT(narr->getProto()->hasNewType(&ArrayObject::class_, narr->type()));
     if (obj->is<ArrayObject>() && !obj->hasSingletonType() && obj->getProto() == narr->getProto())
         narr->setType(obj->type());
 }
 /*
  * Returns true if this is a dense array whose |count| properties starting from
  * |startingIndex| may be accessed (get, set, delete) directly through its
  * contiguous vector of elements without fear of getters, setters, etc. along
  * the prototype chain, or of enumerators requiring notification of
  * modifications.
  */
 static inline bool
 CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t count, JSContext *cx)
 {
     /* If the desired properties overflow dense storage, we can't optimize. */
     if (UINT32_MAX - startingIndex < count)
         return false;
     /* There's no optimizing possible if it's not an array. */
     if (!arr->is<ArrayObject>())
         return false;
     /*
      * Don't optimize if the array might be in the midst of iteration.  We
      * rely on this to be able to safely move dense array elements around with
      * just a memmove (see JSObject::moveDenseArrayElements), without worrying
      * about updating any in-progress enumerators for properties implicitly
      * deleted if a hole is moved from one location to another location not yet
      * visited.  See bug 690622.
      *
      * Another potential wrinkle: what if the enumeration is happening on an
      * object which merely has |arr| on its prototype chain?  It turns out this
      * case can't happen, because any dense array used as the prototype of
      * another object is first slowified, for type inference's sake.
      */
     types::TypeObject *arrType = arr->getType(cx);
     if (MOZ_UNLIKELY(!arrType || arrType->hasAllFlags(OBJECT_FLAG_ITERATED)))
         return false;
     /*
      * Now watch out for getters and setters along the prototype chain or in
      * other indexed properties on the object.  (Note that non-writable length
      * is subsumed by the initializedLength comparison.)
      */
     return !ObjectMayHaveExtraIndexedProperties(arr) &&
            startingIndex + count <= arr->getDenseInitializedLength();
 }
 /* ES5 15.4.4.12. */
 bool
 js::array_splice(JSContext *cx, unsigned argc, Value *vp)
 {
     return array_splice_impl(cx, argc, vp, true);
 }
 bool
 js::array_splice_impl(JSContext *cx, unsigned argc, Value *vp, bool returnValueIsUsed)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Step 1. */
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     /* Steps 3-4. */
     uint32_t len;
     if (!GetLengthProperty(cx, obj, &len))
         return false;
     /* Step 5. */
     double relativeStart;
     if (!ToInteger(cx, args.get(0), &relativeStart))
         return false;
     /* Step 6. */
     uint32_t actualStart;
     if (relativeStart < 0)
         actualStart = Max(len + relativeStart, 0.0);
     else
         actualStart = Min(relativeStart, double(len));
     /* Step 7. */
     uint32_t actualDeleteCount;
     if (args.length() != 1) {
         double deleteCountDouble;
         RootedValue cnt(cx, args.length() >= 2 ? args[1] : Int32Value(0));
         if (!ToInteger(cx, cnt, &deleteCountDouble))
             return false;
         actualDeleteCount = Min(Max(deleteCountDouble, 0.0), double(len - actualStart));
     } else {
         /*
          * Non-standard: if start was specified but deleteCount was omitted,
          * delete to the end of the array.  See bug 668024 for discussion.
          */
         actualDeleteCount = len - actualStart;
     }
     JS_ASSERT(len - actualStart >= actualDeleteCount);
     /* Steps 2, 8-9. */
     Rooted<ArrayObject*> arr(cx);
     if (CanOptimizeForDenseStorage(obj, actualStart, actualDeleteCount, cx)) {
         if (returnValueIsUsed) {
             arr = NewDenseCopiedArray(cx, actualDeleteCount, obj, actualStart);
             if (!arr)
                 return false;
             TryReuseArrayType(obj, arr);
         }
     } else {
         arr = NewDenseAllocatedArray(cx, actualDeleteCount);
         if (!arr)
             return false;
         TryReuseArrayType(obj, arr);
         RootedValue fromValue(cx);
         for (uint32_t k = 0; k < actualDeleteCount; k++) {
             bool hole;
             if (!CheckForInterrupt(cx) ||
                 !GetElement(cx, obj, actualStart + k, &hole, &fromValue) ||
                 (!hole && !JSObject::defineElement(cx, arr, k, fromValue)))
             {
                 return false;
             }
         }
     }
     /* Step 11. */
     uint32_t itemCount = (args.length() >= 2) ? (args.length() - 2) : 0;
     if (itemCount < actualDeleteCount) {
         /* Step 12: the array is being shrunk. */
         uint32_t sourceIndex = actualStart + actualDeleteCount;
         uint32_t targetIndex = actualStart + itemCount;
         uint32_t finalLength = len - actualDeleteCount + itemCount;
         if (CanOptimizeForDenseStorage(obj, 0, len, cx)) {
             /* Steps 12(a)-(b). */
             obj->moveDenseElements(targetIndex, sourceIndex, len - sourceIndex);
             /*
              * Update the initialized length. Do so before shrinking so that we
              * can apply the write barrier to the old slots.
