| blob | 026ddee28ea2a21cb2e8562c7eeee03d458d865d |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set sw=4 ts=8 et tw=78:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS array class.
43 *
44 * Array objects begin as "dense" arrays, optimized for index-only property
45 * access over a vector of slots (obj->dslots) with high load factor. Array
46 * methods optimize for denseness by testing that the object's class is
47 * &js_ArrayClass, and can then directly manipulate the slots for efficiency.
48 *
49 * We track these pieces of metadata for arrays in dense mode:
50 * - the array's length property as a uint32, in JSSLOT_ARRAY_LENGTH,
51 * - the number of indices that are filled (non-holes), in JSSLOT_ARRAY_COUNT,
52 * - the net number of slots starting at dslots (capacity), in dslots[-1] if
53 * dslots is non-NULL.
54 *
55 * In dense mode, holes in the array are represented by JSVAL_HOLE. The final
56 * slot in fslots is unused.
57 *
58 * NB: the capacity and length of a dense array are entirely unrelated! The
59 * length may be greater than, less than, or equal to the capacity. See
60 * array_length_setter for an explanation of how the first, most surprising
61 * case may occur.
62 *
63 * Arrays are converted to use js_SlowArrayClass when any of these conditions
64 * are met:
65 * - the load factor (COUNT / capacity) is less than 0.25, and there are
66 * more than MIN_SPARSE_INDEX slots total
67 * - a property is set that is not indexed (and not "length"); or
68 * - a property is defined that has non-default property attributes.
69 *
70 * Dense arrays do not track property creation order, so unlike other native
71 * objects and slow arrays, enumerating an array does not necessarily visit the
72 * properties in the order they were created. We could instead maintain the
73 * scope to track property enumeration order, but still use the fast slot
74 * access. That would have the same memory cost as just using a
75 * js_SlowArrayClass, but have the same performance characteristics as a dense
76 * array for slot accesses, at some cost in code complexity.
77 */
78 #include <stdlib.h>
79 #include <string.h>
109 /* 2^32 - 1 as a number and a string */
110 #define MAXINDEX 4294967295u
113 /* Small arrays are dense, no matter what. */
114 #define MIN_SPARSE_INDEX 256
118 {
120 }
122 #define INDEX_TOO_SPARSE(array, index) \
123 (INDEX_TOO_BIG(index) || \
124 ((index) > js_DenseArrayCapacity(array) && (index) >= MIN_SPARSE_INDEX && \
125 (index) > (uint32)((array)->fslots[JSSLOT_ARRAY_COUNT] + 1) * 4))
129 #define ENSURE_SLOW_ARRAY(cx, obj) \
130 (OBJ_GET_CLASS(cx, obj) == &js_SlowArrayClass || js_MakeArraySlow(cx, obj))
132 /*
133 * Determine if the id represents an array index or an XML property index.
134 *
135 * An id is an array index according to ECMA by (15.4):
136 *
137 * "Array objects give special treatment to a certain class of property names.
138 * A property name P (in the form of a string value) is an array index if and
139 * only if ToString(ToUint32(P)) is equal to P and ToUint32(P) is not equal
140 * to 2^32-1."
141 *
142 * In our implementation, it would be sufficient to check for JSVAL_IS_INT(id)
143 * except that by using signed 32-bit integers we miss the top half of the
144 * valid range. This function checks the string representation itself; note
145 * that calling a standard conversion routine might allow strings such as
146 * "08" or "4.0" as array indices, which they are not.
