search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bug 486106 - restoring JS*Lookup API compatibility with fast arrays. r=shaver
[mozilla-central.git] / js / src / jsarray.cpp
blob5afa3b1f8cd2e3fe0422673cdc783dc8f79c6c1b
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set sw=4 ts=8 et tw=78:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
40
41 /*
42 * JS array class.
43 *
44 * Array objects begin as "dense" arrays, optimized for index-only property
45 * access over a vector of slots (obj->dslots) with high load factor. Array
46 * methods optimize for denseness by testing that the object's class is
47 * &js_ArrayClass, and can then directly manipulate the slots for efficiency.
48 *
49 * We track these pieces of metadata for arrays in dense mode:
50 * - the array's length property as a uint32, in JSSLOT_ARRAY_LENGTH,
51 * - the number of indices that are filled (non-holes), in JSSLOT_ARRAY_COUNT,
52 * - the net number of slots starting at dslots (capacity), in dslots[-1] if
53 * dslots is non-NULL.
54 *
55 * In dense mode, holes in the array are represented by JSVAL_HOLE. The final
56 * slot in fslots (JSSLOT_ARRAY_LOOKUP_HOLDER) is used to store the single jsid
57 * "in use" by a lookupProperty caller.
58 *
59 * Arrays are converted to use js_SlowArrayClass when any of these conditions
60 * are met:
61 * - the load factor (COUNT / capacity) is less than 0.25, and there are
62 * more than MIN_SPARSE_INDEX slots total
63 * - a property is set that is not indexed (and not "length"); or
64 * - a property is defined that has non-default property attributes.
65 *
66 * Dense arrays do not track property creation order, so unlike other native
67 * objects and slow arrays, enumerating an array does not necessarily visit the
68 * properties in the order they were created. We could instead maintain the
69 * scope to track property enumeration order, but still use the fast slot
70 * access. That would have the same memory cost as just using a
71 * js_SlowArrayClass, but have the same performance characteristics as a dense
72 * array for slot accesses, at some cost in code complexity.
73 */
74 #include <stdlib.h>
75 #include <string.h>
76 #include "jstypes.h"
77 #include "jsstdint.h"
78 #include "jsutil.h" /* Added by JSIFY */
79 #include "jsapi.h"
80 #include "jsarray.h"
81 #include "jsatom.h"
82 #include "jsbit.h"
83 #include "jsbool.h"
84 #include "jsbuiltins.h"
85 #include "jscntxt.h"
86 #include "jsversion.h"
87 #include "jsdbgapi.h" /* for js_TraceWatchPoints */
88 #include "jsdtoa.h"
89 #include "jsfun.h"
90 #include "jsgc.h"
91 #include "jsinterp.h"
92 #include "jslock.h"
93 #include "jsnum.h"
94 #include "jsobj.h"
95 #include "jsscope.h"
96 #include "jsstr.h"
97 #include "jsstaticcheck.h"
98
99 /* 2^32 - 1 as a number and a string */
100 #define MAXINDEX 4294967295u
101 #define MAXSTR "4294967295"
102
103 /* Small arrays are dense, no matter what. */
104 #define MIN_SPARSE_INDEX 256
105
106 #define INDEX_TOO_BIG(index) ((index) > JS_BIT(29) - 1)
107 #define INDEX_TOO_SPARSE(array, index) \
108 (INDEX_TOO_BIG(index) || \
109 ((index) > js_DenseArrayCapacity(array) && (index) >= MIN_SPARSE_INDEX && \
110 (index) > (uint32)((array)->fslots[JSSLOT_ARRAY_COUNT] + 1) * 4))
111
112 JS_STATIC_ASSERT(sizeof(JSScopeProperty) > 4 * sizeof(jsval));
113
114 #define ENSURE_SLOW_ARRAY(cx, obj) \
115 (OBJ_GET_CLASS(cx, obj) == &js_SlowArrayClass || js_MakeArraySlow(cx, obj))
116
117 /*
118 * Determine if the id represents an array index or an XML property index.
119 *
120 * An id is an array index according to ECMA by (15.4):
121 *
122 * "Array objects give special treatment to a certain class of property names.
123 * A property name P (in the form of a string value) is an array index if and
124 * only if ToString(ToUint32(P)) is equal to P and ToUint32(P) is not equal
125 * to 2^32-1."
126 *
127 * In our implementation, it would be sufficient to check for JSVAL_IS_INT(id)
128 * except that by using signed 32-bit integers we miss the top half of the
129 * valid range. This function checks the string representation itself; note
130 * that calling a standard conversion routine might allow strings such as
131 * "08" or "4.0" as array indices, which they are not.
132 */
133 JSBool
134 js_IdIsIndex(jsval id, jsuint *indexp)
135 {
136 JSString *str;
137 jschar *cp;
138
139 if (JSVAL_IS_INT(id)) {
140 jsint i;
141 i = JSVAL_TO_INT(id);
142 if (i < 0)
143 return JS_FALSE;
144 *indexp = (jsuint)i;
145 return JS_TRUE;
146 }
147
148 /* NB: id should be a string, but jsxml.c may call us with an object id. */
149 if (!JSVAL_IS_STRING(id))
150 return JS_FALSE;
151
152 str = JSVAL_TO_STRING(id);
153 cp = JSSTRING_CHARS(str);
154 if (JS7_ISDEC(*cp) && JSSTRING_LENGTH(str) < sizeof(MAXSTR)) {
155 jsuint index = JS7_UNDEC(*cp++);
156 jsuint oldIndex = 0;
157 jsuint c = 0;
158 if (index != 0) {
159 while (JS7_ISDEC(*cp)) {
160 oldIndex = index;
161 c = JS7_UNDEC(*cp);
162 index = 10*index + c;
163 cp++;
164 }
165 }
166
167 /* Ensure that all characters were consumed and we didn't overflow. */
168 if (*cp == 0 &&
169 (oldIndex < (MAXINDEX / 10) ||
170 (oldIndex == (MAXINDEX / 10) && c < (MAXINDEX % 10))))
171 {
172 *indexp = index;
173 return JS_TRUE;
174 }
175 }
176 return JS_FALSE;
177 }
178
179 static jsuint
180 ValueIsLength(JSContext *cx, jsval* vp)
181 {
182 jsint i;
183 jsdouble d;
184 jsuint length;
185
186 if (JSVAL_IS_INT(*vp)) {
187 i = JSVAL_TO_INT(*vp);
188 if (i < 0)
189 goto error;
190 return (jsuint) i;
191 }
192
193 d = js_ValueToNumber(cx, vp);
194 if (JSVAL_IS_NULL(*vp))
195 goto error;
196
197 if (JSDOUBLE_IS_NaN(d))
198 goto error;
199 length = (jsuint) d;
200 if (d != (jsdouble) length)
201 goto error;
202 return length;
203
204 error:
205 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
206 JSMSG_BAD_ARRAY_LENGTH);
207 *vp = JSVAL_NULL;
208 return 0;
209 }
210
211 JSBool
212 js_GetLengthProperty(JSContext *cx, JSObject *obj, jsuint *lengthp)
213 {
214 JSTempValueRooter tvr;
215 jsid id;
216 JSBool ok;
217 jsint i;
218
219 if (OBJ_IS_ARRAY(cx, obj)) {
220 *lengthp = obj->fslots[JSSLOT_ARRAY_LENGTH];
221 return JS_TRUE;
222 }
223
224 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
225 id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
226 ok = OBJ_GET_PROPERTY(cx, obj, id, &tvr.u.value);
227 if (ok) {
228 if (JSVAL_IS_INT(tvr.u.value)) {
229 i = JSVAL_TO_INT(tvr.u.value);
230 *lengthp = (jsuint)i; /* jsuint cast does ToUint32 */
231 } else {
232 *lengthp = js_ValueToECMAUint32(cx, &tvr.u.value);
233 ok = !JSVAL_IS_NULL(tvr.u.value);
234 }
235 }
236 JS_POP_TEMP_ROOT(cx, &tvr);
237 return ok;
238 }
239
240 static JSBool
241 IndexToValue(JSContext *cx, jsdouble index, jsval *vp)
242 {
243 return js_NewWeaklyRootedNumber(cx, index, vp);
244 }
245
246 JSBool JS_FASTCALL
247 js_IndexToId(JSContext *cx, jsuint index, jsid *idp)
248 {
249 JSString *str;
250
251 if (index <= JSVAL_INT_MAX) {
252 *idp = INT_TO_JSID(index);
253 return JS_TRUE;
254 }
255 str = js_NumberToString(cx, index);
256 if (!str)
257 return JS_FALSE;
258 return js_ValueToStringId(cx, STRING_TO_JSVAL(str), idp);
259 }
260
261 static JSBool
262 BigIndexToId(JSContext *cx, JSObject *obj, jsuint index, JSBool createAtom,
263 jsid *idp)
264 {
265 jschar buf[10], *start;
266 JSClass *clasp;
267 JSAtom *atom;
268 JS_STATIC_ASSERT((jsuint)-1 == 4294967295U);
269
270 JS_ASSERT(index > JSVAL_INT_MAX);
271
272 start = JS_ARRAY_END(buf);
273 do {
274 --start;
275 *start = (jschar)('0' + index % 10);
276 index /= 10;
277 } while (index != 0);
278
279 /*
280 * Skip the atomization if the class is known to store atoms corresponding
281 * to big indexes together with elements. In such case we know that the
282 * array does not have an element at the given index if its atom does not
283 * exist. Fast arrays (clasp == &js_ArrayClass) don't use atoms for
284 * any indexes, though it would be rare to see them have a big index
285 * in any case.
286 */
287 if (!createAtom &&
288 ((clasp = OBJ_GET_CLASS(cx, obj)) == &js_SlowArrayClass ||
289 clasp == &js_ArgumentsClass ||
290 clasp == &js_ObjectClass)) {
291 atom = js_GetExistingStringAtom(cx, start, JS_ARRAY_END(buf) - start);
292 if (!atom) {
293 *idp = JSVAL_VOID;
294 return JS_TRUE;
295 }
296 } else {
297 atom = js_AtomizeChars(cx, start, JS_ARRAY_END(buf) - start, 0);
298 if (!atom)
299 return JS_FALSE;
300 }
301
302 *idp = ATOM_TO_JSID(atom);
303 return JS_TRUE;
304 }
305
306 static JSBool
307 ResizeSlots(JSContext *cx, JSObject *obj, uint32 oldsize, uint32 size)
308 {
309 jsval *slots, *newslots;
310
311 if (size == 0) {
312 if (obj->dslots) {
313 JS_free(cx, obj->dslots - 1);
314 obj->dslots = NULL;
315 }
316 return JS_TRUE;
317 }
318
319 if (size > ~(uint32)0 / sizeof(jsval)) {
320 js_ReportAllocationOverflow(cx);
321 return JS_FALSE;
322 }
323
324 slots = obj->dslots ? obj->dslots - 1 : NULL;
325 newslots = (jsval *) JS_realloc(cx, slots, sizeof (jsval) * (size + 1));
326 if (!newslots)
327 return JS_FALSE;
328
329 obj->dslots = newslots + 1;
330 js_SetDenseArrayCapacity(obj, size);
331
332 for (slots = obj->dslots + oldsize; slots < obj->dslots + size; slots++)
333 *slots = JSVAL_HOLE;
334
335 return JS_TRUE;
336 }
337
338 /*
339 * When a dense array with CAPACITY_DOUBLING_MAX or fewer slots needs to grow,
340 * double its capacity, to push() N elements in amortized O(N) time.
341 *
342 * Above this limit, grow by 12.5% each time. Speed is still amortized O(N),
343 * with a higher constant factor, and we waste less space.
344 */
345 #define CAPACITY_DOUBLING_MAX (1024 * 1024)
346
347 /*
348 * Round up all large allocations to a multiple of this (1MB), so as not to
349 * waste space if malloc gives us 1MB-sized chunks (as jemalloc does).
350 */
351 #define CAPACITY_CHUNK (1024 * 1024 / sizeof(jsval))
352
353 static JSBool
354 EnsureCapacity(JSContext *cx, JSObject *obj, uint32 capacity)
355 {
356 uint32 oldsize = js_DenseArrayCapacity(obj);
357
358 if (capacity > oldsize) {
359 /*
360 * If this overflows uint32, capacity is very large. nextsize will end
361 * up being less than capacity, the code below will thus disregard it,
362 * and ResizeSlots will fail.
363 *
364 * The way we use dslots[-1] forces a few +1s and -1s here. For
365 * example, (oldsize * 2 + 1) produces the sequence 7, 15, 31, 63, ...
366 * which makes the total allocation size (with dslots[-1]) a power
367 * of two.
368 */
369 uint32 nextsize = (oldsize <= CAPACITY_DOUBLING_MAX)
370 ? oldsize * 2 + 1
371 : oldsize + (oldsize >> 3);
372
373 capacity = JS_MAX(capacity, nextsize);
374 if (capacity >= CAPACITY_CHUNK)
375 capacity = JS_ROUNDUP(capacity + 1, CAPACITY_CHUNK) - 1; /* -1 for dslots[-1] */
376 else if (capacity < ARRAY_CAPACITY_MIN)
377 capacity = ARRAY_CAPACITY_MIN;
378 return ResizeSlots(cx, obj, oldsize, capacity);
379 }
380 return JS_TRUE;
381 }
382
383 static bool
384 ReallyBigIndexToId(JSContext* cx, jsdouble index, jsid* idp)
385 {
386 JSAutoTempValueRooter dval(cx);
387 if (!js_NewDoubleInRootedValue(cx, index, dval.addr()) ||
388 !js_ValueToStringId(cx, dval.value(), idp)) {
389 return JS_FALSE;
390 }
391 return JS_TRUE;
392 }
393
394 static bool
395 IndexToId(JSContext* cx, JSObject* obj, jsdouble index, JSBool* hole, jsid* idp,
396 JSBool createAtom = JS_FALSE)
397 {
398 if (index <= JSVAL_INT_MAX) {
399 *idp = INT_TO_JSID(index);
400 return JS_TRUE;
401 }
402
403 if (index <= jsuint(-1)) {
404 if (!BigIndexToId(cx, obj, jsuint(index), createAtom, idp))
405 return JS_FALSE;
406 if (hole && JSVAL_IS_VOID(*idp))
407 *hole = JS_TRUE;
408 return JS_TRUE;
409 }
410
411 return ReallyBigIndexToId(cx, index, idp);
412 }
413
414 /*
415 * If the property at the given index exists, get its value into location
416 * pointed by vp and set *hole to false. Otherwise set *hole to true and *vp
417 * to JSVAL_VOID. This function assumes that the location pointed by vp is
418 * properly rooted and can be used as GC-protected storage for temporaries.
419 */
420 static JSBool
421 GetArrayElement(JSContext *cx, JSObject *obj, jsdouble index, JSBool *hole,
422 jsval *vp)
423 {
424 JS_ASSERT(index >= 0);
425 if (OBJ_IS_DENSE_ARRAY(cx, obj) && index < js_DenseArrayCapacity(obj) &&
426 (*vp = obj->dslots[jsuint(index)]) != JSVAL_HOLE) {
427 *hole = JS_FALSE;
428 return JS_TRUE;
429 }
430
431 JSAutoTempIdRooter idr(cx);
432
433 *hole = JS_FALSE;
434 if (!IndexToId(cx, obj, index, hole, idr.addr()))
435 return JS_FALSE;
436 if (*hole) {
437 *vp = JSVAL_VOID;
438 return JS_TRUE;
439 }
440
441 JSObject *obj2;
442 JSProperty *prop;
443 if (!OBJ_LOOKUP_PROPERTY(cx, obj, idr.id(), &obj2, &prop))
444 return JS_FALSE;
445 if (!prop) {
446 *hole = JS_TRUE;
447 *vp = JSVAL_VOID;
448 } else {
449 OBJ_DROP_PROPERTY(cx, obj2, prop);
450 if (!OBJ_GET_PROPERTY(cx, obj, idr.id(), vp))
451 return JS_FALSE;
452 *hole = JS_FALSE;
453 }
454 return JS_TRUE;
455 }
456
457 /*
458 * Set the value of the property at the given index to v assuming v is rooted.