              */
             obj->setDenseInitializedLength(finalLength);
             /* Steps 12(c)-(d). */
             obj->shrinkElements(cx, finalLength);
         } else {
             /*
              * This is all very slow if the length is very large. We don't yet
              * have the ability to iterate in sorted order, so we just do the
              * pessimistic thing and let CheckForInterrupt handle the
              * fallout.
              */
             /* Steps 12(a)-(b). */
             RootedValue fromValue(cx);
             for (uint32_t from = sourceIndex, to = targetIndex; from < len; from++, to++) {
                 if (!CheckForInterrupt(cx))
                     return false;
                 bool hole;
                 if (!GetElement(cx, obj, from, &hole, &fromValue))
                     return false;
                 if (hole) {
                     if (!DeletePropertyOrThrow(cx, obj, to))
                         return false;
                 } else {
                     if (!SetArrayElement(cx, obj, to, fromValue))
                         return false;
                 }
             }
             /* Steps 12(c)-(d). */
             for (uint32_t k = len; k > finalLength; k--) {
                 if (!DeletePropertyOrThrow(cx, obj, k - 1))
                     return false;
             }
         }
     } else if (itemCount > actualDeleteCount) {
         /* Step 13. */
         /*
          * Optimize only if the array is already dense and we can extend it to
          * its new length.  It would be wrong to extend the elements here for a
          * number of reasons.
          *
          * First, this could cause us to fall into the fast-path below.  This
          * would cause elements to be moved into places past the non-writable
          * length.  And when the dense initialized length is updated, that'll
          * cause the |in| operator to think that those elements actually exist,
          * even though, properly, setting them must fail.
          *
          * Second, extending the elements here will trigger assertions inside
          * ensureDenseElements that the elements aren't being extended past the
          * length of a non-writable array.  This is because extending elements
          * will extend capacity -- which might extend them past a non-writable
          * length, violating the |capacity <= length| invariant for such
          * arrays.  And that would make the various JITted fast-path method
          * implementations of [].push, [].unshift, and so on wrong.
          *
          * If the array length is non-writable, this method *will* throw.  For
          * simplicity, have the slow-path code do it.  (Also note that the slow
          * path may validly *not* throw -- if all the elements being moved are
          * holes.)
          */
         if (obj->is<ArrayObject>()) {
             Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
             if (arr->lengthIsWritable()) {
                 JSObject::EnsureDenseResult res =
                     arr->ensureDenseElements(cx, arr->length(), itemCount - actualDeleteCount);
                 if (res == JSObject::ED_FAILED)
                     return false;
             }
         }
         if (CanOptimizeForDenseStorage(obj, len, itemCount - actualDeleteCount, cx)) {
             obj->moveDenseElements(actualStart + itemCount,
                                    actualStart + actualDeleteCount,
                                    len - (actualStart + actualDeleteCount));
             obj->setDenseInitializedLength(len + itemCount - actualDeleteCount);
         } else {
             RootedValue fromValue(cx);
             for (double k = len - actualDeleteCount; k > actualStart; k--) {
                 if (!CheckForInterrupt(cx))
                     return false;
                 double from = k + actualDeleteCount - 1;
                 double to = k + itemCount - 1;
                 bool hole;
                 if (!GetElement(cx, obj, from, &hole, &fromValue))
                     return false;
                 if (hole) {
                     if (!DeletePropertyOrThrow(cx, obj, to))
                         return false;
                 } else {
                     if (!SetArrayElement(cx, obj, to, fromValue))
                         return false;
                 }
             }
         }
     }
     /* Step 10. */
     Value *items = args.array() + 2;
     /* Steps 14-15. */
     for (uint32_t k = actualStart, i = 0; i < itemCount; i++, k++) {
         if (!SetArrayElement(cx, obj, k, HandleValue::fromMarkedLocation(&items[i])))
             return false;
     }
     /* Step 16. */
     double finalLength = double(len) - actualDeleteCount + itemCount;
     if (!SetLengthProperty(cx, obj, finalLength))
         return false;
     /* Step 17. */
     if (returnValueIsUsed)
         args.rval().setObject(*arr);
     return true;
 }
 #ifdef JS_ION
 bool
 js::array_concat_dense(JSContext *cx, Handle<ArrayObject*> arr1, Handle<ArrayObject*> arr2,
                        Handle<ArrayObject*> result)
 {
     uint32_t initlen1 = arr1->getDenseInitializedLength();
     JS_ASSERT(initlen1 == arr1->length());
     uint32_t initlen2 = arr2->getDenseInitializedLength();
     JS_ASSERT(initlen2 == arr2->length());
     /* No overflow here due to nelements limit. */
     uint32_t len = initlen1 + initlen2;
     if (!result->ensureElements(cx, len))
         return false;
     JS_ASSERT(!result->getDenseInitializedLength());
     result->setDenseInitializedLength(len);
     result->initDenseElements(0, arr1->getDenseElements(), initlen1);
     result->initDenseElements(initlen1, arr2->getDenseElements(), initlen2);
     result->setLengthInt32(len);
     return true;
 }
 #endif /* JS_ION */
 /*
  * Python-esque sequence operations.