147 */
148 JSBool
150 {
155 jsint i;
161 }
163 /* NB: id should be a string, but jsxml.c may call us with an object id. */
178 cp++;
179 }
180 }
182 /* Ensure that all characters were consumed and we didn't overflow. */
186 {
189 }
190 }
192 }
194 static jsuint
196 {
197 jsint i;
198 jsdouble d;
199 jsuint length;
206 }
219 error:
221 JSMSG_BAD_ARRAY_LENGTH);
224 }
226 JSBool
228 {
232 }
241 }
245 }
247 static JSBool
249 {
251 }
253 JSBool JS_FASTCALL
255 {
261 }
266 }
268 static JSBool
271 {
286 /*
287 * Skip the atomization if the class is known to store atoms corresponding
288 * to big indexes together with elements. In such case we know that the
289 * array does not have an element at the given index if its atom does not
290 * exist. Fast arrays (clasp == &js_ArrayClass) don't use atoms for
291 * any indexes, though it would be rare to see them have a big index
292 * in any case.
293 */
302 }
307 }
311 }
313 static JSBool
316 {
323 }
325 }
330 }
343 }
346 }
348 /*
349 * When a dense array with CAPACITY_DOUBLING_MAX or fewer slots needs to grow,
350 * double its capacity, to push() N elements in amortized O(N) time.
351 *
352 * Above this limit, grow by 12.5% each time. Speed is still amortized O(N),
353 * with a higher constant factor, and we waste less space.
354 */
355 #define CAPACITY_DOUBLING_MAX (1024 * 1024)
357 /*
358 * Round up all large allocations to a multiple of this (1MB), so as not to
359 * waste space if malloc gives us 1MB-sized chunks (as jemalloc does).
360 */
361 #define CAPACITY_CHUNK (1024 * 1024 / sizeof(jsval))
363 static JSBool
366 {
370 /*
371 * If this overflows uint32, newcap is very large. nextsize will end
372 * up being less than newcap, the code below will thus disregard it,
373 * and ResizeSlots will fail.
374 *
375 * The way we use dslots[-1] forces a few +1s and -1s here. For
376 * example, (oldcap * 2 + 1) produces the sequence 7, 15, 31, 63, ...
377 * which makes the total allocation size (with dslots[-1]) a power
378 * of two.
379 */
392 /*
393 * Initialize the slots caller didn't actually ask for.
394 */
397 slots++) {
399 }
400 }
401 }
403 }
405 static bool
407 {
412 }
414 }
416 static bool
419 {
423 }
431 }
434 }
436 /*
437 * If the property at the given index exists, get its value into location
438 * pointed by vp and set *hole to false. Otherwise set *hole to true and *vp
439 * to JSVAL_VOID. This function assumes that the location pointed by vp is
440 * properly rooted and can be used as GC-protected storage for temporaries.
441 */
442 static JSBool
445 {
451 }
461 }
475 }
477 }
479 /*
480 * Set the value of the property at the given index to v assuming v is rooted.
481 */
482 static JSBool
484 {
488 /* Predicted/prefetched code should favor the remains-dense case. */
501 }
502 }
506 }
515 }
517 static JSBool
519 {
529 }
530 }
532 }
541 jsval junk;
543 }
545 /*
546 * When hole is true, delete the property at the given index. Otherwise set
547 * its value to v assuming v is rooted.
548 */
549 static JSBool
552 {
556 }
558 }
560 JSBool
562 {
563 jsval v;
564 jsid id;
570 }
572 JSBool
574 {
585 }
587 JSBool
589 {
598 }
600 }
602 /*
603 * The 'length' property of all native Array instances is a shared permanent
604 * property of Array.prototype, so it appears to be a direct property of each
605 * array instance delegating to that Array.prototype. It accesses the private
606 * slot reserved by js_ArrayClass.
607 *
608 * Since SpiderMonkey supports cross-class prototype-based delegation, we have
609 * to be careful about the length getter and setter being called on an object
610 * not of Array class. For the getter, we search obj's prototype chain for the
611 * array that caused this getter to be invoked. In the setter case to overcome
612 * the JSPROP_SHARED attribute, we must define a shadowing length property.