459 */
460 static JSBool
461 SetArrayElement(JSContext *cx, JSObject *obj, jsdouble index, jsval v)
462 {
463 JS_ASSERT(index >= 0);
464
465 if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
466 /* Predicted/prefetched code should favor the remains-dense case. */
467 if (index <= jsuint(-1)) {
468 jsuint idx = jsuint(index);
469 if (!INDEX_TOO_SPARSE(obj, idx)) {
470 JS_ASSERT(idx + 1 > idx);
471 if (!EnsureCapacity(cx, obj, idx + 1))
472 return JS_FALSE;
473 if (index >= uint32(obj->fslots[JSSLOT_ARRAY_LENGTH]))
474 obj->fslots[JSSLOT_ARRAY_LENGTH] = idx + 1;
475 if (obj->dslots[idx] == JSVAL_HOLE)
476 obj->fslots[JSSLOT_ARRAY_COUNT]++;
477 obj->dslots[idx] = v;
478 return JS_TRUE;
479 }
480 }
481
482 if (!js_MakeArraySlow(cx, obj))
483 return JS_FALSE;
484 }
485
486 JSAutoTempIdRooter idr(cx);
487
488 if (!IndexToId(cx, obj, index, NULL, idr.addr(), JS_TRUE))
489 return JS_FALSE;
490 JS_ASSERT(!JSVAL_IS_VOID(idr.id()));
491
492 return OBJ_SET_PROPERTY(cx, obj, idr.id(), &v);
493 }
494
495 static JSBool
496 DeleteArrayElement(JSContext *cx, JSObject *obj, jsdouble index)
497 {
498 JS_ASSERT(index >= 0);
499 if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
500 if (index <= jsuint(-1)) {
501 jsuint idx = jsuint(index);
502 if (!INDEX_TOO_SPARSE(obj, idx) && idx < js_DenseArrayCapacity(obj)) {
503 if (obj->dslots[idx] != JSVAL_HOLE)
504 obj->fslots[JSSLOT_ARRAY_COUNT]--;
505 obj->dslots[idx] = JSVAL_HOLE;
506 return JS_TRUE;
507 }
508 }
509 return JS_TRUE;
510 }
511
512 JSAutoTempIdRooter idr(cx);
513
514 if (!IndexToId(cx, obj, index, NULL, idr.addr()))
515 return JS_FALSE;
516 if (JSVAL_IS_VOID(idr.id()))
517 return JS_TRUE;
518
519 jsval junk;
520 return OBJ_DELETE_PROPERTY(cx, obj, idr.id(), &junk);
521 }
522
523 /*
524 * When hole is true, delete the property at the given index. Otherwise set
525 * its value to v assuming v is rooted.
526 */
527 static JSBool
528 SetOrDeleteArrayElement(JSContext *cx, JSObject *obj, jsdouble index,
529 JSBool hole, jsval v)
530 {
531 if (hole) {
532 JS_ASSERT(JSVAL_IS_VOID(v));
533 return DeleteArrayElement(cx, obj, index);
534 }
535 return SetArrayElement(cx, obj, index, v);
536 }
537
538 JSBool
539 js_SetLengthProperty(JSContext *cx, JSObject *obj, jsdouble length)
540 {
541 jsval v;
542 jsid id;
543
544 if (!IndexToValue(cx, length, &v))
545 return JS_FALSE;
546 id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
547 return OBJ_SET_PROPERTY(cx, obj, id, &v);
548 }
549
550 JSBool
551 js_HasLengthProperty(JSContext *cx, JSObject *obj, jsuint *lengthp)
552 {
553 JSErrorReporter older;
554 JSTempValueRooter tvr;
555 jsid id;
556 JSBool ok;
557
558 older = JS_SetErrorReporter(cx, NULL);
559 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
560 id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
561 ok = OBJ_GET_PROPERTY(cx, obj, id, &tvr.u.value);
562 JS_SetErrorReporter(cx, older);
563 if (ok) {
564 *lengthp = ValueIsLength(cx, &tvr.u.value);
565 ok = !JSVAL_IS_NULL(tvr.u.value);
566 }
567 JS_POP_TEMP_ROOT(cx, &tvr);
568 return ok;
569 }
570
571 JSBool
572 js_IsArrayLike(JSContext *cx, JSObject *obj, JSBool *answerp, jsuint *lengthp)
573 {
574 JSClass *clasp;
575
576 clasp = OBJ_GET_CLASS(cx, obj);
577 *answerp = (clasp == &js_ArgumentsClass || clasp == &js_ArrayClass ||
578 clasp == &js_SlowArrayClass);
579 if (!*answerp) {
580 *lengthp = 0;
581 return JS_TRUE;
582 }
583 return js_GetLengthProperty(cx, obj, lengthp);
584 }
585
586 /*
587 * The 'length' property of all native Array instances is a shared permanent
588 * property of Array.prototype, so it appears to be a direct property of each
589 * array instance delegating to that Array.prototype. It accesses the private
590 * slot reserved by js_ArrayClass.
591 *
592 * Since SpiderMonkey supports cross-class prototype-based delegation, we have
593 * to be careful about the length getter and setter being called on an object
594 * not of Array class. For the getter, we search obj's prototype chain for the
595 * array that caused this getter to be invoked. In the setter case to overcome
596 * the JSPROP_SHARED attribute, we must define a shadowing length property.
597 */
598 static JSBool
599 array_length_getter(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
600 {
601 do {
602 if (OBJ_IS_ARRAY(cx, obj))
603 return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], vp);
604 } while ((obj = OBJ_GET_PROTO(cx, obj)) != NULL);
605 return JS_TRUE;
606 }
607
608 static JSBool
609 array_length_setter(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
610 {
611 jsuint newlen, oldlen, gap, index;
612 jsval junk;
613 JSObject *iter;
614 JSTempValueRooter tvr;
615 JSBool ok;
616
617 if (!OBJ_IS_ARRAY(cx, obj)) {
618 jsid lengthId = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
619
620 return OBJ_DEFINE_PROPERTY(cx, obj, lengthId, *vp, NULL, NULL,
621 JSPROP_ENUMERATE, NULL);
622 }
623
624 newlen = ValueIsLength(cx, vp);
625 if (JSVAL_IS_NULL(*vp))
626 return JS_FALSE;
627 oldlen = obj->fslots[JSSLOT_ARRAY_LENGTH];
628
629 if (oldlen == newlen)
630 return JS_TRUE;
631
632 if (!IndexToValue(cx, newlen, vp))
633 return JS_FALSE;
634
635 if (oldlen < newlen) {
636 obj->fslots[JSSLOT_ARRAY_LENGTH] = newlen;
637 return JS_TRUE;
638 }
639
640 if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
641 /* Don't reallocate if we're not actually shrinking our slots. */
642 jsuint oldsize = js_DenseArrayCapacity(obj);
643 if (oldsize >= newlen && !ResizeSlots(cx, obj, oldsize, newlen))
644 return JS_FALSE;
645 } else if (oldlen - newlen < (1 << 24)) {
646 do {
647 --oldlen;
648 if (!JS_CHECK_OPERATION_LIMIT(cx) ||
649 !DeleteArrayElement(cx, obj, oldlen)) {
650 return JS_FALSE;
651 }
652 } while (oldlen != newlen);
653 } else {
654 /*
655 * We are going to remove a lot of indexes in a presumably sparse
656 * array. So instead of looping through indexes between newlen and
657 * oldlen, we iterate through all properties and remove those that
658 * correspond to indexes in the half-open range [newlen, oldlen). See
659 * bug 322135.
660 */
661 iter = JS_NewPropertyIterator(cx, obj);
662 if (!iter)
663 return JS_FALSE;
664
665 /* Protect iter against GC in OBJ_DELETE_PROPERTY. */
666 JS_PUSH_TEMP_ROOT_OBJECT(cx, iter, &tvr);
667 gap = oldlen - newlen;
668 for (;;) {
669 ok = (JS_CHECK_OPERATION_LIMIT(cx) &&
670 JS_NextProperty(cx, iter, &id));
671 if (!ok)
672 break;
673 if (JSVAL_IS_VOID(id))
674 break;
675 if (js_IdIsIndex(id, &index) && index - newlen < gap) {
676 ok = OBJ_DELETE_PROPERTY(cx, obj, id, &junk);
677 if (!ok)
678 break;
679 }
680 }
681 JS_POP_TEMP_ROOT(cx, &tvr);
682 if (!ok)
683 return JS_FALSE;
684 }
685
686 obj->fslots[JSSLOT_ARRAY_LENGTH] = newlen;
687 return JS_TRUE;
688 }
689
690 static JSBool
691 array_lookupProperty(JSContext *cx, JSObject *obj, jsid id, JSObject **objp,
692 JSProperty **propp)
693 {
694 uint32 i;
695 union { JSProperty *p; jsval *v; } u;
696
697 if (!OBJ_IS_DENSE_ARRAY(cx, obj))
698 return js_LookupProperty(cx, obj, id, objp, propp);
699
700 /*
701 * We have only indexed properties up to capacity (excepting holes), plus
702 * the length property. For all else, we delegate to the prototype.
703 */
704 if (id != ATOM_TO_JSID(cx->runtime->atomState.lengthAtom) &&
705 (!js_IdIsIndex(id, &i) ||
706 obj->fslots[JSSLOT_ARRAY_LENGTH] == 0 ||
707 i >= js_DenseArrayCapacity(obj) ||
708 obj->dslots[i] == JSVAL_HOLE))
709 {
710 JSObject *proto = STOBJ_GET_PROTO(obj);
711
712 if (!proto) {
713 *objp = NULL;
714 *propp = NULL;
715 return JS_TRUE;
716 }
717
718 return OBJ_LOOKUP_PROPERTY(cx, proto, id, objp, propp);
719 }
720
721 /* FIXME 417501: threadsafety: could race with a lookup on another thread.
722 * If we can only have a single lookup active per context, we could
723 * pigeonhole this on the context instead. */
724 JS_ASSERT(JSVAL_IS_VOID(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]));
725 obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER] = (jsval) id;
726 u.v = &(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]);
727 *propp = u.p;
728 *objp = obj;
729 return JS_TRUE;
730 }
731
732 static void
733 array_dropProperty(JSContext *cx, JSObject *obj, JSProperty *prop)
734 {
735 JS_ASSERT_IF(OBJ_IS_DENSE_ARRAY(cx, obj),
736 !JSVAL_IS_VOID(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]));
737 #ifdef DEBUG
738 obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER] = JSVAL_VOID;
739 #endif
740 }
741
742 jsval
743 js_GetDenseArrayElementValue(JSObject *obj, JSProperty *prop)
744 {
745 /* OBJ_IS_DENSE_ARRAY does not use the cx argument. */
746 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
747 JS_ASSERT((void *) prop ==
748 (void *) &(obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]));
749 JS_ASSERT((jsval) prop->id == obj->fslots[JSSLOT_ARRAY_LOOKUP_HOLDER]);
750 JS_ASSERT(JSVAL_IS_INT(prop->id));
751
752 jsint i = JSID_TO_INT(prop->id);
753 JS_ASSERT(i >= 0);
754 jsval v = obj->dslots[i];
755 JS_ASSERT(v != JSVAL_HOLE);
756 return v;
757 }
758
759 static JSBool
760 array_getProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
761 {
762 uint32 i;
763
764 if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom))
765 return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], vp);
766
767 if (id == ATOM_TO_JSID(cx->runtime->atomState.protoAtom)) {
768 *vp = STOBJ_GET_SLOT(obj, JSSLOT_PROTO);
769 return JS_TRUE;
770 }
771
772 if (!OBJ_IS_DENSE_ARRAY(cx, obj))
773 return js_GetProperty(cx, obj, id, vp);
774
775 if (!js_IdIsIndex(ID_TO_VALUE(id), &i) || i >= js_DenseArrayCapacity(obj) ||
776 obj->dslots[i] == JSVAL_HOLE) {
777 JSObject *obj2;
778 JSProperty *prop;
779 JSScopeProperty *sprop;
780
781 JSObject *proto = STOBJ_GET_PROTO(obj);
782 if (!proto) {
783 *vp = JSVAL_VOID;
784 return JS_TRUE;
785 }
786
787 *vp = JSVAL_VOID;
788 if (js_LookupPropertyWithFlags(cx, proto, id, cx->resolveFlags,
789 &obj2, &prop) < 0)
790 return JS_FALSE;
791
792 if (prop) {
793 if (OBJ_IS_NATIVE(obj2)) {
794 sprop = (JSScopeProperty *) prop;
795 if (!js_NativeGet(cx, obj, obj2, sprop, vp))
796 return JS_FALSE;
797 }
798 OBJ_DROP_PROPERTY(cx, obj2, prop);
799 }
800 return JS_TRUE;
801 }
802
803 *vp = obj->dslots[i];
804 return JS_TRUE;
805 }
806
807 static JSBool
808 slowarray_addProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
809 {
810 jsuint index, length;
811
812 if (!js_IdIsIndex(id, &index))
813 return JS_TRUE;
814 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
815 if (index >= length)
816 obj->fslots[JSSLOT_ARRAY_LENGTH] = index + 1;
817 return JS_TRUE;
818 }
819
820 static void
821 slowarray_trace(JSTracer *trc, JSObject *obj)
822 {
823 uint32 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
824
825 JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_SlowArrayClass);
826
827 /*
828 * Move JSSLOT_ARRAY_LENGTH aside to prevent the GC from treating
829 * untagged integer values as objects or strings.
830 */
831 obj->fslots[JSSLOT_ARRAY_LENGTH] = JSVAL_VOID;
832 js_TraceObject(trc, obj);
833 obj->fslots[JSSLOT_ARRAY_LENGTH] = length;
834 }
835
836 static JSObjectOps js_SlowArrayObjectOps;
837
838 static JSObjectOps *
839 slowarray_getObjectOps(JSContext *cx, JSClass *clasp)
840 {
841 return &js_SlowArrayObjectOps;
842 }
843
844 static JSBool
845 array_setProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
846 {
847 uint32 i;
848
849 if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom))
850 return array_length_setter(cx, obj, id, vp);
851
852 if (!OBJ_IS_DENSE_ARRAY(cx, obj))
853 return js_SetProperty(cx, obj, id, vp);
854
855 if (!js_IdIsIndex(id, &i) || INDEX_TOO_SPARSE(obj, i)) {
856 if (!js_MakeArraySlow(cx, obj))
857 return JS_FALSE;
858 return js_SetProperty(cx, obj, id, vp);
859 }
860
861 if (!EnsureCapacity(cx, obj, i + 1))
862 return JS_FALSE;
863
864 if (i >= (uint32)obj->fslots[JSSLOT_ARRAY_LENGTH])
865 obj->fslots[JSSLOT_ARRAY_LENGTH] = i + 1;
866 if (obj->dslots[i] == JSVAL_HOLE)
867 obj->fslots[JSSLOT_ARRAY_COUNT]++;
868 obj->dslots[i] = *vp;
869 return JS_TRUE;
870 }
871
872 JSBool
873 js_PrototypeHasIndexedProperties(JSContext *cx, JSObject *obj)
874 {
875 /*
876 * Walk up the prototype chain and see if this indexed element already
877 * exists. If we hit the end of the prototype chain, it's safe to set the
878 * element on the original object.
879 */
880 while ((obj = JSVAL_TO_OBJECT(obj->fslots[JSSLOT_PROTO])) != NULL) {
881 /*
882 * If the prototype is a non-native object (possibly a dense array), or
883 * a native object (possibly a slow array) that has indexed properties,
884 * return true.
885 */
886 if (!OBJ_IS_NATIVE(obj))
887 return JS_TRUE;
888 if (SCOPE_HAS_INDEXED_PROPERTIES(OBJ_SCOPE(obj)))
889 return JS_TRUE;
890 }
891 return JS_FALSE;
892 }
893
894 #ifdef JS_TRACER
895 JSBool FASTCALL
896 js_Array_dense_setelem(JSContext* cx, JSObject* obj, jsint i, jsval v)
897 {
898 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
899
900 /*
901 * Let the interpreter worry about negative array indexes.
902 */
903 if (i < 0)
904 return JS_FALSE;
905
906 /*
907 * If needed, grow the array as long it remains dense, otherwise fall off trace.