  */
 bool
 js::array_concat(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Treat our |this| object as the first argument; see ECMA 15.4.4.4. */
     Value *p = args.array() - 1;
     /* Create a new Array object and root it using *vp. */
     RootedObject aobj(cx, ToObject(cx, args.thisv()));
     if (!aobj)
         return false;
     Rooted<ArrayObject*> narr(cx);
     uint32_t length;
     if (aobj->is<ArrayObject>() && !aobj->isIndexed()) {
         length = aobj->as<ArrayObject>().length();
         uint32_t initlen = aobj->getDenseInitializedLength();
         narr = NewDenseCopiedArray(cx, initlen, aobj, 0);
         if (!narr)
             return false;
         TryReuseArrayType(aobj, narr);
         narr->setLength(cx, length);
         args.rval().setObject(*narr);
         if (argc == 0)
             return true;
         argc--;
         p++;
     } else {
         narr = NewDenseEmptyArray(cx);
         if (!narr)
             return false;
         args.rval().setObject(*narr);
         length = 0;
     }
     /* Loop over [0, argc] to concat args into narr, expanding all Arrays. */
     for (unsigned i = 0; i <= argc; i++) {
         if (!CheckForInterrupt(cx))
             return false;
         HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
         if (v.isObject()) {
             RootedObject obj(cx, &v.toObject());
             if (ObjectClassIs(obj, ESClass_Array, cx)) {
                 uint32_t alength;
                 if (!GetLengthProperty(cx, obj, &alength))
                     return false;
                 RootedValue tmp(cx);
                 for (uint32_t slot = 0; slot < alength; slot++) {
                     bool hole;
                     if (!CheckForInterrupt(cx) || !GetElement(cx, obj, slot, &hole, &tmp))
                         return false;
                     /*
                      * Per ECMA 262, 15.4.4.4, step 9, ignore nonexistent
                      * properties.
                      */
                     if (!hole && !SetArrayElement(cx, narr, length + slot, tmp))
                         return false;
                 }
                 length += alength;
                 continue;
             }
         }
         if (!SetArrayElement(cx, narr, length, v))
             return false;
         length++;
     }
     return SetLengthProperty(cx, narr, length);
 }
 static bool
 array_slice(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     uint32_t length;
     if (!GetLengthProperty(cx, obj, &length))
         return false;
     uint32_t begin = 0;
     uint32_t end = length;
     if (args.length() > 0) {
         double d;
         if (!ToInteger(cx, args[0], &d))
             return false;
         if (d < 0) {
             d += length;
             if (d < 0)
                 d = 0;
         } else if (d > length) {
             d = length;
         }
         begin = (uint32_t)d;
         if (args.hasDefined(1)) {
             if (!ToInteger(cx, args[1], &d))
                 return false;
             if (d < 0) {
                 d += length;
                 if (d < 0)
                     d = 0;
             } else if (d > length) {
                 d = length;
             }
             end = (uint32_t)d;
         }
     }
     if (begin > end)
         begin = end;
     Rooted<ArrayObject*> narr(cx);
     narr = NewDenseAllocatedArray(cx, end - begin);
     if (!narr)
         return false;
     TryReuseArrayType(obj, narr);
     if (obj->is<ArrayObject>() && !ObjectMayHaveExtraIndexedProperties(obj)) {
         if (obj->getDenseInitializedLength() > begin) {
             uint32_t numSourceElements = obj->getDenseInitializedLength() - begin;
             uint32_t initLength = Min(numSourceElements, end - begin);
             narr->setDenseInitializedLength(initLength);
             narr->initDenseElements(0, &obj->getDenseElement(begin), initLength);
         }
         args.rval().setObject(*narr);
         return true;
     }
     if (js::SliceOp op = obj->getOps()->slice) {
         // Ensure that we have dense elements, so that DOM can use js::UnsafeDefineElement.