613 */
614 static JSBool
616 {
622 }
624 static JSBool
626 {
628 jsval junk;
630 JSTempValueRooter tvr;
631 JSBool ok;
637 }
653 }
656 /* Don't reallocate if we're not actually shrinking our slots. */
666 }
669 /*
670 * We are going to remove a lot of indexes in a presumably sparse
671 * array. So instead of looping through indexes between newlen and
672 * oldlen, we iterate through all properties and remove those that
673 * correspond to indexes in the half-open range [newlen, oldlen). See
674 * bug 322135.
675 */
680 /* Protect iter against GC under JSObject::deleteProperty. */
694 }
695 }
699 }
703 }
705 /*
706 * We have only indexed properties up to capacity (excepting holes), plus the
707 * length property. For all else, we delegate to the prototype.
708 */
711 {
714 uint32 i;
720 }
722 static JSBool
725 {
733 }
740 }
742 }
744 static void
746 {
748 }
750 JSBool
753 {
757 uint32 i;
761 }
764 }
766 static JSBool
768 {
769 uint32 i;
777 }
792 }
804 }
806 }
808 }
812 }
814 static JSBool
816 {
825 }
827 static JSBool
831 static JSType
833 {
835 }
837 /* The same as js_ObjectOps except for the .enumerate and .call hooks. */
839 NULL,
848 js_HasInstance, js_Clear
849 };
853 {
855 }
857 static JSBool
859 {
860 uint32 i;
872 }
883 }
885 JSBool
887 {
888 /*
889 * Walk up the prototype chain and see if this indexed element already
890 * exists. If we hit the end of the prototype chain, it's safe to set the
891 * element on the original object.
892 */
894 /*
895 * If the prototype is a non-native object (possibly a dense array), or
896 * a native object (possibly a slow array) that has indexed properties,
897 * return true.
898 */
903 }
905 }
907 #ifdef JS_TRACER
911 {
912 /*
913 * Let the interpreter worry about negative array indexes.
914 */
917 /*
918 * Have to check for negative values bleeding through on 64-bit machines only,
919 * since we can't allocate large enough arrays for this on 32-bit machines.
920 */
923 }
925 /*
926 * If needed, grow the array as long it remains dense, otherwise fall off trace.
927 */
940 }
944 }
947 JSBool FASTCALL
949 {
952 }
955 JSBool FASTCALL
957 {
960 jsval v;
967 }
970 }
971 JS_DEFINE_CALLINFO_4(extern, BOOL, js_Array_dense_setelem_int, CONTEXT, OBJECT, INT32, INT32, 0, 0)
973 JSBool FASTCALL
975 {
978 jsval v;
979 jsint j;
986 }
989 }
990 JS_DEFINE_CALLINFO_4(extern, BOOL, js_Array_dense_setelem_double, CONTEXT, OBJECT, INT32, DOUBLE, 0, 0)
991 #endif
993 static JSBool
996 {
998 JSBool isIndex;
1004 if (!isIndex || attrs != JSPROP_ENUMERATE || !OBJ_IS_DENSE_ARRAY(cx, obj) || INDEX_TOO_SPARSE(obj, i)) {
1008 }
1011 }
1013 static JSBool
1016 {
1020 }
1022 static JSBool
1025 {
1027 JSMSG_CANT_SET_ARRAY_ATTRS);
1029 }
1031 static JSBool
1033 {
1034 uint32 i;
1042 }
1048 }
1052 }
1054 /*
1055 * JSObjectOps.enumerate implementation.
1056 *
1057 * For a fast array, JSENUMERATE_INIT captures in the enumeration state both
1058 * the length of the array and the bitmap indicating the positions of holes in
1059 * the array. This ensures that adding or deleting array elements does not
1060 * affect the sequence of indexes JSENUMERATE_NEXT returns.
1061 *
1062 * For a common case of an array without holes, to represent the state we pack
1063 * the (nextEnumerationIndex, arrayLength) pair as a pseudo-boolean jsval.