908 */
909 jsuint u = jsuint(i);
910 jsuint capacity = js_DenseArrayCapacity(obj);
911 if ((u >= capacity) && (INDEX_TOO_SPARSE(obj, u) || !EnsureCapacity(cx, obj, u + 1)))
912 return JS_FALSE;
913
914 if (obj->dslots[u] == JSVAL_HOLE) {
915 if (js_PrototypeHasIndexedProperties(cx, obj))
916 return JS_FALSE;
917
918 if (u >= jsuint(obj->fslots[JSSLOT_ARRAY_LENGTH]))
919 obj->fslots[JSSLOT_ARRAY_LENGTH] = u + 1;
920 ++obj->fslots[JSSLOT_ARRAY_COUNT];
921 }
922
923 obj->dslots[u] = v;
924 return JS_TRUE;
925 }
926 #endif
927
928 static JSBool
929 array_defineProperty(JSContext *cx, JSObject *obj, jsid id, jsval value,
930 JSPropertyOp getter, JSPropertyOp setter, uintN attrs,
931 JSProperty **propp)
932 {
933 uint32 i;
934 JSBool isIndex;
935
936 if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom))
937 return JS_TRUE;
938
939 isIndex = js_IdIsIndex(ID_TO_VALUE(id), &i);
940 if (!isIndex || attrs != JSPROP_ENUMERATE) {
941 if (!ENSURE_SLOW_ARRAY(cx, obj))
942 return JS_FALSE;
943 return js_DefineProperty(cx, obj, id, value, getter, setter, attrs, propp);
944 }
945
946 return array_setProperty(cx, obj, id, &value);
947 }
948
949 static JSBool
950 array_getAttributes(JSContext *cx, JSObject *obj, jsid id, JSProperty *prop,
951 uintN *attrsp)
952 {
953 *attrsp = id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)
954 ? JSPROP_PERMANENT : JSPROP_ENUMERATE;
955 return JS_TRUE;
956 }
957
958 static JSBool
959 array_setAttributes(JSContext *cx, JSObject *obj, jsid id, JSProperty *prop,
960 uintN *attrsp)
961 {
962 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
963 JSMSG_CANT_SET_ARRAY_ATTRS);
964 return JS_FALSE;
965 }
966
967 static JSBool
968 array_deleteProperty(JSContext *cx, JSObject *obj, jsval id, jsval *rval)
969 {
970 uint32 i;
971
972 if (!OBJ_IS_DENSE_ARRAY(cx, obj))
973 return js_DeleteProperty(cx, obj, id, rval);
974
975 if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) {
976 *rval = JSVAL_FALSE;
977 return JS_TRUE;
978 }
979
980 if (js_IdIsIndex(id, &i) && i < js_DenseArrayCapacity(obj) &&
981 obj->dslots[i] != JSVAL_HOLE) {
982 obj->fslots[JSSLOT_ARRAY_COUNT]--;
983 obj->dslots[i] = JSVAL_HOLE;
984 }
985
986 *rval = JSVAL_TRUE;
987 return JS_TRUE;
988 }
989
990 /*
991 * JSObjectOps.enumerate implementation.
992 *
993 * For a fast array, JSENUMERATE_INIT captures in the enumeration state both
994 * the length of the array and the bitmap indicating the positions of holes in
995 * the array. This ensures that adding or deleting array elements does not
996 * affect the sequence of indexes JSENUMERATE_NEXT returns.
997 *
998 * For a common case of an array without holes, to represent the state we pack
999 * the (nextEnumerationIndex, arrayLength) pair as a pseudo-boolean jsval.
1000 * This is possible when length <= PACKED_UINT_PAIR_BITS. For arrays with
1001 * greater length or holes we allocate the JSIndexIterState structure and
1002 * store it as an int-tagged private pointer jsval. For a slow array we
1003 * delegate the enumeration implementation to js_Enumerate in
1004 * slowarray_enumerate.
1005 *
1006 * Array mutations can turn a fast array into a slow one after the enumeration
1007 * starts. When this happens, slowarray_enumerate receives a state created
1008 * when the array was fast. To distinguish such fast state from a slow state,
1009 * which is an int-tagged pointer that js_Enumerate creates, we set not one
1010 * but two lowest bits when tagging a JSIndexIterState pointer -- see
1011 * INDEX_ITER_TAG usage below. Thus, when slowarray_enumerate receives a state
1012 * tagged with JSVAL_BOOLEAN or with two lowest bits set, it knows that this
1013 * is a fast state so it calls array_enumerate to continue enumerating the
1014 * indexes present in the original fast array.
1015 */
1016
1017 #define PACKED_UINT_PAIR_BITS 14
1018 #define PACKED_UINT_PAIR_MASK JS_BITMASK(PACKED_UINT_PAIR_BITS)
1019
1020 #define UINT_PAIR_TO_BOOLEAN_JSVAL(i,j) \
1021 (JS_ASSERT((uint32) (i) <= PACKED_UINT_PAIR_MASK), \
1022 JS_ASSERT((uint32) (j) <= PACKED_UINT_PAIR_MASK), \
1023 ((jsval) (i) << (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)) | \
1024 ((jsval) (j) << (JSVAL_TAGBITS)) | \
1025 (jsval) JSVAL_BOOLEAN)
1026
1027 #define BOOLEAN_JSVAL_TO_UINT_PAIR(v,i,j) \
1028 (JS_ASSERT(JSVAL_TAG(v) == JSVAL_BOOLEAN), \
1029 (i) = (uint32) ((v) >> (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)), \
1030 (j) = (uint32) ((v) >> JSVAL_TAGBITS) & PACKED_UINT_PAIR_MASK, \
1031 JS_ASSERT((i) <= PACKED_UINT_PAIR_MASK))
1032
1033 JS_STATIC_ASSERT(PACKED_UINT_PAIR_BITS * 2 + JSVAL_TAGBITS <= JS_BITS_PER_WORD);
1034
1035 typedef struct JSIndexIterState {
1036 uint32 index;
1037 uint32 length;
1038 JSBool hasHoles;
1039
1040 /*
1041 * Variable-length bitmap representing array's holes. It must not be
1042 * accessed when hasHoles is false.
1043 */
1044 jsbitmap holes[1];
1045 } JSIndexIterState;
1046
1047 #define INDEX_ITER_TAG 3
1048
1049 JS_STATIC_ASSERT(JSVAL_INT == 1);
1050
1051 static JSBool
1052 array_enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op,
1053 jsval *statep, jsid *idp)
1054 {
1055 uint32 capacity, i;
1056 JSIndexIterState *ii;
1057
1058 switch (enum_op) {
1059 case JSENUMERATE_INIT:
1060 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
1061 capacity = js_DenseArrayCapacity(obj);
1062 if (idp)
1063 *idp = INT_TO_JSVAL(obj->fslots[JSSLOT_ARRAY_COUNT]);
1064 ii = NULL;
1065 for (i = 0; i != capacity; ++i) {
1066 if (obj->dslots[i] == JSVAL_HOLE) {
1067 if (!ii) {
1068 ii = (JSIndexIterState *)
1069 JS_malloc(cx, offsetof(JSIndexIterState, holes) +
1070 JS_BITMAP_SIZE(capacity));
1071 if (!ii)
1072 return JS_FALSE;
1073 ii->hasHoles = JS_TRUE;
1074 memset(ii->holes, 0, JS_BITMAP_SIZE(capacity));
1075 }
1076 JS_SET_BIT(ii->holes, i);
1077 }
1078 }
1079 if (!ii) {
1080 /* Array has no holes. */
1081 if (capacity <= PACKED_UINT_PAIR_MASK) {
1082 *statep = UINT_PAIR_TO_BOOLEAN_JSVAL(0, capacity);
1083 break;
1084 }
1085 ii = (JSIndexIterState *)
1086 JS_malloc(cx, offsetof(JSIndexIterState, holes));
1087 if (!ii)
1088 return JS_FALSE;
1089 ii->hasHoles = JS_FALSE;
1090 }
1091 ii->index = 0;
1092 ii->length = capacity;
1093 *statep = (jsval) ii | INDEX_ITER_TAG;
1094 JS_ASSERT(*statep & JSVAL_INT);
1095 break;
1096
1097 case JSENUMERATE_NEXT:
1098 if (JSVAL_TAG(*statep) == JSVAL_BOOLEAN) {
1099 BOOLEAN_JSVAL_TO_UINT_PAIR(*statep, i, capacity);
1100 if (i != capacity) {
1101 *idp = INT_TO_JSID(i);
1102 *statep = UINT_PAIR_TO_BOOLEAN_JSVAL(i + 1, capacity);
1103 break;
1104 }
1105 } else {
1106 JS_ASSERT((*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG);
1107 ii = (JSIndexIterState *) (*statep & ~INDEX_ITER_TAG);
1108 i = ii->index;
1109 if (i != ii->length) {
1110 /* Skip holes if any. */
1111 if (ii->hasHoles) {
1112 while (JS_TEST_BIT(ii->holes, i) && ++i != ii->length)
1113 continue;
1114 }
1115 if (i != ii->length) {
1116 ii->index = i + 1;
1117 return js_IndexToId(cx, i, idp);
1118 }
1119 }
1120 }
1121 /* FALL THROUGH */
1122
1123 case JSENUMERATE_DESTROY:
1124 if (JSVAL_TAG(*statep) != JSVAL_BOOLEAN) {
1125 JS_ASSERT((*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG);
1126 ii = (JSIndexIterState *) (*statep & ~INDEX_ITER_TAG);
1127 JS_free(cx, ii);
1128 }
1129 *statep = JSVAL_NULL;
1130 break;
1131 }
1132 return JS_TRUE;
1133 }
1134
1135 static JSBool
1136 slowarray_enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op,
1137 jsval *statep, jsid *idp)
1138 {
1139 JSBool ok;
1140
1141 /* Are we continuing an enumeration that started when we were dense? */
1142 if (enum_op != JSENUMERATE_INIT) {
1143 if (JSVAL_TAG(*statep) == JSVAL_BOOLEAN ||
1144 (*statep & INDEX_ITER_TAG) == INDEX_ITER_TAG) {
1145 return array_enumerate(cx, obj, enum_op, statep, idp);
1146 }
1147 JS_ASSERT((*statep & INDEX_ITER_TAG) == JSVAL_INT);
1148 }
1149 ok = js_Enumerate(cx, obj, enum_op, statep, idp);
1150 JS_ASSERT(*statep == JSVAL_NULL || (*statep & INDEX_ITER_TAG) == JSVAL_INT);
1151 return ok;
1152 }
1153
1154 static void
1155 array_finalize(JSContext *cx, JSObject *obj)
1156 {
1157 if (obj->dslots)
1158 JS_free(cx, obj->dslots - 1);
1159 obj->dslots = NULL;
1160 }
1161
1162 static void
1163 array_trace(JSTracer *trc, JSObject *obj)
1164 {
1165 uint32 capacity;
1166 size_t i;
1167 jsval v;
1168
1169 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
1170
1171 capacity = js_DenseArrayCapacity(obj);
1172 for (i = 0; i < capacity; i++) {
1173 v = obj->dslots[i];
1174 if (JSVAL_IS_TRACEABLE(v)) {
1175 JS_SET_TRACING_INDEX(trc, "array_dslots", i);
1176 JS_CallTracer(trc, JSVAL_TO_TRACEABLE(v), JSVAL_TRACE_KIND(v));
1177 }
1178 }
1179
1180 for (i = JSSLOT_PROTO; i <= JSSLOT_PARENT; ++i) {
1181 v = STOBJ_GET_SLOT(obj, i);
1182 if (JSVAL_IS_TRACEABLE(v)) {
1183 JS_SET_TRACING_DETAILS(trc, js_PrintObjectSlotName, obj, i);
1184 JS_CallTracer(trc, JSVAL_TO_TRACEABLE(v), JSVAL_TRACE_KIND(v));
1185 }
1186 }
1187 }
1188
1189 static JSObjectMap *
1190 array_newObjectMap(JSContext *cx, jsrefcount nrefs, JSObjectOps *ops,
1191 JSClass *clasp, JSObject *obj)
1192 {
1193 #ifdef DEBUG
1194 extern JSClass js_ArrayClass;
1195 extern JSObjectOps js_ArrayObjectOps;
1196 #endif
1197 JSObjectMap *map = (JSObjectMap *) JS_malloc(cx, sizeof(*map));
1198 if (!map)
1199 return NULL;
1200
1201 map->nrefs = nrefs;
1202 JS_ASSERT(ops == &js_ArrayObjectOps);
1203 map->ops = ops;
1204 JS_ASSERT(clasp == &js_ArrayClass);
1205 map->freeslot = JSSLOT_FREE(clasp);
1206
1207 return map;
1208 }
1209
1210 void
1211 array_destroyObjectMap(JSContext *cx, JSObjectMap *map)
1212 {
1213 JS_free(cx, map);
1214 }
1215
1216 JSObjectOps js_ArrayObjectOps = {
1217 array_newObjectMap, array_destroyObjectMap,
1218 array_lookupProperty, array_defineProperty,
1219 array_getProperty, array_setProperty,
1220 array_getAttributes, array_setAttributes,
1221 array_deleteProperty, js_DefaultValue,
1222 array_enumerate, js_CheckAccess,
1223 NULL, array_dropProperty,
1224 NULL, NULL,
1225 NULL, js_HasInstance,
1226 js_SetProtoOrParent, js_SetProtoOrParent,
1227 array_trace, NULL,
1228 NULL, NULL
1229 };
1230
1231 static JSObjectOps *
1232 array_getObjectOps(JSContext *cx, JSClass *clasp)
1233 {
1234 return &js_ArrayObjectOps;
1235 }
1236
1237 JSClass js_ArrayClass = {
1238 "Array",
1239 JSCLASS_HAS_PRIVATE | JSCLASS_HAS_CACHED_PROTO(JSProto_Array) |
1240 JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_NEW_ENUMERATE,
1241 JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub,
1242 JS_EnumerateStub, JS_ResolveStub, js_TryValueOf, array_finalize,
1243 array_getObjectOps, NULL, NULL, NULL,
1244 NULL, NULL, NULL, NULL
1245 };
1246
1247 JSClass js_SlowArrayClass = {
1248 "Array",
1249 JSCLASS_HAS_PRIVATE | JSCLASS_HAS_CACHED_PROTO(JSProto_Array),
1250 slowarray_addProperty, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub,
1251 JS_EnumerateStub, JS_ResolveStub, js_TryValueOf, JS_FinalizeStub,
1252 slowarray_getObjectOps, NULL, NULL, NULL,
1253 NULL, NULL, NULL, NULL
1254 };
1255
1256 /*
1257 * Convert an array object from fast-and-dense to slow-and-flexible.
1258 */
1259 JSBool
1260 js_MakeArraySlow(JSContext *cx, JSObject *obj)
1261 {
1262 JSObjectMap *map, *oldmap;
1263 uint32 i, capacity;
1264
1265 JS_ASSERT(OBJ_GET_CLASS(cx, obj) == &js_ArrayClass);
1266
1267 /* Create a native scope. */
1268 map = js_NewObjectMap(cx, obj->map->nrefs, &js_SlowArrayObjectOps,
1269 &js_SlowArrayClass, obj);
1270 if (!map)
1271 return JS_FALSE;
1272
1273 capacity = js_DenseArrayCapacity(obj);
1274 if (capacity) {
1275 map->freeslot = STOBJ_NSLOTS(obj) + JS_INITIAL_NSLOTS;
1276 obj->dslots[-1] = JS_INITIAL_NSLOTS + capacity;
1277 } else {
1278 map->freeslot = STOBJ_NSLOTS(obj);
1279 }
1280
1281 /* Create new properties pointing to existing values in dslots */
1282 for (i = 0; i < capacity; i++) {
1283 jsid id;
1284 JSScopeProperty *sprop;
1285
1286 if (!JS_ValueToId(cx, INT_TO_JSVAL(i), &id))
1287 goto out_bad;
1288
1289 if (obj->dslots[i] == JSVAL_HOLE) {
1290 obj->dslots[i] = JSVAL_VOID;
1291 continue;
1292 }
1293
1294 sprop = js_AddScopeProperty(cx, (JSScope *)map, id, NULL, NULL,
1295 i + JS_INITIAL_NSLOTS, JSPROP_ENUMERATE,
1296 0, 0);
1297 if (!sprop)
1298 goto out_bad;
1299 }
1300
1301 /*
1302 * Render our formerly-reserved count property GC-safe. If length fits in
1303 * a jsval, set our slow/sparse COUNT to the current length as a jsval, so
1304 * we can tell when only named properties have been added to a dense array
1305 * to make it slow-but-not-sparse.
1306 */
1307 {
1308 uint32 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
1309 obj->fslots[JSSLOT_ARRAY_COUNT] = INT_FITS_IN_JSVAL(length)
1310 ? INT_TO_JSVAL(length)
1311 : JSVAL_VOID;
1312 }
1313
1314 /* Make sure we preserve any flags borrowing bits in classword. */
1315 obj->classword ^= (jsuword) &js_ArrayClass;
1316 obj->classword |= (jsuword) &js_SlowArrayClass;
1317
1318 /* Swap in our new map. */
1319 oldmap = obj->map;
1320 obj->map = map;
1321 array_destroyObjectMap(cx, oldmap);
1322
1323 return JS_TRUE;
1324
1325 out_bad:
1326 js_DestroyObjectMap(cx, map);
1327 return JS_FALSE;
1328 }
1329
1330 enum ArrayToStringOp {
1331 TO_STRING,
1332 TO_LOCALE_STRING,
1333 TO_SOURCE
1334 };
1335
1336 /*
1337 * When op is TO_STRING or TO_LOCALE_STRING sep indicates a separator to use
1338 * or "," when sep is NULL.