         JSObject::EnsureDenseResult result = narr->ensureDenseElements(cx, 0, end - begin);
         if (result == JSObject::ED_FAILED)
              return false;
         if (result == JSObject::ED_OK) {
             if (!op(cx, obj, begin, end, narr))
                 return false;
             args.rval().setObject(*narr);
             return true;
         }
         // Fallthrough
         JS_ASSERT(result == JSObject::ED_SPARSE);
     }
     if (!SliceSlowly(cx, obj, obj, begin, end, narr))
         return false;
     args.rval().setObject(*narr);
     return true;
 }
 JS_FRIEND_API(bool)
 js::SliceSlowly(JSContext* cx, HandleObject obj, HandleObject receiver,
                 uint32_t begin, uint32_t end, HandleObject result)
 {
     RootedValue value(cx);
     for (uint32_t slot = begin; slot < end; slot++) {
         bool hole;
         if (!CheckForInterrupt(cx) ||
             !GetElement(cx, obj, receiver, slot, &hole, &value))
         {
             return false;
         }
         if (!hole && !JSObject::defineElement(cx, result, slot - begin, value))
             return false;
     }
     return true;
 }
 /* ES5 15.4.4.20. */
 static bool
 array_filter(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     /* Step 1. */
     RootedObject obj(cx, ToObject(cx, args.thisv()));
     if (!obj)
         return false;
     /* Step 2-3. */
     uint32_t len;
     if (!GetLengthProperty(cx, obj, &len))
         return false;
     /* Step 4. */
     if (args.length() == 0) {
         js_ReportMissingArg(cx, args.calleev(), 0);
         return false;
     }
     RootedObject callable(cx, ValueToCallable(cx, args[0], args.length() - 1));
     if (!callable)
         return false;
     /* Step 5. */
     RootedValue thisv(cx, args.length() >= 2 ? args[1] : UndefinedValue());
     /* Step 6. */
     RootedObject arr(cx, NewDenseAllocatedArray(cx, 0));
     if (!arr)
         return false;
     TypeObject *newtype = GetTypeCallerInitObject(cx, JSProto_Array);
     if (!newtype)
         return false;
     arr->setType(newtype);
     /* Step 7. */
     uint32_t k = 0;
     /* Step 8. */
     uint32_t to = 0;
     /* Step 9. */
     JS_ASSERT(!InParallelSection());
     FastInvokeGuard fig(cx, ObjectValue(*callable));
     InvokeArgs &args2 = fig.args();
     RootedValue kValue(cx);
     while (k < len) {
         if (!CheckForInterrupt(cx))
             return false;
         /* Step a, b, and c.i. */
         bool kNotPresent;
         if (!GetElement(cx, obj, k, &kNotPresent, &kValue))
             return false;
         /* Step c.ii-iii. */
         if (!kNotPresent) {
             if (!args2.init(3))
                 return false;
             args2.setCallee(ObjectValue(*callable));
             args2.setThis(thisv);
             args2[0].set(kValue);
             args2[1].setNumber(k);
             args2[2].setObject(*obj);
             if (!fig.invoke(cx))
                 return false;
             if (ToBoolean(args2.rval())) {
                 if (!SetArrayElement(cx, arr, to, kValue))
                     return false;
                 to++;
             }
         }
         /* Step d. */
         k++;
     }
     /* Step 10. */
     args.rval().setObject(*arr);
     return true;
 }
 static bool
 array_isArray(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
     args.rval().setBoolean(isArray);
     return true;
 }
 static bool
 IsArrayConstructor(const Value &v)
 {
     // This must only return true if v is *the* Array constructor for the
     // current compartment; we rely on the fact that any other Array
     // constructor would be represented as a wrapper.