1064 * This is possible when length <= PACKED_UINT_PAIR_BITS. For arrays with
1065 * greater length or holes we allocate the JSIndexIterState structure and
1066 * store it as an int-tagged private pointer jsval. For a slow array we
1067 * delegate the enumeration implementation to js_Enumerate in
1068 * slowarray_enumerate.
1069 *
1070 * Array mutations can turn a fast array into a slow one after the enumeration
1071 * starts. When this happens, slowarray_enumerate receives a state created
1072 * when the array was fast. To distinguish such fast state from a slow state,
1073 * which is an int-tagged pointer that js_Enumerate creates, we set not one
1074 * but two lowest bits when tagging a JSIndexIterState pointer -- see
1075 * INDEX_ITER_TAG usage below. Thus, when slowarray_enumerate receives a state
1076 * tagged with JSVAL_SPECIAL or with two lowest bits set, it knows that this
1077 * is a fast state so it calls array_enumerate to continue enumerating the
1078 * indexes present in the original fast array.
1079 */
1081 #define PACKED_UINT_PAIR_BITS 14
1082 #define PACKED_UINT_PAIR_MASK JS_BITMASK(PACKED_UINT_PAIR_BITS)
1084 #define UINT_PAIR_TO_SPECIAL_JSVAL(i,j) \
1085 (JS_ASSERT((uint32) (i) <= PACKED_UINT_PAIR_MASK), \
1086 JS_ASSERT((uint32) (j) <= PACKED_UINT_PAIR_MASK), \
1087 ((jsval) (i) << (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)) | \
1088 ((jsval) (j) << (JSVAL_TAGBITS)) | \
1089 (jsval) JSVAL_SPECIAL)
1091 #define SPECIAL_JSVAL_TO_UINT_PAIR(v,i,j) \
1092 (JS_ASSERT(JSVAL_IS_SPECIAL(v)), \
1093 (i) = (uint32) ((v) >> (PACKED_UINT_PAIR_BITS + JSVAL_TAGBITS)), \
1094 (j) = (uint32) ((v) >> JSVAL_TAGBITS) & PACKED_UINT_PAIR_MASK, \
1095 JS_ASSERT((i) <= PACKED_UINT_PAIR_MASK))
1100 uint32 index;
1101 uint32 length;
1102 JSBool hasHoles;
1104 /*
1105 * Variable-length bitmap representing array's holes. It must not be
1106 * accessed when hasHoles is false.
1107 */
1111 #define INDEX_ITER_TAG 3
1115 static JSBool
1118 {
1139 }
1141 }
1142 }
1144 /* Array has no holes. */
1148 }
1154 }
1168 }
1174 /* Skip holes if any. */
1178 }
1182 }
1183 }
1184 }
1185 /* FALL THROUGH */
1192 }
1195 }
1197 }
1199 static JSBool
1202 {
1203 JSBool ok;
1205 /* Are we continuing an enumeration that started when we were dense? */
1210 }
1212 }
1216 }
1218 static void
1220 {
1224 }
1226 static void
1228 {
1229 uint32 capacity;
1231 jsval v;
1242 }
1243 }
1244 }
1250 JSObjectOps js_ArrayObjectOps = {
1260 js_HasInstance, NULL
1261 };
1265 {
1267 }
1269 JSClass js_ArrayClass = {
1273 JSCLASS_NEW_ENUMERATE,
1278 };
1280 JSClass js_SlowArrayClass = {
1282 JSCLASS_HAS_PRIVATE |
1288 };
1290 /*
1291 * Convert an array object from fast-and-dense to slow-and-flexible.
1292 */
1293 JSBool
1295 {
1298 /*
1299 * Create a native scope. All slow arrays other than Array.prototype get
1300 * the same initial shape.