1339 * When op is TO_SOURCE sep must be NULL.
1340 */
1341 static JSBool
1342 array_join_sub(JSContext *cx, JSObject *obj, enum ArrayToStringOp op,
1343 JSString *sep, jsval *rval)
1344 {
1345 JSBool ok, hole;
1346 jsuint length, index;
1347 jschar *chars, *ochars;
1348 size_t nchars, growth, seplen, tmplen, extratail;
1349 const jschar *sepstr;
1350 JSString *str;
1351 JSHashEntry *he;
1352 JSAtom *atom;
1353
1354 JS_CHECK_RECURSION(cx, return JS_FALSE);
1355
1356 ok = js_GetLengthProperty(cx, obj, &length);
1357 if (!ok)
1358 return JS_FALSE;
1359
1360 he = js_EnterSharpObject(cx, obj, NULL, &chars);
1361 if (!he)
1362 return JS_FALSE;
1363 #ifdef DEBUG
1364 growth = (size_t) -1;
1365 #endif
1366
1367 /*
1368 * We must check for the sharp bit and skip js_LeaveSharpObject when it is
1369 * set even when op is not TO_SOURCE. A script can overwrite the default
1370 * toSource implementation and trigger a call, for example, to the
1371 * toString method during serialization of the object graph (bug 369696).
1372 */
1373 if (IS_SHARP(he)) {
1374 #if JS_HAS_SHARP_VARS
1375 nchars = js_strlen(chars);
1376 #else
1377 chars[0] = '[';
1378 chars[1] = ']';
1379 chars[2] = 0;
1380 nchars = 2;
1381 #endif
1382 goto make_string;
1383 }
1384
1385 if (op == TO_SOURCE) {
1386 /*
1387 * Always allocate 2 extra chars for closing ']' and terminating 0
1388 * and then preallocate 1 + extratail to include starting '['.
1389 */
1390 extratail = 2;
1391 growth = (1 + extratail) * sizeof(jschar);
1392 if (!chars) {
1393 nchars = 0;
1394 chars = (jschar *) malloc(growth);
1395 if (!chars)
1396 goto done;
1397 } else {
1398 MAKE_SHARP(he);
1399 nchars = js_strlen(chars);
1400 growth += nchars * sizeof(jschar);
1401 chars = (jschar *)realloc((ochars = chars), growth);
1402 if (!chars) {
1403 free(ochars);
1404 goto done;
1405 }
1406 }
1407 chars[nchars++] = '[';
1408 JS_ASSERT(sep == NULL);
1409 sepstr = NULL; /* indicates to use ", " as separator */
1410 seplen = 2;
1411 } else {
1412 /*
1413 * Free any sharp variable definition in chars. Normally, we would
1414 * MAKE_SHARP(he) so that only the first sharp variable annotation is
1415 * a definition, and all the rest are references, but in the current
1416 * case of (op != TO_SOURCE), we don't need chars at all.
1417 */
1418 if (chars)
1419 JS_free(cx, chars);
1420 chars = NULL;
1421 nchars = 0;
1422 extratail = 1; /* allocate extra char for terminating 0 */
1423
1424 /* Return the empty string on a cycle as well as on empty join. */
1425 if (IS_BUSY(he) || length == 0) {
1426 js_LeaveSharpObject(cx, NULL);
1427 *rval = JS_GetEmptyStringValue(cx);
1428 return ok;
1429 }
1430
1431 /* Flag he as BUSY so we can distinguish a cycle from a join-point. */
1432 MAKE_BUSY(he);
1433
1434 if (sep) {
1435 JSSTRING_CHARS_AND_LENGTH(sep, sepstr, seplen);
1436 } else {
1437 sepstr = NULL; /* indicates to use "," as separator */
1438 seplen = 1;
1439 }
1440 }
1441
1442 /* Use rval to locally root each element value as we loop and convert. */
1443 for (index = 0; index < length; index++) {
1444 ok = (JS_CHECK_OPERATION_LIMIT(cx) &&
1445 GetArrayElement(cx, obj, index, &hole, rval));
1446 if (!ok)
1447 goto done;
1448 if (hole ||
1449 (op != TO_SOURCE &&
1450 (JSVAL_IS_VOID(*rval) || JSVAL_IS_NULL(*rval)))) {
1451 str = cx->runtime->emptyString;
1452 } else {
1453 if (op == TO_LOCALE_STRING) {
1454 JSObject *robj;
1455
1456 atom = cx->runtime->atomState.toLocaleStringAtom;
1457 ok = js_ValueToObject(cx, *rval, &robj);
1458 if (ok) {
1459 /* Re-use *rval to protect robj temporarily. */
1460 *rval = OBJECT_TO_JSVAL(robj);
1461 ok = js_TryMethod(cx, robj, atom, 0, NULL, rval);
1462 }
1463 if (!ok)
1464 goto done;
1465 str = js_ValueToString(cx, *rval);
1466 } else if (op == TO_STRING) {
1467 str = js_ValueToString(cx, *rval);
1468 } else {
1469 JS_ASSERT(op == TO_SOURCE);
1470 str = js_ValueToSource(cx, *rval);
1471 }
1472 if (!str) {
1473 ok = JS_FALSE;
1474 goto done;
1475 }
1476 }
1477
1478 /*
1479 * Do not append separator after the last element unless it is a hole
1480 * and we are in toSource. In that case we append single ",".
1481 */
1482 if (index + 1 == length)
1483 seplen = (hole && op == TO_SOURCE) ? 1 : 0;
1484
1485 /* Allocate 1 at end for closing bracket and zero. */
1486 tmplen = JSSTRING_LENGTH(str);
1487 growth = nchars + tmplen + seplen + extratail;
1488 if (nchars > growth || tmplen > growth ||
1489 growth > (size_t)-1 / sizeof(jschar)) {
1490 if (chars) {
1491 free(chars);
1492 chars = NULL;
1493 }
1494 goto done;
1495 }
1496 growth *= sizeof(jschar);
1497 if (!chars) {
1498 chars = (jschar *) malloc(growth);
1499 if (!chars)
1500 goto done;
1501 } else {
1502 chars = (jschar *) realloc((ochars = chars), growth);
1503 if (!chars) {
1504 free(ochars);
1505 goto done;
1506 }
1507 }
1508
1509 js_strncpy(&chars[nchars], JSSTRING_CHARS(str), tmplen);
1510 nchars += tmplen;
1511
1512 if (seplen) {
1513 if (sepstr) {
1514 js_strncpy(&chars[nchars], sepstr, seplen);
1515 } else {
1516 JS_ASSERT(seplen == 1 || seplen == 2);
1517 chars[nchars] = ',';
1518 if (seplen == 2)
1519 chars[nchars + 1] = ' ';
1520 }
1521 nchars += seplen;
1522 }
1523 }
1524
1525 done:
1526 if (op == TO_SOURCE) {
1527 if (chars)
1528 chars[nchars++] = ']';
1529 } else {
1530 CLEAR_BUSY(he);
1531 }
1532 js_LeaveSharpObject(cx, NULL);
1533 if (!ok) {
1534 if (chars)
1535 free(chars);
1536 return ok;
1537 }
1538
1539 make_string:
1540 if (!chars) {
1541 JS_ReportOutOfMemory(cx);
1542 return JS_FALSE;
1543 }
1544 chars[nchars] = 0;
1545 JS_ASSERT(growth == (size_t)-1 || (nchars + 1) * sizeof(jschar) == growth);
1546 str = js_NewString(cx, chars, nchars);
1547 if (!str) {
1548 free(chars);
1549 return JS_FALSE;
1550 }
1551 *rval = STRING_TO_JSVAL(str);
1552 return JS_TRUE;
1553 }
1554
1555 #if JS_HAS_TOSOURCE
1556 static JSBool
1557 array_toSource(JSContext *cx, uintN argc, jsval *vp)
1558 {
1559 JSObject *obj;
1560
1561 obj = JS_THIS_OBJECT(cx, vp);
1562 if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass &&
1563 !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) {
1564 return JS_FALSE;
1565 }
1566 return array_join_sub(cx, obj, TO_SOURCE, NULL, vp);
1567 }
1568 #endif
1569
1570 static JSBool
1571 array_toString(JSContext *cx, uintN argc, jsval *vp)
1572 {
1573 JSObject *obj;
1574
1575 obj = JS_THIS_OBJECT(cx, vp);
1576 if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass &&
1577 !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) {
1578 return JS_FALSE;
1579 }
1580 return array_join_sub(cx, obj, TO_STRING, NULL, vp);
1581 }
1582
1583 static JSBool
1584 array_toLocaleString(JSContext *cx, uintN argc, jsval *vp)
1585 {
1586 JSObject *obj;
1587
1588 obj = JS_THIS_OBJECT(cx, vp);
1589 if (OBJ_GET_CLASS(cx, obj) != &js_SlowArrayClass &&
1590 !JS_InstanceOf(cx, obj, &js_ArrayClass, vp + 2)) {
1591 return JS_FALSE;
1592 }
1593
1594 /*
1595 * Passing comma here as the separator. Need a way to get a
1596 * locale-specific version.
1597 */
1598 return array_join_sub(cx, obj, TO_LOCALE_STRING, NULL, vp);
1599 }
1600
1601 static JSBool
1602 InitArrayElements(JSContext *cx, JSObject *obj, jsuint start, jsuint count, jsval *vector)
1603 {
1604 JS_ASSERT(count < MAXINDEX);
1605 /*
1606 * Optimize for dense arrays so long as adding the given set of elements
1607 * wouldn't otherwise make the array slow.
1608 */
1609 if (OBJ_IS_DENSE_ARRAY(cx, obj) && start <= MAXINDEX - count &&
1610 !INDEX_TOO_BIG(start + count)) {
1611 jsuint newlen = start + count;
1612 JS_ASSERT(jsdouble(start) + count == jsdouble(newlen));
1613 if (!EnsureCapacity(cx, obj, newlen))
1614 return JS_FALSE;
1615
1616 if (newlen > uint32(obj->fslots[JSSLOT_ARRAY_LENGTH]))
1617 obj->fslots[JSSLOT_ARRAY_LENGTH] = newlen;
1618
1619 JS_ASSERT(count < size_t(-1) / sizeof(jsval));
1620 memcpy(obj->dslots + start, vector, sizeof(jsval) * count);
1621 JS_ASSERT_IF(count != 0, obj->dslots[newlen - 1] != JSVAL_HOLE);
1622 return JS_TRUE;
1623 }
1624
1625 jsval* end = vector + count;
1626 while (vector != end && start < MAXINDEX) {
1627 if (!JS_CHECK_OPERATION_LIMIT(cx) ||
1628 !SetArrayElement(cx, obj, start++, *vector++)) {
1629 return JS_FALSE;
1630 }
1631 }
1632
1633 if (vector == end)
1634 return JS_TRUE;
1635
1636 /* Finish out any remaining elements past the max array index. */
1637 if (!ENSURE_SLOW_ARRAY(cx, obj))
1638 return JS_FALSE;
1639
1640 JS_ASSERT(start == MAXINDEX);
1641 jsval tmp[2] = {JSVAL_NULL, JSVAL_NULL};
1642 jsdouble* dp = js_NewWeaklyRootedDouble(cx, MAXINDEX);
1643 if (!dp)
1644 return JS_FALSE;
1645 tmp[0] = DOUBLE_TO_JSVAL(dp);
1646 JSAutoTempValueRooter(cx, JS_ARRAY_LENGTH(tmp), tmp);
1647 JSAutoTempIdRooter idr(cx);
1648 do {
1649 tmp[1] = *vector++;
1650 if (!js_ValueToStringId(cx, tmp[0], idr.addr()) ||
1651 !js_SetProperty(cx, obj, idr.id(), &tmp[1])) {
1652 return JS_FALSE;
1653 }
1654 *dp += 1;
1655 } while (vector != end);
1656
1657 return JS_TRUE;
1658 }
1659
1660 static JSBool
1661 InitArrayObject(JSContext *cx, JSObject *obj, jsuint length, jsval *vector,
1662 JSBool holey = JS_FALSE)
1663 {
1664 JS_ASSERT(OBJ_IS_ARRAY(cx, obj));
1665
1666 obj->fslots[JSSLOT_ARRAY_LENGTH] = length;
1667
1668 if (vector) {
1669 if (!EnsureCapacity(cx, obj, length))
1670 return JS_FALSE;
1671
1672 jsuint count = length;
1673 if (!holey) {
1674 memcpy(obj->dslots, vector, length * sizeof (jsval));
1675 } else {
1676 for (jsuint i = 0; i < length; i++) {
1677 if (vector[i] == JSVAL_HOLE)
1678 --count;
1679 obj->dslots[i] = vector[i];
1680 }
1681 }
1682 obj->fslots[JSSLOT_ARRAY_COUNT] = count;
1683 } else {
1684 obj->fslots[JSSLOT_ARRAY_COUNT] = 0;
1685 }
1686 return JS_TRUE;
1687 }
1688
1689 #ifdef JS_TRACER
1690 static JSString* FASTCALL
1691 Array_p_join(JSContext* cx, JSObject* obj, JSString *str)
1692 {
1693 JSAutoTempValueRooter tvr(cx);
1694 if (!array_join_sub(cx, obj, TO_STRING, str, tvr.addr())) {
1695 cx->builtinStatus |= JSBUILTIN_ERROR;
1696 return NULL;
1697 }
1698 return JSVAL_TO_STRING(tvr.value());
1699 }
1700
1701 static JSString* FASTCALL
1702 Array_p_toString(JSContext* cx, JSObject* obj)
1703 {
1704 JSAutoTempValueRooter tvr(cx);
1705 if (!array_join_sub(cx, obj, TO_STRING, NULL, tvr.addr())) {
1706 cx->builtinStatus |= JSBUILTIN_ERROR;
1707 return NULL;
1708 }
1709 return JSVAL_TO_STRING(tvr.value());
1710 }
1711 #endif
1712
1713 /*
1714 * Perl-inspired join, reverse, and sort.
1715 */
1716 static JSBool
1717 array_join(JSContext *cx, uintN argc, jsval *vp)
1718 {
1719 JSString *str;
1720 JSObject *obj;
1721
1722 if (argc == 0 || JSVAL_IS_VOID(vp[2])) {
1723 str = NULL;
1724 } else {
1725 str = js_ValueToString(cx, vp[2]);
1726 if (!str)
1727 return JS_FALSE;
1728 vp[2] = STRING_TO_JSVAL(str);
1729 }
1730 obj = JS_THIS_OBJECT(cx, vp);
1731 return obj && array_join_sub(cx, obj, TO_STRING, str, vp);
1732 }
1733
1734 static JSBool
1735 array_reverse(JSContext *cx, uintN argc, jsval *vp)
1736 {
1737 JSObject *obj;
1738 JSTempValueRooter tvr;
1739 jsuint len, half, i;
1740 JSBool ok, hole, hole2;
1741
1742 obj = JS_THIS_OBJECT(cx, vp);
1743 if (!obj || !js_GetLengthProperty(cx, obj, &len))
1744 return JS_FALSE;
1745
1746 ok = JS_TRUE;
1747 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
1748 half = len / 2;
1749 for (i = 0; i < half; i++) {
1750 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
1751 GetArrayElement(cx, obj, i, &hole, &tvr.u.value) &&
1752 GetArrayElement(cx, obj, len - i - 1, &hole2, vp) &&
1753 SetOrDeleteArrayElement(cx, obj, len - i - 1, hole, tvr.u.value) &&
1754 SetOrDeleteArrayElement(cx, obj, i, hole2, *vp);
1755 if (!ok)
1756 break;
1757 }
1758 JS_POP_TEMP_ROOT(cx, &tvr);
1759
1760 *vp = OBJECT_TO_JSVAL(obj);
1761 return ok;
1762 }
1763
1764 typedef struct MSortArgs {
1765 size_t elsize;
1766 JSComparator cmp;
1767 void *arg;
1768 JSBool fastcopy;
1769 } MSortArgs;
1770
1771 /* Helper function for js_MergeSort. */
1772 static JS_REQUIRES_STACK JSBool
1773 MergeArrays(MSortArgs *msa, void *src, void *dest, size_t run1, size_t run2)
1774 {
1775 void *arg, *a, *b, *c;
1776 size_t elsize, runtotal;
1777 int cmp_result;
1778 JSComparator cmp;
1779 JSBool fastcopy;
1780
1781 runtotal = run1 + run2;
1782
1783 elsize = msa->elsize;
1784 cmp = msa->cmp;
1785 arg = msa->arg;
1786 fastcopy = msa->fastcopy;
1787
1788 #define CALL_CMP(a, b) \
1789 if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE;
1790
1791 /* Copy runs already in sorted order. */
1792 b = (char *)src + run1 * elsize;
1793 a = (char *)b - elsize;
1794 CALL_CMP(a, b);
1795 if (cmp_result <= 0) {
1796 memcpy(dest, src, runtotal * elsize);
1797 return JS_TRUE;
1798 }
1799
1800 #define COPY_ONE(p,q,n) \
1801 (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n))
1802
1803 a = src;
1804 c = dest;
1805 for (; runtotal != 0; runtotal--) {
1806 JSBool from_a = run2 == 0;
1807 if (!from_a && run1 != 0) {
1808 CALL_CMP(a,b);
1809 from_a = cmp_result <= 0;
1810 }
1811
1812 if (from_a) {
1813 COPY_ONE(c, a, elsize);
1814 run1--;
1815 a = (char *)a + elsize;
1816 } else {
1817 COPY_ONE(c, b, elsize);
1818 run2--;
1819 b = (char *)b + elsize;
1820 }
1821 c = (char *)c + elsize;
1822 }
1823 #undef COPY_ONE
1824 #undef CALL_CMP
1825
1826 return JS_TRUE;
1827 }
1828
1829 /*
1830 * This sort is stable, i.e. sequence of equal elements is preserved.