     return v.isObject() &&
            v.toObject().is<JSFunction>() &&
            v.toObject().as<JSFunction>().isNative() &&
            v.toObject().as<JSFunction>().native() == js_Array;
 }
 static bool
 ArrayFromCallArgs(JSContext *cx, RootedTypeObject &type, CallArgs &args)
 {
     if (!InitArrayTypes(cx, type, args.array(), args.length()))
         return false;
     JSObject *obj = (args.length() == 0)
         ? NewDenseEmptyArray(cx)
         : NewDenseCopiedArray(cx, args.length(), args.array());
     if (!obj)
         return false;
     obj->setType(type);
     args.rval().setObject(*obj);
     return true;
 }
 static bool
 array_of(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     if (IsArrayConstructor(args.thisv()) || !IsConstructor(args.thisv())) {
         // IsArrayConstructor(this) will usually be true in practice. This is
         // the most common path.
         RootedTypeObject type(cx, GetTypeCallerInitObject(cx, JSProto_Array));
         if (!type)
             return false;
         return ArrayFromCallArgs(cx, type, args);
     }
     // Step 4.
     RootedObject obj(cx);
     {
         RootedValue v(cx);
         Value argv[1] = {NumberValue(args.length())};
         if (!InvokeConstructor(cx, args.thisv(), 1, argv, v.address()))
             return false;
         obj = ToObject(cx, v);
         if (!obj)
             return false;
     }
     // Step 8.
     for (unsigned k = 0; k < args.length(); k++) {
         if (!JSObject::defineElement(cx, obj, k, args[k]))
             return false;
     }
     // Steps 9-10.
     RootedValue v(cx, NumberValue(args.length()));
     if (!JSObject::setProperty(cx, obj, obj, cx->names().length, &v, true))
         return false;
     // Step 11.
     args.rval().setObject(*obj);
     return true;
 }
 #define GENERIC JSFUN_GENERIC_NATIVE
 static const JSFunctionSpec array_methods[] = {
 #if JS_HAS_TOSOURCE
     JS_FN(js_toSource_str,      array_toSource,     0,0),
 #endif
     JS_FN(js_toString_str,      array_toString,     0,0),
     JS_FN(js_toLocaleString_str,array_toLocaleString,0,0),
     /* Perl-ish methods. */
     JS_FN("join",               array_join,         1,JSFUN_GENERIC_NATIVE),
     JS_FN("reverse",            array_reverse,      0,JSFUN_GENERIC_NATIVE),
     JS_FN("sort",               array_sort,         1,JSFUN_GENERIC_NATIVE),
     JS_FN("push",               array_push,         1,JSFUN_GENERIC_NATIVE),
     JS_FN("pop",                array_pop,          0,JSFUN_GENERIC_NATIVE),
     JS_FN("shift",              array_shift,        0,JSFUN_GENERIC_NATIVE),
     JS_FN("unshift",            array_unshift,      1,JSFUN_GENERIC_NATIVE),
     JS_FN("splice",             array_splice,       2,JSFUN_GENERIC_NATIVE),
     /* Pythonic sequence methods. */
     JS_FN("concat",             array_concat,       1,JSFUN_GENERIC_NATIVE),
     JS_FN("slice",              array_slice,        2,JSFUN_GENERIC_NATIVE),
     JS_SELF_HOSTED_FN("lastIndexOf", "ArrayLastIndexOf", 1,0),
     JS_SELF_HOSTED_FN("indexOf",     "ArrayIndexOf",     1,0),
     JS_SELF_HOSTED_FN("forEach",     "ArrayForEach",     1,0),
     JS_SELF_HOSTED_FN("map",         "ArrayMap",         1,0),
     JS_SELF_HOSTED_FN("reduce",      "ArrayReduce",      1,0),
     JS_SELF_HOSTED_FN("reduceRight", "ArrayReduceRight", 1,0),
     JS_FN("filter",             array_filter,       1,JSFUN_GENERIC_NATIVE),
     JS_SELF_HOSTED_FN("some",        "ArraySome",        1,0),
     JS_SELF_HOSTED_FN("every",       "ArrayEvery",       1,0),
 #ifdef ENABLE_PARALLEL_JS
     /* Parallelizable and pure methods. */
     JS_SELF_HOSTED_FN("mapPar",      "ArrayMapPar",      2,0),
     JS_SELF_HOSTED_FN("reducePar",   "ArrayReducePar",   2,0),
     JS_SELF_HOSTED_FN("scanPar",     "ArrayScanPar",     2,0),
     JS_SELF_HOSTED_FN("scatterPar",  "ArrayScatterPar",  5,0),
     JS_SELF_HOSTED_FN("filterPar",   "ArrayFilterPar",   2,0),
 #endif
     /* ES6 additions */
     JS_SELF_HOSTED_FN("find",        "ArrayFind",        1,0),
     JS_SELF_HOSTED_FN("findIndex",   "ArrayFindIndex",   1,0),
     JS_SELF_HOSTED_FN("fill",        "ArrayFill",        3,0),