1301 */
1302 uint32 emptyShape;
1305 /* obj is Array.prototype. */
1308 /* arrayProto is Array.prototype. */
1311 }
1313 emptyShape);
1323 }
1325 /* Create new properties pointing to existing values in dslots */
1327 jsid id;
1336 }
1339 JSPROP_ENUMERATE);
1342 }
1344 /*
1345 * Render our formerly-reserved count property GC-safe. If length fits in
1346 * a jsval, set our slow/sparse COUNT to the current length as a jsval, so
1347 * we can tell when only named properties have been added to a dense array
1348 * to make it slow-but-not-sparse.
1349 *
1350 * We do not need to make the length slot GC-safe as this slot is private
1351 * where the implementation can store an arbitrary value.
1352 */
1353 {
1360 }
1362 /* Make sure we preserve any flags borrowing bits in classword. */
1369 out_bad:
1372 }
1374 /* Transfer ownership of buffer to returned string. */
1377 {
1383 }
1385 #if JS_HAS_TOSOURCE
1386 static JSBool
1388 {
1396 }
1398 /* Find joins or cycles in the reachable object graph. */
1405 /* After this point, all paths exit through the 'out' label. */
1409 /*
1410 * This object will take responsibility for the jschar buffer until the
1411 * buffer is transferred to the returned JSString.
1412 */
1415 /* Cycles/joins are indicated by sharp objects. */
1416 #if JS_HAS_SHARP_VARS
1424 }
1425 #else
1431 }
1432 #endif
1437 jsuint length;
1442 /* Use vp to locally root each element value. */
1443 JSBool hole;
1447 }
1449 /* Get element's character string. */
1457 }
1463 /* Append element to buffer. */
1472 }
1473 }
1475 /* Finalize the buffer. */
1479 make_string:
1485 out:
1489 }
1490 #endif
1492 static JSBool
1495 {
1498 /*
1499 * Use HashTable entry as the cycle indicator. On first visit, create the
1500 * entry, and, when leaving, remove the entry.
1501 */
1504 uint32 genBefore;
1506 /* Not in hash table, so not a cycle. */
1510 }
1513 /* Cycle, so return empty string. */
1516 }
1520 /* After this point, all paths exit through the 'out' label. */
1524 /* Get characters to use for the separator. */
1533 }
1535 /*
1536 * This object will take responsibility for the jschar buffer until the
1537 * buffer is transferred to the returned JSString.
1538 */
1541 jsuint length;
1546 /* Use rval to locally root each element value. */
1547 JSBool hole;
1551 }
1553 /* Get element's character string. */
1556 /* Work on obj.toLocalString() instead. */
1565 }
1569 }
1571 /* Append the separator. */
1575 }
1576 }
1578 /* Finalize the buffer. */
1584 out:
1587 else
1590 }
1592 static JSBool
1594 {
1602 }
1605 }
1607 static JSBool
1609 {
1617 }
1619 /*
1620 * Passing comma here as the separator. Need a way to get a
1621 * locale-specific version.
1622 */
1624 }
1627 TargetElementsAllHoles,
1628 TargetElementsMayContainValues
1629 };
1632 SourceVectorAllValues,
1633 SourceVectorMayContainHoles
1634 };
1636 static JSBool
1639 {
1642 /*
1643 * Optimize for dense arrays so long as adding the given set of elements
1644 * wouldn't otherwise make the array slow.
1645 */
1649 #ifdef DEBUG_jwalden
1650 {
1651 /* Verify that overwriteType and writeType were accurate. */
1663 }
1664 }
1665 }
1666 #endif
1681 valueCount++;
1682 }
1685 }
1693 valueCount++;
1694 }
1696 }
1699 }
1706 }
1707 }
1712 /* Finish out any remaining elements past the max array index. */
1729 }
1734 }
1736 static JSBool
1739 {
1756 }
1757 }
1761 }
1763 }
1765 #ifdef JS_TRACER
1768 {
1773 }
1775 }
1779 {
1784 }
1786 }
1787 #endif
1789 /*
1790 * Perl-inspired join, reverse, and sort.