1831 * See also bug #224128.
1832 */
1833 JS_REQUIRES_STACK JSBool
1834 js_MergeSort(void *src, size_t nel, size_t elsize,
1835 JSComparator cmp, void *arg, void *tmp)
1836 {
1837 void *swap, *vec1, *vec2;
1838 MSortArgs msa;
1839 size_t i, j, lo, hi, run;
1840 JSBool fastcopy;
1841 int cmp_result;
1842
1843 /* Avoid memcpy overhead for word-sized and word-aligned elements. */
1844 fastcopy = (elsize == sizeof(jsval) &&
1845 (((jsuword) src | (jsuword) tmp) & JSVAL_ALIGN) == 0);
1846 #define COPY_ONE(p,q,n) \
1847 (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n))
1848 #define CALL_CMP(a, b) \
1849 if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE;
1850 #define INS_SORT_INT 4
1851
1852 /*
1853 * Apply insertion sort to small chunks to reduce the number of merge
1854 * passes needed.
1855 */
1856 for (lo = 0; lo < nel; lo += INS_SORT_INT) {
1857 hi = lo + INS_SORT_INT;
1858 if (hi >= nel)
1859 hi = nel;
1860 for (i = lo + 1; i < hi; i++) {
1861 vec1 = (char *)src + i * elsize;
1862 vec2 = (char *)vec1 - elsize;
1863 for (j = i; j > lo; j--) {
1864 CALL_CMP(vec2, vec1);
1865 /* "<=" instead of "<" insures the sort is stable */
1866 if (cmp_result <= 0) {
1867 break;
1868 }
1869
1870 /* Swap elements, using "tmp" as tmp storage */
1871 COPY_ONE(tmp, vec2, elsize);
1872 COPY_ONE(vec2, vec1, elsize);
1873 COPY_ONE(vec1, tmp, elsize);
1874 vec1 = vec2;
1875 vec2 = (char *)vec1 - elsize;
1876 }
1877 }
1878 }
1879 #undef CALL_CMP
1880 #undef COPY_ONE
1881
1882 msa.elsize = elsize;
1883 msa.cmp = cmp;
1884 msa.arg = arg;
1885 msa.fastcopy = fastcopy;
1886
1887 vec1 = src;
1888 vec2 = tmp;
1889 for (run = INS_SORT_INT; run < nel; run *= 2) {
1890 for (lo = 0; lo < nel; lo += 2 * run) {
1891 hi = lo + run;
1892 if (hi >= nel) {
1893 memcpy((char *)vec2 + lo * elsize, (char *)vec1 + lo * elsize,
1894 (nel - lo) * elsize);
1895 break;
1896 }
1897 if (!MergeArrays(&msa, (char *)vec1 + lo * elsize,
1898 (char *)vec2 + lo * elsize, run,
1899 hi + run > nel ? nel - hi : run)) {
1900 return JS_FALSE;
1901 }
1902 }
1903 swap = vec1;
1904 vec1 = vec2;
1905 vec2 = swap;
1906 }
1907 if (src != vec1)
1908 memcpy(src, tmp, nel * elsize);
1909
1910 return JS_TRUE;
1911 }
1912
1913 typedef struct CompareArgs {
1914 JSContext *context;
1915 jsval fval;
1916 jsval *elemroot; /* stack needed for js_Invoke */
1917 } CompareArgs;
1918
1919 static JS_REQUIRES_STACK JSBool
1920 sort_compare(void *arg, const void *a, const void *b, int *result)
1921 {
1922 jsval av = *(const jsval *)a, bv = *(const jsval *)b;
1923 CompareArgs *ca = (CompareArgs *) arg;
1924 JSContext *cx = ca->context;
1925 jsval *invokevp, *sp;
1926 jsdouble cmp;
1927
1928 /**
1929 * array_sort deals with holes and undefs on its own and they should not
1930 * come here.
1931 */
1932 JS_ASSERT(!JSVAL_IS_VOID(av));
1933 JS_ASSERT(!JSVAL_IS_VOID(bv));
1934
1935 if (!JS_CHECK_OPERATION_LIMIT(cx))
1936 return JS_FALSE;
1937
1938 invokevp = ca->elemroot;
1939 sp = invokevp;
1940 *sp++ = ca->fval;
1941 *sp++ = JSVAL_NULL;
1942 *sp++ = av;
1943 *sp++ = bv;
1944
1945 if (!js_Invoke(cx, 2, invokevp, 0))
1946 return JS_FALSE;
1947
1948 cmp = js_ValueToNumber(cx, invokevp);
1949 if (JSVAL_IS_NULL(*invokevp))
1950 return JS_FALSE;
1951
1952 /* Clamp cmp to -1, 0, 1. */
1953 *result = 0;
1954 if (!JSDOUBLE_IS_NaN(cmp) && cmp != 0)
1955 *result = cmp > 0 ? 1 : -1;
1956
1957 /*
1958 * XXX else report some kind of error here? ECMA talks about 'consistent
1959 * compare functions' that don't return NaN, but is silent about what the
1960 * result should be. So we currently ignore it.
1961 */
1962
1963 return JS_TRUE;
1964 }
1965
1966 static int
1967 sort_compare_strings(void *arg, const void *a, const void *b, int *result)
1968 {
1969 jsval av = *(const jsval *)a, bv = *(const jsval *)b;
1970
1971 JS_ASSERT(JSVAL_IS_STRING(av));
1972 JS_ASSERT(JSVAL_IS_STRING(bv));
1973 if (!JS_CHECK_OPERATION_LIMIT((JSContext *)arg))
1974 return JS_FALSE;
1975
1976 *result = (int) js_CompareStrings(JSVAL_TO_STRING(av), JSVAL_TO_STRING(bv));
1977 return JS_TRUE;
1978 }
1979
1980 /*
1981 * The array_sort function below assumes JSVAL_NULL is zero in order to
1982 * perform initialization using memset. Other parts of SpiderMonkey likewise
1983 * "know" that JSVAL_NULL is zero; this static assertion covers all cases.
1984 */
1985 JS_STATIC_ASSERT(JSVAL_NULL == 0);
1986
1987 static JS_REQUIRES_STACK JSBool
1988 array_sort(JSContext *cx, uintN argc, jsval *vp)
1989 {
1990 jsval *argv, fval, *vec, *mergesort_tmp, v;
1991 JSObject *obj;
1992 CompareArgs ca;
1993 jsuint len, newlen, i, undefs;
1994 JSTempValueRooter tvr;
1995 JSBool hole;
1996 JSBool ok;
1997 size_t elemsize;
1998 JSString *str;
1999
2000 /*
2001 * Optimize the default compare function case if all of obj's elements
2002 * have values of type string.
2003 */
2004 JSBool all_strings;
2005
2006 argv = JS_ARGV(cx, vp);
2007 if (argc > 0) {
2008 if (JSVAL_IS_PRIMITIVE(argv[0])) {
2009 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
2010 JSMSG_BAD_SORT_ARG);
2011 return JS_FALSE;
2012 }
2013 fval = argv[0]; /* non-default compare function */
2014 } else {
2015 fval = JSVAL_NULL;
2016 }
2017
2018 obj = JS_THIS_OBJECT(cx, vp);
2019 if (!obj || !js_GetLengthProperty(cx, obj, &len))
2020 return JS_FALSE;
2021 if (len == 0) {
2022 *vp = OBJECT_TO_JSVAL(obj);
2023 return JS_TRUE;
2024 }
2025
2026 /*
2027 * We need a temporary array of 2 * len jsvals to hold the array elements
2028 * and the scratch space for merge sort. Check that its size does not
2029 * overflow size_t, which would allow for indexing beyond the end of the
2030 * malloc'd vector.
2031 */
2032 #if JS_BITS_PER_WORD == 32
2033 if ((size_t)len > ~(size_t)0 / (2 * sizeof(jsval))) {
2034 js_ReportAllocationOverflow(cx);
2035 return JS_FALSE;
2036 }
2037 #endif
2038 vec = (jsval *) JS_malloc(cx, 2 * (size_t) len * sizeof(jsval));
2039 if (!vec)
2040 return JS_FALSE;
2041
2042 /*
2043 * Initialize vec as a root. We will clear elements of vec one by
2044 * one while increasing tvr.count when we know that the property at
2045 * the corresponding index exists and its value must be rooted.
2046 *
2047 * In this way when sorting a huge mostly sparse array we will not
2048 * access the tail of vec corresponding to properties that do not
2049 * exist, allowing OS to avoiding committing RAM. See bug 330812.
2050 *
2051 * After this point control must flow through label out: to exit.
2052 */
2053 JS_PUSH_TEMP_ROOT(cx, 0, vec, &tvr);
2054
2055 /*
2056 * By ECMA 262, 15.4.4.11, a property that does not exist (which we
2057 * call a "hole") is always greater than an existing property with
2058 * value undefined and that is always greater than any other property.
2059 * Thus to sort holes and undefs we simply count them, sort the rest
2060 * of elements, append undefs after them and then make holes after
2061 * undefs.
2062 */
2063 undefs = 0;
2064 newlen = 0;
2065 all_strings = JS_TRUE;
2066 for (i = 0; i < len; i++) {
2067 ok = JS_CHECK_OPERATION_LIMIT(cx);
2068 if (!ok)
2069 goto out;
2070
2071 /* Clear vec[newlen] before including it in the rooted set. */
2072 vec[newlen] = JSVAL_NULL;
2073 tvr.count = newlen + 1;
2074 ok = GetArrayElement(cx, obj, i, &hole, &vec[newlen]);
2075 if (!ok)
2076 goto out;
2077
2078 if (hole)
2079 continue;
2080
2081 if (JSVAL_IS_VOID(vec[newlen])) {
2082 ++undefs;
2083 continue;
2084 }
2085
2086 /* We know JSVAL_IS_STRING yields 0 or 1, so avoid a branch via &=. */
2087 all_strings &= JSVAL_IS_STRING(vec[newlen]);
2088
2089 ++newlen;
2090 }
2091
2092 if (newlen == 0) {
2093 /* The array has only holes and undefs. */
2094 ok = JS_TRUE;
2095 goto out;
2096 }
2097
2098 /*
2099 * The first newlen elements of vec are copied from the array object
2100 * (above). The remaining newlen positions are used as GC-rooted scratch
2101 * space for mergesort. We must clear the space before including it to
2102 * the root set covered by tvr.count. We assume JSVAL_NULL==0 to optimize
2103 * initialization using memset.
2104 */
2105 mergesort_tmp = vec + newlen;
2106 memset(mergesort_tmp, 0, newlen * sizeof(jsval));
2107 tvr.count = newlen * 2;
2108
2109 /* Here len == 2 * (newlen + undefs + number_of_holes). */
2110 if (fval == JSVAL_NULL) {
2111 /*
2112 * Sort using the default comparator converting all elements to
2113 * strings.
2114 */
2115 if (all_strings) {
2116 elemsize = sizeof(jsval);
2117 } else {
2118 /*
2119 * To avoid string conversion on each compare we do it only once
2120 * prior to sorting. But we also need the space for the original
2121 * values to recover the sorting result. To reuse
2122 * sort_compare_strings we move the original values to the odd
2123 * indexes in vec, put the string conversion results in the even
2124 * indexes and pass 2 * sizeof(jsval) as an element size to the
2125 * sorting function. In this way sort_compare_strings will only
2126 * see the string values when it casts the compare arguments as
2127 * pointers to jsval.
2128 *
2129 * This requires doubling the temporary storage including the
2130 * scratch space for the merge sort. Since vec already contains
2131 * the rooted scratch space for newlen elements at the tail, we
2132 * can use it to rearrange and convert to strings first and try
2133 * realloc only when we know that we successfully converted all
2134 * the elements.
2135 */
2136 #if JS_BITS_PER_WORD == 32
2137 if ((size_t)newlen > ~(size_t)0 / (4 * sizeof(jsval))) {
2138 js_ReportAllocationOverflow(cx);
2139 ok = JS_FALSE;
2140 goto out;
2141 }
2142 #endif
2143
2144 /*
2145 * Rearrange and string-convert the elements of the vector from
2146 * the tail here and, after sorting, move the results back
2147 * starting from the start to prevent overwrite the existing
2148 * elements.
2149 */
2150 i = newlen;
2151 do {
2152 --i;
2153 ok = JS_CHECK_OPERATION_LIMIT(cx);
2154 if (!ok)
2155 goto out;
2156 v = vec[i];
2157 str = js_ValueToString(cx, v);
2158 if (!str) {
2159 ok = JS_FALSE;
2160 goto out;
2161 }
2162 vec[2 * i] = STRING_TO_JSVAL(str);
2163 vec[2 * i + 1] = v;
2164 } while (i != 0);
2165
2166 JS_ASSERT(tvr.u.array == vec);
2167 vec = (jsval *) JS_realloc(cx, vec,
2168 4 * (size_t) newlen * sizeof(jsval));
2169 if (!vec) {
2170 vec = tvr.u.array;
2171 ok = JS_FALSE;
2172 goto out;
2173 }
2174 tvr.u.array = vec;
2175 mergesort_tmp = vec + 2 * newlen;
2176 memset(mergesort_tmp, 0, newlen * 2 * sizeof(jsval));
2177 tvr.count = newlen * 4;
2178 elemsize = 2 * sizeof(jsval);
2179 }
2180 ok = js_MergeSort(vec, (size_t) newlen, elemsize,
2181 sort_compare_strings, cx, mergesort_tmp);
2182 if (!ok)
2183 goto out;
2184 if (!all_strings) {
2185 /*
2186 * We want to make the following loop fast and to unroot the
2187 * cached results of toString invocations before the operation
2188 * callback has a chance to run the GC. For this reason we do
2189 * not call JS_CHECK_OPERATION_LIMIT in the loop.
2190 */
2191 i = 0;
2192 do {
2193 vec[i] = vec[2 * i + 1];
2194 } while (++i != newlen);
2195 }
2196 } else {
2197 void *mark;
2198
2199 ca.context = cx;
2200 ca.fval = fval;
2201 ca.elemroot = js_AllocStack(cx, 2 + 2, &mark);
2202 if (!ca.elemroot) {
2203 ok = JS_FALSE;
2204 goto out;
2205 }
2206 ok = js_MergeSort(vec, (size_t) newlen, sizeof(jsval),
2207 sort_compare, &ca, mergesort_tmp);
2208 js_FreeStack(cx, mark);
2209 if (!ok)
2210 goto out;
2211 }
2212
2213 /*
2214 * We no longer need to root the scratch space for the merge sort, so
2215 * unroot it now to make the job of a potential GC under InitArrayElements
2216 * easier.
2217 */
2218 tvr.count = newlen;
2219 ok = InitArrayElements(cx, obj, 0, newlen, vec);
2220 if (!ok)
2221 goto out;
2222
2223 out:
2224 JS_POP_TEMP_ROOT(cx, &tvr);
2225 JS_free(cx, vec);
2226 if (!ok)
2227 return JS_FALSE;
2228
2229 /* Set undefs that sorted after the rest of elements. */
2230 while (undefs != 0) {
2231 --undefs;
2232 if (!JS_CHECK_OPERATION_LIMIT(cx) ||
2233 !SetArrayElement(cx, obj, newlen++, JSVAL_VOID)) {
2234 return JS_FALSE;
2235 }
2236 }
2237
2238 /* Re-create any holes that sorted to the end of the array. */
2239 while (len > newlen) {
2240 if (!JS_CHECK_OPERATION_LIMIT(cx) ||
2241 !DeleteArrayElement(cx, obj, --len)) {
2242 return JS_FALSE;
2243 }
2244 }
2245 *vp = OBJECT_TO_JSVAL(obj);
2246 return JS_TRUE;
2247 }
2248
2249 /*
2250 * Perl-inspired push, pop, shift, unshift, and splice methods.