     JS_SELF_HOSTED_FN("@@iterator",  "ArrayValues",      0,0),
     JS_SELF_HOSTED_FN("entries",     "ArrayEntries",     0,0),
     JS_SELF_HOSTED_FN("keys",        "ArrayKeys",        0,0),
     JS_FS_END
 };
 static const JSFunctionSpec array_static_methods[] = {
     JS_FN("isArray",            array_isArray,      1,0),
     JS_SELF_HOSTED_FN("lastIndexOf", "ArrayStaticLastIndexOf", 2,0),
     JS_SELF_HOSTED_FN("indexOf",     "ArrayStaticIndexOf", 2,0),
     JS_SELF_HOSTED_FN("forEach",     "ArrayStaticForEach", 2,0),
     JS_SELF_HOSTED_FN("map",         "ArrayStaticMap",   2,0),
     JS_SELF_HOSTED_FN("every",       "ArrayStaticEvery", 2,0),
     JS_SELF_HOSTED_FN("some",        "ArrayStaticSome",  2,0),
     JS_SELF_HOSTED_FN("reduce",      "ArrayStaticReduce", 2,0),
     JS_SELF_HOSTED_FN("reduceRight", "ArrayStaticReduceRight", 2,0),
     JS_FN("of",                 array_of,           0,0),
 #ifdef ENABLE_PARALLEL_JS
     JS_SELF_HOSTED_FN("build",       "ArrayStaticBuild", 2,0),
     /* Parallelizable and pure static methods. */
     JS_SELF_HOSTED_FN("buildPar",    "ArrayStaticBuildPar", 3,0),
 #endif
     JS_FS_END
 };
 /* ES5 15.4.2 */
 bool
 js_Array(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedTypeObject type(cx, GetTypeCallerInitObject(cx, JSProto_Array));
     if (!type)
         return false;
     if (args.length() != 1 || !args[0].isNumber())
         return ArrayFromCallArgs(cx, type, args);
     uint32_t length;
     if (args[0].isInt32()) {
         int32_t i = args[0].toInt32();
         if (i < 0) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH);
             return false;
         }
         length = uint32_t(i);
     } else {
         double d = args[0].toDouble();
         length = ToUint32(d);
         if (d != double(length)) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH);
             return false;
         }
     }
     /*
      * Allocate dense elements eagerly for small arrays, to avoid reallocating
      * elements when filling the array.
      */
     RootedObject obj(cx);
     obj = (length <= ArrayObject::EagerAllocationMaxLength)
           ? NewDenseAllocatedArray(cx, length)
           : NewDenseUnallocatedArray(cx, length);
     if (!obj)
         return false;
     Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
     arr->setType(type);
     /* If the length calculation overflowed, make sure that is marked for the new type. */
     if (arr->length() > INT32_MAX)
         arr->setLength(cx, arr->length());
     args.rval().setObject(*arr);
     return true;
 }
 JSObject *
 js_InitArrayClass(JSContext *cx, HandleObject obj)
 {
     JS_ASSERT(obj->isNative());
     Rooted<GlobalObject*> global(cx, &obj->as<GlobalObject>());
     RootedObject proto(cx, global->getOrCreateObjectPrototype(cx));
     if (!proto)
         return nullptr;
     RootedTypeObject type(cx, cx->getNewType(&ArrayObject::class_, proto.get()));
     if (!type)
         return nullptr;
     JSObject *metadata = nullptr;
     if (!NewObjectMetadata(cx, &metadata))
         return nullptr;
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, &ArrayObject::class_, TaggedProto(proto),
                                                       proto->getParent(), metadata,
                                                       gc::FINALIZE_OBJECT0));
     if (!shape)
         return nullptr;
     RootedObject arrayProto(cx, JSObject::createArray(cx, gc::FINALIZE_OBJECT4, gc::TenuredHeap, shape, type, 0));
     if (!arrayProto || !JSObject::setSingletonType(cx, arrayProto) || !AddLengthProperty(cx, arrayProto))
         return nullptr;
     RootedFunction ctor(cx);
     ctor = global->createConstructor(cx, js_Array, cx->names().Array, 1);
     if (!ctor)
         return nullptr;
     /*
      * The default 'new' type of Array.prototype is required by type inference
      * to have unknown properties, to simplify handling of e.g. heterogenous
      * arrays in JSON and script literals and allows setDenseArrayElement to
      * be used without updating the indexed type set for such default arrays.