1791 */
1792 static JSBool
1794 {
1805 }
1808 }
1810 static JSBool
1812 {
1813 jsuint len;
1820 /* An empty array or an array with no elements is already reversed. */
1824 /*
1825 * It's actually surprisingly complicated to reverse an array due to the
1826 * orthogonality of array length and array capacity while handling
1827 * leading and trailing holes correctly. Reversing seems less likely to
1828 * be a common operation than other array mass-mutation methods, so for
1829 * now just take a probably-small memory hit (in the absence of too many
1830 * holes in the array at its start) and ensure that the capacity is
1831 * sufficient to hold all the elements in the array if it were full.
1832 */
1842 }
1844 /*
1845 * Per ECMA-262, don't update the length of the array, even if the new
1846 * array has trailing holes (and thus the original array began with
1847 * holes).
1848 */
1850 }
1861 }
1862 }
1865 }
1869 JSComparator cmp;
1871 JSBool fastcopy;
1874 /* Helper function for js_MergeSort. */
1875 static JSBool
1877 {
1881 JSComparator cmp;
1882 JSBool fastcopy;
1891 #define CALL_CMP(a, b) \
1892 if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE;
1894 /* Copy runs already in sorted order. */
1901 }
1903 #define COPY_ONE(p,q,n) \
1904 (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n))
1913 }
1917 run1--;
1921 run2--;
1923 }
1925 }
1926 #undef COPY_ONE
1927 #undef CALL_CMP
1930 }
1932 /*
1933 * This sort is stable, i.e. sequence of equal elements is preserved.
1934 * See also bug #224128.
1935 */
1936 JSBool
1939 {
1941 MSortArgs msa;
1943 JSBool fastcopy;
1946 /* Avoid memcpy overhead for word-sized and word-aligned elements. */
1949 #define COPY_ONE(p,q,n) \
1950 (fastcopy ? (void)(*(jsval*)(p) = *(jsval*)(q)) : (void)memcpy(p, q, n))
1951 #define CALL_CMP(a, b) \
1952 if (!cmp(arg, (a), (b), &cmp_result)) return JS_FALSE;
1953 #define INS_SORT_INT 4
1955 /*
1956 * Apply insertion sort to small chunks to reduce the number of merge
1957 * passes needed.
1958 */
1968 /* "<=" instead of "<" insures the sort is stable */
1971 }
1973 /* Swap elements, using "tmp" as tmp storage */
1979 }
1980 }
1981 }
1982 #undef CALL_CMP
1983 #undef COPY_ONE
1999 }
2004 }
2005 }
2009 }
2014 }
2018 jsval fval;
2022 static JS_REQUIRES_STACK JSBool
2024 {
2029 jsdouble cmp;
2031 /**
2032 * array_sort deals with holes and undefs on its own and they should not
2033 * come here.
2034 */
2055 /* Clamp cmp to -1, 0, 1. */
2060 /*
2061 * XXX else report some kind of error here? ECMA talks about 'consistent
2062 * compare functions' that don't return NaN, but is silent about what the
2063 * result should be. So we currently ignore it.
2064 */
2067 }
2074 {
2076 }
2078 static int
2080 {
2090 }
2092 /*
2093 * The array_sort function below assumes JSVAL_NULL is zero in order to
2094 * perform initialization using memset. Other parts of SpiderMonkey likewise
2095 * "know" that JSVAL_NULL is zero; this static assertion covers all cases.
2096 */
2099 static JSBool
2101 {
2104 CompareArgs ca;
2106 JSTempValueRooter tvr;
2107 JSBool hole;
2108 JSBool ok;
2112 /*
2113 * Optimize the default compare function case if all of obj's elements
2114 * have values of type string.
2115 */
2116 JSBool all_strings;
2122 JSMSG_BAD_SORT_ARG);
2124 }
2128 }
2136 }
2138 /*
2139 * We need a temporary array of 2 * len jsvals to hold the array elements
2140 * and the scratch space for merge sort. Check that its size does not
2141 * overflow size_t, which would allow for indexing beyond the end of the
2142 * malloc'd vector.