2251 */
2252 static JSBool
2253 array_push_slowly(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
2254 {
2255 jsuint length;
2256
2257 if (!js_GetLengthProperty(cx, obj, &length))
2258 return JS_FALSE;
2259 if (!InitArrayElements(cx, obj, length, argc, argv))
2260 return JS_FALSE;
2261
2262 /* Per ECMA-262, return the new array length. */
2263 jsdouble newlength = length + jsdouble(argc);
2264 if (!IndexToValue(cx, newlength, rval))
2265 return JS_FALSE;
2266 return js_SetLengthProperty(cx, obj, newlength);
2267 }
2268
2269 static JSBool
2270 array_push1_dense(JSContext* cx, JSObject* obj, jsval v, jsval *rval)
2271 {
2272 uint32 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
2273 if (INDEX_TOO_SPARSE(obj, length)) {
2274 if (!js_MakeArraySlow(cx, obj))
2275 return JS_FALSE;
2276 return array_push_slowly(cx, obj, 1, &v, rval);
2277 }
2278
2279 if (!EnsureCapacity(cx, obj, length + 1))
2280 return JS_FALSE;
2281 obj->fslots[JSSLOT_ARRAY_LENGTH] = length + 1;
2282
2283 JS_ASSERT(obj->dslots[length] == JSVAL_HOLE);
2284 obj->fslots[JSSLOT_ARRAY_COUNT]++;
2285 obj->dslots[length] = v;
2286 return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], rval);
2287 }
2288
2289 JSBool JS_FASTCALL
2290 js_ArrayCompPush(JSContext *cx, JSObject *obj, jsval v)
2291 {
2292 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
2293 uint32_t length = (uint32_t) obj->fslots[JSSLOT_ARRAY_LENGTH];
2294 JS_ASSERT(length <= js_DenseArrayCapacity(obj));
2295
2296 if (length == js_DenseArrayCapacity(obj)) {
2297 if (length >= ARRAY_INIT_LIMIT) {
2298 JS_ReportErrorNumberUC(cx, js_GetErrorMessage, NULL,
2299 JSMSG_ARRAY_INIT_TOO_BIG);
2300 return JS_FALSE;
2301 }
2302
2303 if (!EnsureCapacity(cx, obj, length + 1))
2304 return JS_FALSE;
2305 }
2306 obj->fslots[JSSLOT_ARRAY_LENGTH] = length + 1;
2307 obj->fslots[JSSLOT_ARRAY_COUNT]++;
2308 obj->dslots[length] = v;
2309 return JS_TRUE;
2310 }
2311
2312 #ifdef JS_TRACER
2313 static jsval FASTCALL
2314 Array_p_push1(JSContext* cx, JSObject* obj, jsval v)
2315 {
2316 JSAutoTempValueRooter tvr(cx, v);
2317 if (OBJ_IS_DENSE_ARRAY(cx, obj)
2318 ? array_push1_dense(cx, obj, v, tvr.addr())
2319 : array_push_slowly(cx, obj, 1, tvr.addr(), tvr.addr())) {
2320 return tvr.value();
2321 }
2322 cx->builtinStatus |= JSBUILTIN_ERROR;
2323 return JSVAL_VOID;
2324 }
2325 #endif
2326
2327 static JSBool
2328 array_push(JSContext *cx, uintN argc, jsval *vp)
2329 {
2330 JSObject *obj;
2331
2332 /* Insist on one argument and obj of the expected class. */
2333 obj = JS_THIS_OBJECT(cx, vp);
2334 if (!obj)
2335 return JS_FALSE;
2336 if (argc != 1 || !OBJ_IS_DENSE_ARRAY(cx, obj))
2337 return array_push_slowly(cx, obj, argc, vp + 2, vp);
2338
2339 return array_push1_dense(cx, obj, vp[2], vp);
2340 }
2341
2342 static JSBool
2343 array_pop_slowly(JSContext *cx, JSObject* obj, jsval *vp)
2344 {
2345 jsuint index;
2346 JSBool hole;
2347
2348 if (!js_GetLengthProperty(cx, obj, &index))
2349 return JS_FALSE;
2350 if (index == 0) {
2351 *vp = JSVAL_VOID;
2352 } else {
2353 index--;
2354
2355 /* Get the to-be-deleted property's value into vp. */
2356 if (!GetArrayElement(cx, obj, index, &hole, vp))
2357 return JS_FALSE;
2358 if (!hole && !DeleteArrayElement(cx, obj, index))
2359 return JS_FALSE;
2360 }
2361 return js_SetLengthProperty(cx, obj, index);
2362 }
2363
2364 static JSBool
2365 array_pop_dense(JSContext *cx, JSObject* obj, jsval *vp)
2366 {
2367 jsuint index;
2368 JSBool hole;
2369
2370 index = obj->fslots[JSSLOT_ARRAY_LENGTH];
2371 if (index == 0) {
2372 *vp = JSVAL_VOID;
2373 return JS_TRUE;
2374 }
2375 index--;
2376 if (!GetArrayElement(cx, obj, index, &hole, vp))
2377 return JS_FALSE;
2378 if (!hole && !DeleteArrayElement(cx, obj, index))
2379 return JS_FALSE;
2380 obj->fslots[JSSLOT_ARRAY_LENGTH] = index;
2381 return JS_TRUE;
2382 }
2383
2384 #ifdef JS_TRACER
2385 static jsval FASTCALL
2386 Array_p_pop(JSContext* cx, JSObject* obj)
2387 {
2388 JSAutoTempValueRooter tvr(cx);
2389 if (OBJ_IS_DENSE_ARRAY(cx, obj)
2390 ? array_pop_dense(cx, obj, tvr.addr())
2391 : array_pop_slowly(cx, obj, tvr.addr())) {
2392 return tvr.value();
2393 }
2394 cx->builtinStatus |= JSBUILTIN_ERROR;
2395 return JSVAL_VOID;
2396 }
2397 #endif
2398
2399 static JSBool
2400 array_pop(JSContext *cx, uintN argc, jsval *vp)
2401 {
2402 JSObject *obj;
2403
2404 obj = JS_THIS_OBJECT(cx, vp);
2405 if (!obj)
2406 return JS_FALSE;
2407 if (OBJ_IS_DENSE_ARRAY(cx, obj))
2408 return array_pop_dense(cx, obj, vp);
2409 return array_pop_slowly(cx, obj, vp);
2410 }
2411
2412 static JSBool
2413 array_shift(JSContext *cx, uintN argc, jsval *vp)
2414 {
2415 JSObject *obj;
2416 jsuint length, i;
2417 JSBool hole, ok;
2418 JSTempValueRooter tvr;
2419
2420 obj = JS_THIS_OBJECT(cx, vp);
2421 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2422 return JS_FALSE;
2423 if (length == 0) {
2424 *vp = JSVAL_VOID;
2425 } else {
2426 length--;
2427
2428 /* Get the to-be-deleted property's value into vp ASAP. */
2429 if (!GetArrayElement(cx, obj, 0, &hole, vp))
2430 return JS_FALSE;
2431
2432 /* Slide down the array above the first element. */
2433 ok = JS_TRUE;
2434 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
2435 for (i = 0; i != length; i++) {
2436 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2437 GetArrayElement(cx, obj, i + 1, &hole, &tvr.u.value) &&
2438 SetOrDeleteArrayElement(cx, obj, i, hole, tvr.u.value);
2439 if (!ok)
2440 break;
2441 }
2442 JS_POP_TEMP_ROOT(cx, &tvr);
2443 if (!ok)
2444 return JS_FALSE;
2445
2446 /* Delete the only or last element when it exist. */
2447 if (!hole && !DeleteArrayElement(cx, obj, length))
2448 return JS_FALSE;
2449 }
2450 return js_SetLengthProperty(cx, obj, length);
2451 }
2452
2453 static JSBool
2454 array_unshift(JSContext *cx, uintN argc, jsval *vp)
2455 {
2456 JSObject *obj;
2457 jsval *argv;
2458 jsuint length;
2459 JSBool hole, ok;
2460 JSTempValueRooter tvr;
2461 jsdouble last, newlen;
2462
2463 obj = JS_THIS_OBJECT(cx, vp);
2464 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2465 return JS_FALSE;
2466 newlen = length;
2467 if (argc > 0) {
2468 /* Slide up the array to make room for argc at the bottom. */
2469 argv = JS_ARGV(cx, vp);
2470 if (length > 0) {
2471 last = length;
2472 ok = JS_TRUE;
2473 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
2474 do {
2475 --last;
2476 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2477 GetArrayElement(cx, obj, last, &hole, &tvr.u.value) &&
2478 SetOrDeleteArrayElement(cx, obj, last + argc, hole,
2479 tvr.u.value);
2480 if (!ok)
2481 break;
2482 } while (last != 0);
2483 JS_POP_TEMP_ROOT(cx, &tvr);
2484 if (!ok)
2485 return JS_FALSE;
2486 }
2487
2488 /* Copy from argv to the bottom of the array. */
2489 if (!InitArrayElements(cx, obj, 0, argc, argv))
2490 return JS_FALSE;
2491
2492 newlen += argc;
2493 if (!js_SetLengthProperty(cx, obj, newlen))
2494 return JS_FALSE;
2495 }
2496
2497 /* Follow Perl by returning the new array length. */
2498 return IndexToValue(cx, newlen, vp);
2499 }
2500
2501 static JSBool
2502 array_splice(JSContext *cx, uintN argc, jsval *vp)
2503 {
2504 jsval *argv;
2505 JSObject *obj;
2506 jsuint length, begin, end, count, delta, last;
2507 jsdouble d;
2508 JSBool hole, ok;
2509 JSObject *obj2;
2510 JSTempValueRooter tvr;
2511
2512 /*
2513 * Create a new array value to return. Our ECMA v2 proposal specs
2514 * that splice always returns an array value, even when given no
2515 * arguments. We think this is best because it eliminates the need
2516 * for callers to do an extra test to handle the empty splice case.
2517 */
2518 obj2 = js_NewArrayObject(cx, 0, NULL);
2519 if (!obj2)
2520 return JS_FALSE;
2521 *vp = OBJECT_TO_JSVAL(obj2);
2522
2523 /* Nothing to do if no args. Otherwise get length. */
2524 if (argc == 0)
2525 return JS_TRUE;
2526 argv = JS_ARGV(cx, vp);
2527 obj = JS_THIS_OBJECT(cx, vp);
2528 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2529 return JS_FALSE;
2530
2531 /* Convert the first argument into a starting index. */
2532 d = js_ValueToNumber(cx, argv);
2533 if (JSVAL_IS_NULL(*argv))
2534 return JS_FALSE;
2535 d = js_DoubleToInteger(d);
2536 if (d < 0) {
2537 d += length;
2538 if (d < 0)
2539 d = 0;
2540 } else if (d > length) {
2541 d = length;
2542 }
2543 begin = (jsuint)d; /* d has been clamped to uint32 */
2544 argc--;
2545 argv++;
2546
2547 /* Convert the second argument from a count into a fencepost index. */
2548 delta = length - begin;
2549 if (argc == 0) {
2550 count = delta;
2551 end = length;
2552 } else {
2553 d = js_ValueToNumber(cx, argv);
2554 if (JSVAL_IS_NULL(*argv))
2555 return JS_FALSE;
2556 d = js_DoubleToInteger(d);
2557 if (d < 0)
2558 d = 0;
2559 else if (d > delta)
2560 d = delta;
2561 count = (jsuint)d;
2562 end = begin + count;
2563 argc--;
2564 argv++;
2565 }
2566
2567 MUST_FLOW_THROUGH("out");
2568 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
2569
2570 /* If there are elements to remove, put them into the return value. */
2571 if (count > 0) {
2572 for (last = begin; last < end; last++) {
2573 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2574 GetArrayElement(cx, obj, last, &hole, &tvr.u.value);
2575 if (!ok)
2576 goto out;
2577
2578 /* Copy tvr.u.value to new array unless it's a hole. */
2579 if (!hole) {
2580 ok = SetArrayElement(cx, obj2, last - begin, tvr.u.value);
2581 if (!ok)
2582 goto out;
2583 }
2584 }
2585
2586 ok = js_SetLengthProperty(cx, obj2, end - begin);
2587 if (!ok)
2588 goto out;
2589 }
2590
2591 /* Find the direction (up or down) to copy and make way for argv. */
2592 if (argc > count) {
2593 delta = (jsuint)argc - count;
2594 last = length;
2595 /* (uint) end could be 0, so can't use vanilla >= test */
2596 while (last-- > end) {
2597 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2598 GetArrayElement(cx, obj, last, &hole, &tvr.u.value) &&
2599 SetOrDeleteArrayElement(cx, obj, last + delta, hole,
2600 tvr.u.value);
2601 if (!ok)
2602 goto out;
2603 }
2604 length += delta;
2605 } else if (argc < count) {
2606 delta = count - (jsuint)argc;
2607 for (last = end; last < length; last++) {
2608 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2609 GetArrayElement(cx, obj, last, &hole, &tvr.u.value) &&
2610 SetOrDeleteArrayElement(cx, obj, last - delta, hole,
2611 tvr.u.value);
2612 if (!ok)
2613 goto out;
2614 }
2615 length -= delta;
2616 }
2617
2618 /* Copy from argv into the hole to complete the splice. */
2619 ok = InitArrayElements(cx, obj, begin, argc, argv);
2620 if (!ok)
2621 goto out;
2622
2623 /* Update length in case we deleted elements from the end. */
2624 ok = js_SetLengthProperty(cx, obj, length);
2625
2626 out:
2627 JS_POP_TEMP_ROOT(cx, &tvr);
2628 return ok;
2629 }
2630
2631 /*
2632 * Python-esque sequence operations.
2633 */
2634 static JSBool
2635 array_concat(JSContext *cx, uintN argc, jsval *vp)
2636 {
2637 jsval *argv, v;
2638 JSObject *aobj, *nobj;
2639 jsuint length, alength, slot;
2640 uintN i;
2641 JSBool hole, ok;
2642 JSTempValueRooter tvr;
2643
2644 /* Treat our |this| object as the first argument; see ECMA 15.4.4.4. */
2645 argv = JS_ARGV(cx, vp) - 1;
2646 JS_ASSERT(JS_THIS_OBJECT(cx, vp) == JSVAL_TO_OBJECT(argv[0]));
2647
2648 /* Create a new Array object and root it using *vp. */
2649 aobj = JS_THIS_OBJECT(cx, vp);
2650 if (OBJ_IS_DENSE_ARRAY(cx, aobj)) {
2651 /*
2652 * Clone aobj but pass the minimum of its length and capacity, to
2653 * handle a = [1,2,3]; a.length = 10000 "dense" cases efficiently. In
2654 * such a case we'll pass 8 (not 3) due to ARRAY_CAPACITY_MIN, which
2655 * will cause nobj to be over-allocated to 16. But in the normal case
2656 * where length is <= capacity, nobj and aobj will have the same
2657 * capacity.