      */
     if (!JSObject::setNewTypeUnknown(cx, &ArrayObject::class_, arrayProto))
         return nullptr;
     if (!LinkConstructorAndPrototype(cx, ctor, arrayProto))
         return nullptr;
     if (!DefinePropertiesAndBrand(cx, arrayProto, nullptr, array_methods) ||
         !DefinePropertiesAndBrand(cx, ctor, nullptr, array_static_methods))
     {
         return nullptr;
     }
     if (!GlobalObject::initBuiltinConstructor(cx, global, JSProto_Array, ctor, arrayProto))
         return nullptr;
     return arrayProto;
 }
 /*
  * Array allocation functions.
  */
 static inline bool
 EnsureNewArrayElements(ExclusiveContext *cx, JSObject *obj, uint32_t length)
 {
     /*
      * If ensureElements creates dynamically allocated slots, then having
      * fixedSlots is a waste.
      */
     DebugOnly<uint32_t> cap = obj->getDenseCapacity();
     if (!obj->ensureElements(cx, length))
         return false;
     JS_ASSERT_IF(cap, !obj->hasDynamicElements());
     return true;
 }
 template<bool allocateCapacity>
 static MOZ_ALWAYS_INLINE ArrayObject *
 NewArray(ExclusiveContext *cxArg, uint32_t length,
          JSObject *protoArg, NewObjectKind newKind = GenericObject)
 {
     gc::AllocKind allocKind = GuessArrayGCKind(length);
     JS_ASSERT(CanBeFinalizedInBackground(allocKind, &ArrayObject::class_));
     allocKind = GetBackgroundAllocKind(allocKind);
     NewObjectCache::EntryIndex entry = -1;
     if (JSContext *cx = cxArg->maybeJSContext()) {
         NewObjectCache &cache = cx->runtime()->newObjectCache;
         if (newKind == GenericObject &&
             !cx->compartment()->hasObjectMetadataCallback() &&
             cache.lookupGlobal(&ArrayObject::class_, cx->global(), allocKind, &entry))
         {
             gc::InitialHeap heap = GetInitialHeap(newKind, &ArrayObject::class_);
             JSObject *obj = cache.newObjectFromHit<NoGC>(cx, entry, heap);
             if (obj) {
                 /* Fixup the elements pointer and length, which may be incorrect. */
                 ArrayObject *arr = &obj->as<ArrayObject>();
                 arr->setFixedElements();
                 arr->setLength(cx, length);
                 if (allocateCapacity && !EnsureNewArrayElements(cx, arr, length))
                     return nullptr;
                 return arr;
             } else {
                 RootedObject proto(cxArg, protoArg);
                 obj = cache.newObjectFromHit<CanGC>(cx, entry, heap);
                 JS_ASSERT(!obj);
                 protoArg = proto;
             }
         }
     }
     RootedObject proto(cxArg, protoArg);
     if (protoArg)
         JS::PoisonPtr(&protoArg);
     if (!proto && !GetBuiltinPrototype(cxArg, JSProto_Array, &proto))
         return nullptr;
     RootedTypeObject type(cxArg, cxArg->getNewType(&ArrayObject::class_, proto.get()));
     if (!type)
         return nullptr;
     JSObject *metadata = nullptr;
     if (!NewObjectMetadata(cxArg, &metadata))
         return nullptr;
     /*
      * Get a shape with zero fixed slots, regardless of the size class.
      * See JSObject::createArray.