2143 */
2144 #if JS_BITS_PER_WORD == 32
2148 }
2149 #endif
2154 /*
2155 * Initialize vec as a root. We will clear elements of vec one by
2156 * one while increasing tvr.count when we know that the property at
2157 * the corresponding index exists and its value must be rooted.
2158 *
2159 * In this way when sorting a huge mostly sparse array we will not
2160 * access the tail of vec corresponding to properties that do not
2161 * exist, allowing OS to avoiding committing RAM. See bug 330812.
2162 *
2163 * After this point control must flow through label out: to exit.
2164 */
2167 /*
2168 * By ECMA 262, 15.4.4.11, a property that does not exist (which we
2169 * call a "hole") is always greater than an existing property with
2170 * value undefined and that is always greater than any other property.
2171 * Thus to sort holes and undefs we simply count them, sort the rest
2172 * of elements, append undefs after them and then make holes after
2173 * undefs.
2174 */
2183 /* Clear vec[newlen] before including it in the rooted set. */
2196 }
2198 /* We know JSVAL_IS_STRING yields 0 or 1, so avoid a branch via &=. */
2202 }
2205 /* The array has only holes and undefs. */
2208 }
2210 /*
2211 * The first newlen elements of vec are copied from the array object
2212 * (above). The remaining newlen positions are used as GC-rooted scratch
2213 * space for mergesort. We must clear the space before including it to
2214 * the root set covered by tvr.count. We assume JSVAL_NULL==0 to optimize
2215 * initialization using memset.
2216 */
2221 /* Here len == 2 * (newlen + undefs + number_of_holes). */
2223 /*
2224 * Sort using the default comparator converting all elements to
2225 * strings.
2226 */
2230 /*
2231 * To avoid string conversion on each compare we do it only once
2232 * prior to sorting. But we also need the space for the original
2233 * values to recover the sorting result. To reuse
2234 * sort_compare_strings we move the original values to the odd
2235 * indexes in vec, put the string conversion results in the even
2236 * indexes and pass 2 * sizeof(jsval) as an element size to the
2237 * sorting function. In this way sort_compare_strings will only
2238 * see the string values when it casts the compare arguments as
2239 * pointers to jsval.
2240 *
2241 * This requires doubling the temporary storage including the
2242 * scratch space for the merge sort. Since vec already contains
2243 * the rooted scratch space for newlen elements at the tail, we
2244 * can use it to rearrange and convert to strings first and try
2245 * realloc only when we know that we successfully converted all
2246 * the elements.
2247 */
2248 #if JS_BITS_PER_WORD == 32
2253 }
2254 #endif
2256 /*
2257 * Rearrange and string-convert the elements of the vector from
2258 * the tail here and, after sorting, move the results back
2259 * starting from the start to prevent overwrite the existing
2260 * elements.
2261 */
2273 }
2285 }
2291 }
2297 /*
2298 * We want to make the following loop fast and to unroot the
2299 * cached results of toString invocations before the operation
2300 * callback has a chance to run the GC. For this reason we do
2301 * not call JS_CHECK_OPERATION_LIMIT in the loop.
2302 */
2307 }
2319 }
2326 }
2328 /*
2329 * We no longer need to root the scratch space for the merge sort, so
2330 * unroot it now to make the job of a potential GC under InitArrayElements
2331 * easier.
2332 */
2335 SourceVectorAllValues);
2339 out:
2345 /* Set undefs that sorted after the rest of elements. */
2351 }
2352 }
2354 /* Re-create any holes that sorted to the end of the array. */
2359 }
2360 }
2363 }
2365 /*
2366 * Perl-inspired push, pop, shift, unshift, and splice methods.