2658 */
2659 length = aobj->fslots[JSSLOT_ARRAY_LENGTH];
2660 jsuint capacity = js_DenseArrayCapacity(aobj);
2661 nobj = js_NewArrayObject(cx, JS_MIN(length, capacity), aobj->dslots,
2662 aobj->fslots[JSSLOT_ARRAY_COUNT] !=
2663 (jsval) length);
2664 if (!nobj)
2665 return JS_FALSE;
2666 nobj->fslots[JSSLOT_ARRAY_LENGTH] = length;
2667 *vp = OBJECT_TO_JSVAL(nobj);
2668 if (argc == 0)
2669 return JS_TRUE;
2670 argc--;
2671 argv++;
2672 } else {
2673 nobj = js_NewArrayObject(cx, 0, NULL);
2674 if (!nobj)
2675 return JS_FALSE;
2676 *vp = OBJECT_TO_JSVAL(nobj);
2677 length = 0;
2678 }
2679
2680 MUST_FLOW_THROUGH("out");
2681 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
2682
2683 /* Loop over [0, argc] to concat args into nobj, expanding all Arrays. */
2684 for (i = 0; i <= argc; i++) {
2685 ok = JS_CHECK_OPERATION_LIMIT(cx);
2686 if (!ok)
2687 goto out;
2688 v = argv[i];
2689 if (!JSVAL_IS_PRIMITIVE(v)) {
2690 JSObject *wobj;
2691
2692 aobj = JSVAL_TO_OBJECT(v);
2693 wobj = js_GetWrappedObject(cx, aobj);
2694 if (OBJ_IS_ARRAY(cx, wobj)) {
2695 ok = OBJ_GET_PROPERTY(cx, aobj,
2696 ATOM_TO_JSID(cx->runtime->atomState
2697 .lengthAtom),
2698 &tvr.u.value);
2699 if (!ok)
2700 goto out;
2701 alength = ValueIsLength(cx, &tvr.u.value);
2702 ok = !JSVAL_IS_NULL(tvr.u.value);
2703 if (!ok)
2704 goto out;
2705 for (slot = 0; slot < alength; slot++) {
2706 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2707 GetArrayElement(cx, aobj, slot, &hole,
2708 &tvr.u.value);
2709 if (!ok)
2710 goto out;
2711
2712 /*
2713 * Per ECMA 262, 15.4.4.4, step 9, ignore non-existent
2714 * properties.
2715 */
2716 if (!hole) {
2717 ok = SetArrayElement(cx, nobj, length + slot,
2718 tvr.u.value);
2719 if (!ok)
2720 goto out;
2721 }
2722 }
2723 length += alength;
2724 continue;
2725 }
2726 }
2727
2728 ok = SetArrayElement(cx, nobj, length, v);
2729 if (!ok)
2730 goto out;
2731 length++;
2732 }
2733
2734 ok = js_SetLengthProperty(cx, nobj, length);
2735
2736 out:
2737 JS_POP_TEMP_ROOT(cx, &tvr);
2738 return ok;
2739 }
2740
2741 static JSBool
2742 array_slice(JSContext *cx, uintN argc, jsval *vp)
2743 {
2744 jsval *argv;
2745 JSObject *nobj, *obj;
2746 jsuint length, begin, end, slot;
2747 jsdouble d;
2748 JSBool hole, ok;
2749 JSTempValueRooter tvr;
2750
2751 argv = JS_ARGV(cx, vp);
2752
2753 obj = JS_THIS_OBJECT(cx, vp);
2754 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2755 return JS_FALSE;
2756 begin = 0;
2757 end = length;
2758
2759 if (argc > 0) {
2760 d = js_ValueToNumber(cx, &argv[0]);
2761 if (JSVAL_IS_NULL(argv[0]))
2762 return JS_FALSE;
2763 d = js_DoubleToInteger(d);
2764 if (d < 0) {
2765 d += length;
2766 if (d < 0)
2767 d = 0;
2768 } else if (d > length) {
2769 d = length;
2770 }
2771 begin = (jsuint)d;
2772
2773 if (argc > 1) {
2774 d = js_ValueToNumber(cx, &argv[1]);
2775 if (JSVAL_IS_NULL(argv[1]))
2776 return JS_FALSE;
2777 d = js_DoubleToInteger(d);
2778 if (d < 0) {
2779 d += length;
2780 if (d < 0)
2781 d = 0;
2782 } else if (d > length) {
2783 d = length;
2784 }
2785 end = (jsuint)d;
2786 }
2787 }
2788
2789 if (begin > end)
2790 begin = end;
2791
2792 if (OBJ_IS_DENSE_ARRAY(cx, obj) && end <= js_DenseArrayCapacity(obj)) {
2793 nobj = js_NewArrayObject(cx, end - begin, obj->dslots + begin,
2794 obj->fslots[JSSLOT_ARRAY_COUNT] !=
2795 obj->fslots[JSSLOT_ARRAY_LENGTH]);
2796 if (!nobj)
2797 return JS_FALSE;
2798 *vp = OBJECT_TO_JSVAL(nobj);
2799 return JS_TRUE;
2800 }
2801
2802 /* Create a new Array object and root it using *vp. */
2803 nobj = js_NewArrayObject(cx, 0, NULL);
2804 if (!nobj)
2805 return JS_FALSE;
2806 *vp = OBJECT_TO_JSVAL(nobj);
2807
2808 MUST_FLOW_THROUGH("out");
2809 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
2810
2811 for (slot = begin; slot < end; slot++) {
2812 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
2813 GetArrayElement(cx, obj, slot, &hole, &tvr.u.value);
2814 if (!ok)
2815 goto out;
2816 if (!hole) {
2817 ok = SetArrayElement(cx, nobj, slot - begin, tvr.u.value);
2818 if (!ok)
2819 goto out;
2820 }
2821 }
2822 ok = js_SetLengthProperty(cx, nobj, end - begin);
2823
2824 out:
2825 JS_POP_TEMP_ROOT(cx, &tvr);
2826 return ok;
2827 }
2828
2829 #if JS_HAS_ARRAY_EXTRAS
2830
2831 static JSBool
2832 array_indexOfHelper(JSContext *cx, JSBool isLast, uintN argc, jsval *vp)
2833 {
2834 JSObject *obj;
2835 jsuint length, i, stop;
2836 jsval tosearch;
2837 jsint direction;
2838 JSBool hole;
2839
2840 obj = JS_THIS_OBJECT(cx, vp);
2841 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2842 return JS_FALSE;
2843 if (length == 0)
2844 goto not_found;
2845
2846 if (argc <= 1) {
2847 i = isLast ? length - 1 : 0;
2848 tosearch = (argc != 0) ? vp[2] : JSVAL_VOID;
2849 } else {
2850 jsdouble start;
2851
2852 tosearch = vp[2];
2853 start = js_ValueToNumber(cx, &vp[3]);
2854 if (JSVAL_IS_NULL(vp[3]))
2855 return JS_FALSE;
2856 start = js_DoubleToInteger(start);
2857 if (start < 0) {
2858 start += length;
2859 if (start < 0) {
2860 if (isLast)
2861 goto not_found;
2862 i = 0;
2863 } else {
2864 i = (jsuint)start;
2865 }
2866 } else if (start >= length) {
2867 if (!isLast)
2868 goto not_found;
2869 i = length - 1;
2870 } else {
2871 i = (jsuint)start;
2872 }
2873 }
2874
2875 if (isLast) {
2876 stop = 0;
2877 direction = -1;
2878 } else {
2879 stop = length - 1;
2880 direction = 1;
2881 }
2882
2883 for (;;) {
2884 if (!JS_CHECK_OPERATION_LIMIT(cx) ||
2885 !GetArrayElement(cx, obj, (jsuint)i, &hole, vp)) {
2886 return JS_FALSE;
2887 }
2888 if (!hole && js_StrictlyEqual(cx, *vp, tosearch))
2889 return js_NewNumberInRootedValue(cx, i, vp);
2890 if (i == stop)
2891 goto not_found;
2892 i += direction;
2893 }
2894
2895 not_found:
2896 *vp = INT_TO_JSVAL(-1);
2897 return JS_TRUE;
2898 }
2899
2900 static JSBool
2901 array_indexOf(JSContext *cx, uintN argc, jsval *vp)
2902 {
2903 return array_indexOfHelper(cx, JS_FALSE, argc, vp);
2904 }
2905
2906 static JSBool
2907 array_lastIndexOf(JSContext *cx, uintN argc, jsval *vp)
2908 {
2909 return array_indexOfHelper(cx, JS_TRUE, argc, vp);
2910 }
2911
2912 /* Order is important; extras that take a predicate funarg must follow MAP. */
2913 typedef enum ArrayExtraMode {
2914 FOREACH,
2915 REDUCE,
2916 REDUCE_RIGHT,
2917 MAP,
2918 FILTER,
2919 SOME,
2920 EVERY
2921 } ArrayExtraMode;
2922
2923 #define REDUCE_MODE(mode) ((mode) == REDUCE || (mode) == REDUCE_RIGHT)
2924
2925 static JS_REQUIRES_STACK JSBool
2926 array_extra(JSContext *cx, ArrayExtraMode mode, uintN argc, jsval *vp)
2927 {
2928 JSObject *obj;
2929 jsuint length, newlen;
2930 jsval *argv, *elemroot, *invokevp, *sp;
2931 JSBool ok, cond, hole;
2932 JSObject *callable, *thisp, *newarr;
2933 jsint start, end, step, i;
2934 void *mark;
2935
2936 obj = JS_THIS_OBJECT(cx, vp);
2937 if (!obj || !js_GetLengthProperty(cx, obj, &length))
2938 return JS_FALSE;
2939
2940 /*
2941 * First, get or compute our callee, so that we error out consistently
2942 * when passed a non-callable object.
2943 */
2944 if (argc == 0) {
2945 js_ReportMissingArg(cx, vp, 0);
2946 return JS_FALSE;
2947 }
2948 argv = vp + 2;
2949 callable = js_ValueToCallableObject(cx, &argv[0], JSV2F_SEARCH_STACK);
2950 if (!callable)
2951 return JS_FALSE;
2952
2953 /*
2954 * Set our initial return condition, used for zero-length array cases
2955 * (and pre-size our map return to match our known length, for all cases).
2956 */
2957 #ifdef __GNUC__ /* quell GCC overwarning */
2958 newlen = 0;
2959 newarr = NULL;
2960 #endif
2961 start = 0, end = length, step = 1;
2962
2963 switch (mode) {
2964 case REDUCE_RIGHT:
2965 start = length - 1, end = -1, step = -1;
2966 /* FALL THROUGH */
2967 case REDUCE:
2968 if (length == 0 && argc == 1) {
2969 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
2970 JSMSG_EMPTY_ARRAY_REDUCE);
2971 return JS_FALSE;
2972 }
2973 if (argc >= 2) {
2974 *vp = argv[1];
2975 } else {
2976 do {
2977 if (!GetArrayElement(cx, obj, start, &hole, vp))
2978 return JS_FALSE;
2979 start += step;
2980 } while (hole && start != end);
2981
2982 if (hole && start == end) {
2983 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
2984 JSMSG_EMPTY_ARRAY_REDUCE);
2985 return JS_FALSE;
2986 }
2987 }
2988 break;
2989 case MAP:
2990 case FILTER:
2991 newlen = (mode == MAP) ? length : 0;
2992 newarr = js_NewArrayObject(cx, newlen, NULL);
2993 if (!newarr)
2994 return JS_FALSE;
2995 *vp = OBJECT_TO_JSVAL(newarr);
2996 break;
2997 case SOME:
2998 *vp = JSVAL_FALSE;
2999 break;
3000 case EVERY:
3001 *vp = JSVAL_TRUE;
3002 break;
3003 case FOREACH:
3004 *vp = JSVAL_VOID;
3005 break;
3006 }
3007
3008 if (length == 0)
3009 return JS_TRUE;
3010
3011 if (argc > 1 && !REDUCE_MODE(mode)) {
3012 if (!js_ValueToObject(cx, argv[1], &thisp))
3013 return JS_FALSE;
3014 argv[1] = OBJECT_TO_JSVAL(thisp);
3015 } else {
3016 thisp = NULL;
3017 }
3018
3019 /*
3020 * For all but REDUCE, we call with 3 args (value, index, array). REDUCE
3021 * requires 4 args (accum, value, index, array).
3022 */
3023 argc = 3 + REDUCE_MODE(mode);
3024 elemroot = js_AllocStack(cx, 1 + 2 + argc, &mark);
3025 if (!elemroot)
3026 return JS_FALSE;
3027
3028 MUST_FLOW_THROUGH("out");
3029 ok = JS_TRUE;
3030 invokevp = elemroot + 1;
3031
3032 for (i = start; i != end; i += step) {
3033 ok = JS_CHECK_OPERATION_LIMIT(cx) &&
3034 GetArrayElement(cx, obj, i, &hole, elemroot);
3035 if (!ok)
3036 goto out;
3037 if (hole)
3038 continue;
3039
3040 /*
3041 * Push callable and 'this', then args. We must do this for every
3042 * iteration around the loop since js_Invoke uses spbase[0] for return
3043 * value storage, while some native functions use spbase[1] for local
3044 * rooting.