      */
     RootedShape shape(cxArg, EmptyShape::getInitialShape(cxArg, &ArrayObject::class_,
                                                          TaggedProto(proto), cxArg->global(),
                                                          metadata, gc::FINALIZE_OBJECT0));
     if (!shape)
         return nullptr;
     Rooted<ArrayObject*> arr(cxArg, JSObject::createArray(cxArg, allocKind,
                                                           GetInitialHeap(newKind, &ArrayObject::class_),
                                                           shape, type, length));
     if (!arr)
         return nullptr;
     if (shape->isEmptyShape()) {
         if (!AddLengthProperty(cxArg, arr))
             return nullptr;
         shape = arr->lastProperty();
         EmptyShape::insertInitialShape(cxArg, shape, proto);
     }
     if (newKind == SingletonObject && !JSObject::setSingletonType(cxArg, arr))
         return nullptr;
     if (entry != -1) {
         cxArg->asJSContext()->runtime()->newObjectCache.fillGlobal(entry, &ArrayObject::class_,
                                                                    cxArg->global(), allocKind, arr);
     }
     if (allocateCapacity && !EnsureNewArrayElements(cxArg, arr, length))
         return nullptr;
     probes::CreateObject(cxArg, arr);
     return arr;
 }
 ArrayObject * JS_FASTCALL
 js::NewDenseEmptyArray(JSContext *cx, JSObject *proto /* = nullptr */,
                        NewObjectKind newKind /* = GenericObject */)
 {
     return NewArray<false>(cx, 0, proto, newKind);
 }
 ArrayObject * JS_FASTCALL
 js::NewDenseAllocatedArray(ExclusiveContext *cx, uint32_t length, JSObject *proto /* = nullptr */,
                            NewObjectKind newKind /* = GenericObject */)
 {
     return NewArray<true>(cx, length, proto, newKind);
 }
 ArrayObject * JS_FASTCALL
 js::NewDenseUnallocatedArray(ExclusiveContext *cx, uint32_t length, JSObject *proto /* = nullptr */,
                              NewObjectKind newKind /* = GenericObject */)
 {
     return NewArray<false>(cx, length, proto, newKind);
 }
 ArrayObject *
 js::NewDenseCopiedArray(JSContext *cx, uint32_t length, HandleObject src, uint32_t elementOffset,
                         JSObject *proto /* = nullptr */)
 {
     JS_ASSERT(!src->isIndexed());
     ArrayObject* arr = NewArray<true>(cx, length, proto);
     if (!arr)
         return nullptr;
     JS_ASSERT(arr->getDenseCapacity() >= length);
     const Value* vp = src->getDenseElements() + elementOffset;
     arr->setDenseInitializedLength(vp ? length : 0);
     if (vp)
         arr->initDenseElements(0, vp, length);
     return arr;
 }
 // values must point at already-rooted Value objects
 ArrayObject *
 js::NewDenseCopiedArray(JSContext *cx, uint32_t length, const Value *values,
                         JSObject *proto /* = nullptr */, NewObjectKind newKind /* = GenericObject */)
 {
     ArrayObject* arr = NewArray<true>(cx, length, proto);
     if (!arr)
         return nullptr;
     JS_ASSERT(arr->getDenseCapacity() >= length);
     arr->setDenseInitializedLength(values ? length : 0);
     if (values)
         arr->initDenseElements(0, values, length);
     return arr;
 }
 ArrayObject *
 js::NewDenseAllocatedArrayWithTemplate(JSContext *cx, uint32_t length, JSObject *templateObject)
 {
     gc::AllocKind allocKind = GuessArrayGCKind(length);
     JS_ASSERT(CanBeFinalizedInBackground(allocKind, &ArrayObject::class_));
     allocKind = GetBackgroundAllocKind(allocKind);
     RootedTypeObject type(cx, templateObject->type());
     if (!type)
         return nullptr;
     RootedShape shape(cx, templateObject->lastProperty());
     if (!shape)
         return nullptr;
     gc::InitialHeap heap = GetInitialHeap(GenericObject, &ArrayObject::class_);
     Rooted<ArrayObject *> arr(cx, JSObject::createArray(cx, allocKind, heap, shape, type, length));
     if (!arr)
         return nullptr;
     if (!EnsureNewArrayElements(cx, arr, length))
         return nullptr;
     probes::CreateObject(cx, arr);
     return arr;
 }
 #ifdef DEBUG
 bool
 js_ArrayInfo(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     JSObject *obj;
     for (unsigned i = 0; i < args.length(); i++) {
         RootedValue arg(cx, args[i]);
         char *bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, arg, NullPtr());
         if (!bytes)
             return false;
         if (arg.isPrimitive() ||
             !(obj = arg.toObjectOrNull())->is<ArrayObject>()) {
             fprintf(stderr, "%s: not array\n", bytes);
             js_free(bytes);
             continue;
         }
         fprintf(stderr, "%s: (len %u", bytes, obj->as<ArrayObject>().length());
         fprintf(stderr, ", capacity %u", obj->getDenseCapacity());
         fputs(")\n", stderr);
         js_free(bytes);
     }
     args.rval().setUndefined();
     return true;
 }
 #endif

The Tor Browser / annotate

js/src/jsarray.cpp@a63d609f5ebe (annotated)

js/src/jsarray.cpp