3045 */
3046 sp = invokevp;
3047 *sp++ = OBJECT_TO_JSVAL(callable);
3048 *sp++ = OBJECT_TO_JSVAL(thisp);
3049 if (REDUCE_MODE(mode))
3050 *sp++ = *vp;
3051 *sp++ = *elemroot;
3052 *sp++ = INT_TO_JSVAL(i);
3053 *sp++ = OBJECT_TO_JSVAL(obj);
3054
3055 /* Do the call. */
3056 ok = js_Invoke(cx, argc, invokevp, 0);
3057 if (!ok)
3058 break;
3059
3060 if (mode > MAP)
3061 cond = js_ValueToBoolean(*invokevp);
3062 #ifdef __GNUC__ /* quell GCC overwarning */
3063 else
3064 cond = JS_FALSE;
3065 #endif
3066
3067 switch (mode) {
3068 case FOREACH:
3069 break;
3070 case REDUCE:
3071 case REDUCE_RIGHT:
3072 *vp = *invokevp;
3073 break;
3074 case MAP:
3075 ok = SetArrayElement(cx, newarr, i, *invokevp);
3076 if (!ok)
3077 goto out;
3078 break;
3079 case FILTER:
3080 if (!cond)
3081 break;
3082 /* The filter passed *elemroot, so push it onto our result. */
3083 ok = SetArrayElement(cx, newarr, newlen++, *elemroot);
3084 if (!ok)
3085 goto out;
3086 break;
3087 case SOME:
3088 if (cond) {
3089 *vp = JSVAL_TRUE;
3090 goto out;
3091 }
3092 break;
3093 case EVERY:
3094 if (!cond) {
3095 *vp = JSVAL_FALSE;
3096 goto out;
3097 }
3098 break;
3099 }
3100 }
3101
3102 out:
3103 js_FreeStack(cx, mark);
3104 if (ok && mode == FILTER)
3105 ok = js_SetLengthProperty(cx, newarr, newlen);
3106 return ok;
3107 }
3108
3109 static JS_REQUIRES_STACK JSBool
3110 array_forEach(JSContext *cx, uintN argc, jsval *vp)
3111 {
3112 return array_extra(cx, FOREACH, argc, vp);
3113 }
3114
3115 static JS_REQUIRES_STACK JSBool
3116 array_map(JSContext *cx, uintN argc, jsval *vp)
3117 {
3118 return array_extra(cx, MAP, argc, vp);
3119 }
3120
3121 static JS_REQUIRES_STACK JSBool
3122 array_reduce(JSContext *cx, uintN argc, jsval *vp)
3123 {
3124 return array_extra(cx, REDUCE, argc, vp);
3125 }
3126
3127 static JS_REQUIRES_STACK JSBool
3128 array_reduceRight(JSContext *cx, uintN argc, jsval *vp)
3129 {
3130 return array_extra(cx, REDUCE_RIGHT, argc, vp);
3131 }
3132
3133 static JS_REQUIRES_STACK JSBool
3134 array_filter(JSContext *cx, uintN argc, jsval *vp)
3135 {
3136 return array_extra(cx, FILTER, argc, vp);
3137 }
3138
3139 static JS_REQUIRES_STACK JSBool
3140 array_some(JSContext *cx, uintN argc, jsval *vp)
3141 {
3142 return array_extra(cx, SOME, argc, vp);
3143 }
3144
3145 static JS_REQUIRES_STACK JSBool
3146 array_every(JSContext *cx, uintN argc, jsval *vp)
3147 {
3148 return array_extra(cx, EVERY, argc, vp);
3149 }
3150 #endif
3151
3152 static JSPropertySpec array_props[] = {
3153 {js_length_str, -1, JSPROP_SHARED | JSPROP_PERMANENT,
3154 array_length_getter, array_length_setter},
3155 {0,0,0,0,0}
3156 };
3157
3158 JS_DEFINE_TRCINFO_1(array_toString,
3159 (2, (static, STRING_FAIL, Array_p_toString, CONTEXT, THIS, 0, 0)))
3160 JS_DEFINE_TRCINFO_1(array_join,
3161 (3, (static, STRING_FAIL, Array_p_join, CONTEXT, THIS, STRING, 0, 0)))
3162 JS_DEFINE_TRCINFO_1(array_push,
3163 (3, (static, JSVAL_FAIL, Array_p_push1, CONTEXT, THIS, JSVAL, 0, 0)))
3164 JS_DEFINE_TRCINFO_1(array_pop,
3165 (2, (static, JSVAL_FAIL, Array_p_pop, CONTEXT, THIS, 0, 0)))
3166
3167 static JSFunctionSpec array_methods[] = {
3168 #if JS_HAS_TOSOURCE
3169 JS_FN(js_toSource_str, array_toSource, 0,0),
3170 #endif
3171 JS_TN(js_toString_str, array_toString, 0,0, array_toString_trcinfo),
3172 JS_FN(js_toLocaleString_str,array_toLocaleString,0,0),
3173
3174 /* Perl-ish methods. */
3175 JS_TN("join", array_join, 1,JSFUN_GENERIC_NATIVE, array_join_trcinfo),
3176 JS_FN("reverse", array_reverse, 0,JSFUN_GENERIC_NATIVE),
3177 JS_FN("sort", array_sort, 1,JSFUN_GENERIC_NATIVE),
3178 JS_TN("push", array_push, 1,JSFUN_GENERIC_NATIVE, array_push_trcinfo),
3179 JS_TN("pop", array_pop, 0,JSFUN_GENERIC_NATIVE, array_pop_trcinfo),
3180 JS_FN("shift", array_shift, 0,JSFUN_GENERIC_NATIVE),
3181 JS_FN("unshift", array_unshift, 1,JSFUN_GENERIC_NATIVE),
3182 JS_FN("splice", array_splice, 2,JSFUN_GENERIC_NATIVE),
3183
3184 /* Pythonic sequence methods. */
3185 JS_FN("concat", array_concat, 1,JSFUN_GENERIC_NATIVE),
3186 JS_FN("slice", array_slice, 2,JSFUN_GENERIC_NATIVE),
3187
3188 #if JS_HAS_ARRAY_EXTRAS
3189 JS_FN("indexOf", array_indexOf, 1,JSFUN_GENERIC_NATIVE),
3190 JS_FN("lastIndexOf", array_lastIndexOf, 1,JSFUN_GENERIC_NATIVE),
3191 JS_FN("forEach", array_forEach, 1,JSFUN_GENERIC_NATIVE),
3192 JS_FN("map", array_map, 1,JSFUN_GENERIC_NATIVE),
3193 JS_FN("reduce", array_reduce, 1,JSFUN_GENERIC_NATIVE),
3194 JS_FN("reduceRight", array_reduceRight, 1,JSFUN_GENERIC_NATIVE),
3195 JS_FN("filter", array_filter, 1,JSFUN_GENERIC_NATIVE),
3196 JS_FN("some", array_some, 1,JSFUN_GENERIC_NATIVE),
3197 JS_FN("every", array_every, 1,JSFUN_GENERIC_NATIVE),
3198 #endif
3199
3200 JS_FS_END
3201 };
3202
3203 JSBool
3204 js_Array(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
3205 {
3206 jsuint length;
3207 jsval *vector;
3208
3209 /* If called without new, replace obj with a new Array object. */
3210 if (!JS_IsConstructing(cx)) {
3211 obj = js_NewObject(cx, &js_ArrayClass, NULL, NULL, 0);
3212 if (!obj)
3213 return JS_FALSE;
3214 *rval = OBJECT_TO_JSVAL(obj);
3215 }
3216
3217 if (argc == 0) {
3218 length = 0;
3219 vector = NULL;
3220 } else if (argc > 1) {
3221 length = (jsuint) argc;
3222 vector = argv;
3223 } else if (!JSVAL_IS_NUMBER(argv[0])) {
3224 length = 1;
3225 vector = argv;
3226 } else {
3227 length = ValueIsLength(cx, &argv[0]);
3228 if (JSVAL_IS_NULL(argv[0]))
3229 return JS_FALSE;
3230 vector = NULL;
3231 }
3232 return InitArrayObject(cx, obj, length, vector);
3233 }
3234
3235 JS_STATIC_ASSERT(JSSLOT_PRIVATE == JSSLOT_ARRAY_LENGTH);
3236 JS_STATIC_ASSERT(JSSLOT_ARRAY_LENGTH + 1 == JSSLOT_ARRAY_COUNT);
3237
3238 #ifdef JS_TRACER
3239
3240 JSObject* FASTCALL
3241 js_FastNewArray(JSContext* cx, JSObject* proto)
3242 {
3243 JS_ASSERT(OBJ_IS_ARRAY(cx, proto));
3244
3245 JS_ASSERT(JS_ON_TRACE(cx));
3246 JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));
3247 if (!obj)
3248 return NULL;
3249
3250 JSClass* clasp = &js_ArrayClass;
3251 obj->classword = jsuword(clasp);
3252
3253 obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
3254 obj->fslots[JSSLOT_PARENT] = proto->fslots[JSSLOT_PARENT];
3255
3256 obj->fslots[JSSLOT_ARRAY_LENGTH] = 0;
3257 obj->fslots[JSSLOT_ARRAY_COUNT] = 0;
3258 for (unsigned i = JSSLOT_ARRAY_COUNT + 1; i != JS_INITIAL_NSLOTS; ++i)
3259 obj->fslots[i] = JSVAL_VOID;
3260
3261 JSObjectOps* ops = clasp->getObjectOps(cx, clasp);
3262 obj->map = ops->newObjectMap(cx, 1, ops, clasp, obj);
3263 if (!obj->map)
3264 return NULL;
3265 obj->dslots = NULL;
3266 return obj;
3267 }
3268
3269 JSObject* FASTCALL
3270 js_FastNewArrayWithLength(JSContext* cx, JSObject* proto, uint32 i)
3271 {
3272 JS_ASSERT(JS_ON_TRACE(cx));
3273 JSObject* obj = js_FastNewArray(cx, proto);
3274 if (obj)
3275 obj->fslots[JSSLOT_ARRAY_LENGTH] = i;
3276 return obj;
3277 }
3278
3279 JSObject* FASTCALL
3280 js_NewUninitializedArray(JSContext* cx, JSObject* proto, uint32 len)
3281 {
3282 JSObject *obj = js_FastNewArrayWithLength(cx, proto, len);
3283 if (!obj || !ResizeSlots(cx, obj, 0, JS_MAX(len, ARRAY_CAPACITY_MIN)))
3284 return NULL;
3285 return obj;
3286 }
3287
3288 #define ARRAY_CTOR_GUTS(exact_len, newslots_code) \
3289 JS_ASSERT(JS_ON_TRACE(cx)); \
3290 JSObject* obj = js_FastNewArray(cx, proto); \
3291 if (obj) { \
3292 const uint32 len = ARRAY_CAPACITY_MIN; \
3293 jsval* newslots = (jsval*) JS_malloc(cx, sizeof (jsval) * (len + 1)); \
3294 if (newslots) { \
3295 obj->dslots = newslots + 1; \
3296 js_SetDenseArrayCapacity(obj, len); \
3297 {newslots_code} \
3298 while (++newslots < obj->dslots + len) \
3299 *newslots = JSVAL_HOLE; \
3300 obj->fslots[JSSLOT_ARRAY_LENGTH] = (exact_len); \
3301 return obj; \
3302 } \
3303 } \
3304 return NULL;
3305
3306 JSObject* FASTCALL
3307 js_Array_1str(JSContext* cx, JSObject* proto, JSString *str)
3308 {
3309 ARRAY_CTOR_GUTS(1, *++newslots = STRING_TO_JSVAL(str);)
3310 }
3311
3312 #endif /* JS_TRACER */
3313
3314 JSObject *
3315 js_InitArrayClass(JSContext *cx, JSObject *obj)
3316 {
3317 JSObject *proto;
3318
3319 /* Initialize the ops structure used by slow arrays */
3320 memcpy(&js_SlowArrayObjectOps, &js_ObjectOps, sizeof(JSObjectOps));
3321 js_SlowArrayObjectOps.trace = slowarray_trace;
3322 js_SlowArrayObjectOps.enumerate = slowarray_enumerate;
3323 js_SlowArrayObjectOps.call = NULL;
3324
3325 proto = JS_InitClass(cx, obj, NULL, &js_ArrayClass, js_Array, 1,
3326 array_props, array_methods, NULL, NULL);
3327
3328 /* Initialize the Array prototype object so it gets a length property. */
3329 if (!proto || !InitArrayObject(cx, proto, 0, NULL))
3330 return NULL;
3331 return proto;
3332 }
3333
3334 JSObject *
3335 js_NewArrayObject(JSContext *cx, jsuint length, jsval *vector, JSBool holey)
3336 {
3337 JSTempValueRooter tvr;
3338 JSObject *obj;
3339
3340 obj = js_NewObject(cx, &js_ArrayClass, NULL, NULL, 0);
3341 if (!obj)
3342 return NULL;
3343
3344 JS_PUSH_TEMP_ROOT_OBJECT(cx, obj, &tvr);
3345 if (!InitArrayObject(cx, obj, length, vector, holey))
3346 obj = NULL;
3347 JS_POP_TEMP_ROOT(cx, &tvr);
3348
3349 /* Set/clear newborn root, in case we lost it. */
3350 cx->weakRoots.newborn[GCX_OBJECT] = obj;
3351 return obj;
3352 }
3353
3354 JSObject *
3355 js_NewSlowArrayObject(JSContext *cx)
3356 {
3357 JSObject *obj = js_NewObject(cx, &js_SlowArrayClass, NULL, NULL, 0);
3358 if (obj)
3359 obj->fslots[JSSLOT_ARRAY_LENGTH] = 0;
3360 return obj;
3361 }
3362
3363 #ifdef DEBUG_ARRAYS
3364 JSBool
3365 js_ArrayInfo(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
3366 {
3367 uintN i;
3368 JSObject *array;
3369
3370 for (i = 0; i < argc; i++) {
3371 char *bytes;
3372
3373 bytes = js_DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, argv[i],
3374 NULL);
3375 if (!bytes)
3376 return JS_FALSE;
3377 if (JSVAL_IS_PRIMITIVE(argv[i]) ||
3378 !OBJ_IS_ARRAY(cx, (array = JSVAL_TO_OBJECT(argv[i])))) {
3379 fprintf(stderr, "%s: not array\n", bytes);
3380 JS_free(cx, bytes);
3381 continue;
3382 }
3383 fprintf(stderr, "%s: %s (len %lu", bytes,
3384 OBJ_IS_DENSE_ARRAY(cx, array) ? "dense" : "sparse",
3385 array->fslots[JSSLOT_ARRAY_LENGTH]);
3386 if (OBJ_IS_DENSE_ARRAY(cx, array)) {
3387 fprintf(stderr, ", count %lu, capacity %lu",
3388 array->fslots[JSSLOT_ARRAY_COUNT],
3389 js_DenseArrayCapacity(array));
3390 }
3391 fputs(")\n", stderr);
3392 JS_free(cx, bytes);
3393 }
3394 return JS_TRUE;
3395 }
3396 #endif
3397
3398 JS_FRIEND_API(JSBool)
3399 js_ArrayToJSUint8Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3400 JSUint8 *dest)
3401 {
3402 uint32 length;
3403
3404 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3405 return JS_FALSE;
3406
3407 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3408 if (length < offset + count)
3409 return JS_FALSE;
3410
3411 jsval v;
3412 jsint vi;
3413
3414 JSUint8 *dp = dest;
3415 for (uintN i = offset; i < offset+count; i++) {
3416 v = obj->dslots[i];
3417 if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0)
3418 return JS_FALSE;
3419
3420 *dp++ = (JSUint8) vi;
3421 }
3422
3423 return JS_TRUE;
3424 }
3425
3426 JS_FRIEND_API(JSBool)
3427 js_ArrayToJSUint16Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3428 JSUint16 *dest)
3429 {
3430 uint32 length;
3431
3432 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3433 return JS_FALSE;
3434
3435 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3436 if (length < offset + count)
3437 return JS_FALSE;
3438
3439 jsval v;
3440 jsint vi;
3441
3442 JSUint16 *dp = dest;
3443 for (uintN i = offset; i < offset+count; i++) {
3444 v = obj->dslots[i];
3445 if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0)
3446 return JS_FALSE;
3447
3448 *dp++ = (JSUint16) vi;
3449 }
3450
3451 return JS_TRUE;
3452 }
3453
3454 JS_FRIEND_API(JSBool)
3455 js_ArrayToJSUint32Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3456 JSUint32 *dest)
3457 {
3458 uint32 length;
3459
3460 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3461 return JS_FALSE;
3462
3463 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3464 if (length < offset + count)
3465 return JS_FALSE;
3466
3467 jsval v;
3468 jsint vi;
3469
3470 JSUint32 *dp = dest;
3471 for (uintN i = offset; i < offset+count; i++) {
3472 v = obj->dslots[i];
3473 if (!JSVAL_IS_INT(v) || (vi = JSVAL_TO_INT(v)) < 0)
3474 return JS_FALSE;
3475
3476 *dp++ = (JSUint32) vi;
3477 }
3478
3479 return JS_TRUE;
3480 }
3481
3482 JS_FRIEND_API(JSBool)
3483 js_ArrayToJSInt8Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3484 JSInt8 *dest)
3485 {
3486 uint32 length;
3487
3488 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3489 return JS_FALSE;
3490
3491 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3492 if (length < offset + count)
3493 return JS_FALSE;
3494
3495 jsval v;
3496 JSInt8 *dp = dest;
3497 for (uintN i = offset; i < offset+count; i++) {
3498 v = obj->dslots[i];
3499 if (!JSVAL_IS_INT(v))
3500 return JS_FALSE;
3501
3502 *dp++ = (JSInt8) JSVAL_TO_INT(v);
3503 }
3504
3505 return JS_TRUE;
3506 }
3507
3508 JS_FRIEND_API(JSBool)
3509 js_ArrayToJSInt16Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3510 JSInt16 *dest)
3511 {
3512 uint32 length;
3513
3514 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3515 return JS_FALSE;
3516
3517 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3518 if (length < offset + count)
3519 return JS_FALSE;
3520
3521 jsval v;
3522 JSInt16 *dp = dest;
3523 for (uintN i = offset; i < offset+count; i++) {
3524 v = obj->dslots[i];
3525 if (!JSVAL_IS_INT(v))
3526 return JS_FALSE;
3527
3528 *dp++ = (JSInt16) JSVAL_TO_INT(v);
3529 }
3530
3531 return JS_TRUE;
3532 }
3533
3534 JS_FRIEND_API(JSBool)
3535 js_ArrayToJSInt32Buffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3536 JSInt32 *dest)
3537 {
3538 uint32 length;
3539
3540 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3541 return JS_FALSE;
3542
3543 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3544 if (length < offset + count)
3545 return JS_FALSE;
3546
3547 jsval v;
3548 JSInt32 *dp = dest;
3549 for (uintN i = offset; i < offset+count; i++) {
3550 v = obj->dslots[i];
3551 if (!JSVAL_IS_INT(v))
3552 return JS_FALSE;
3553
3554 *dp++ = (JSInt32) JSVAL_TO_INT(v);
3555 }
3556
3557 return JS_TRUE;
3558 }
3559
3560 JS_FRIEND_API(JSBool)
3561 js_ArrayToJSDoubleBuffer(JSContext *cx, JSObject *obj, jsuint offset, jsuint count,
3562 jsdouble *dest)
3563 {
3564 uint32 length;
3565
3566 if (!obj || !OBJ_IS_DENSE_ARRAY(cx, obj))
3567 return JS_FALSE;
3568
3569 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
3570 if (length < offset + count)
3571 return JS_FALSE;
3572
3573 jsval v;
3574 jsdouble *dp = dest;
3575 for (uintN i = offset; i < offset+count; i++) {
3576 v = obj->dslots[i];
3577 if (JSVAL_IS_INT(v))
3578 *dp++ = (jsdouble) JSVAL_TO_INT(v);
3579 else if (JSVAL_IS_DOUBLE(v))
3580 *dp++ = *(JSVAL_TO_DOUBLE(v));
3581 else
3582 return JS_FALSE;
3583 }
3584
3585 return JS_TRUE;
3586 }
3587
3588 JS_DEFINE_CALLINFO_4(extern, BOOL, js_Array_dense_setelem, CONTEXT, OBJECT, INT32, JSVAL, 0, 0)
3589 JS_DEFINE_CALLINFO_2(extern, OBJECT, js_FastNewArray, CONTEXT, OBJECT, 0, 0)
3590 JS_DEFINE_CALLINFO_3(extern, OBJECT, js_NewUninitializedArray, CONTEXT, OBJECT, UINT32, 0, 0)
3591 JS_DEFINE_CALLINFO_3(extern, OBJECT, js_FastNewArrayWithLength, CONTEXT, OBJECT, UINT32, 0, 0)
3592 JS_DEFINE_CALLINFO_3(extern, OBJECT, js_Array_1str, CONTEXT, OBJECT, STRING, 0, 0)
3593 JS_DEFINE_CALLINFO_3(extern, BOOL, js_ArrayCompPush, CONTEXT, OBJECT, JSVAL, 0, 0)
git mirror of mozilla-central