2367 */
2368 static JSBool
2370 {
2371 jsuint length;
2376 SourceVectorAllValues)) {
2378 }
2380 /* Per ECMA-262, return the new array length. */
2385 }
2387 static JSBool
2389 {
2395 }
2405 }
2407 JSBool JS_FASTCALL
2409 {
2417 JSMSG_ARRAY_INIT_TOO_BIG);
2419 }
2423 }
2428 }
2431 #ifdef JS_TRACER
2432 static jsval FASTCALL
2434 {
2440 }
2443 }
2444 #endif
2446 static JSBool
2448 {
2451 /* Insist on one argument and obj of the expected class. */
2459 }
2461 static JSBool
2463 {
2464 jsuint index;
2465 JSBool hole;
2472 index--;
2474 /* Get the to-be-deleted property's value into vp. */
2479 }
2481 }
2483 static JSBool
2485 {
2486 jsuint index;
2487 JSBool hole;
2493 }
2494 index--;
2501 }
2503 #ifdef JS_TRACER
2504 static jsval FASTCALL
2506 {
2512 }
2515 }
2516 #endif
2518 static JSBool
2520 {
2529 }
2531 static JSBool
2533 {
2536 JSBool hole;
2544 length--;
2552 else
2557 /*
2558 * We don't need to modify the indexed properties of an empty array
2559 * with an explicitly set non-zero length when shift() is called on
2560 * it, but note fallthrough to reduce the length by one.
2561 */
2564 }
2566 /* Get the to-be-deleted property's value into vp ASAP. */
2570 /* Slide down the array above the first element. */
2577 }
2578 }
2580 /* Delete the only or last element when it exists. */
2583 }
2584 }
2586 }
2588 static JSBool
2590 {
2593 jsuint length;
2594 JSBool hole;
2602 /* Slide up the array to make room for argc at the bottom. */
2623 }
2625 }
2626 }
2628 /* Copy from argv to the bottom of the array. */
2635 }
2637 /* Follow Perl by returning the new array length. */
2639 }
2641 static JSBool
2643 {
2647 jsdouble d;
2648 JSBool hole;
2651 /*
2652 * Create a new array value to return. Our ECMA v2 proposal specs
2653 * that splice always returns an array value, even when given no
2654 * arguments. We think this is best because it eliminates the need
2655 * for callers to do an extra test to handle the empty splice case.
2656 */
2662 /* Nothing to do if no args. Otherwise get length. */
2670 /* Convert the first argument into a starting index. */
2681 }
2683 argc--;
2684 argv++;
2686 /* Convert the second argument from a count into a fencepost index. */
2702 argc--;
2703 argv++;
2704 }
2708 /* If there are elements to remove, put them into the return value. */
2717 }
2723 }
2725 /* Copy tvr.value() to the new array unless it's a hole. */
2728 }
2732 }
2733 }
2735 /* Find the direction (up or down) to copy and make way for argv. */
2744 /* (uint) end could be 0, so we can't use a vanilla >= test. */
2751 }
2754 /* (uint) end could be 0, so we can't use a vanilla >= test. */
2760 }
2761 }
2762 }
2768 /* (uint) end could be 0, so we can't use a vanilla >= test. */
2775 }
2782 }
2783 }
2784 }
2786 }
2788 /*
2789 * Copy from argv into the hole to complete the splice, and update length in
2790 * case we deleted elements from the end.
2791 */
2793 SourceVectorAllValues) &&
2795 }
2797 /*
2798 * Python-esque sequence operations.
2799 */
2800 static JSBool
2802 {
2806 uintN i;
2807 JSBool hole;
2809 /* Treat our |this| object as the first argument; see ECMA 15.4.4.4. */
2813 /* Create a new Array object and root it using *vp. */
2816 /*
2817 * Clone aobj but pass the minimum of its length and capacity, to
2818 * handle a = [1,2,3]; a.length = 10000 "dense" cases efficiently. In
2819 * such a case we'll pass 8 (not 3) due to ARRAY_CAPACITY_MIN, which
2820 * will cause nobj to be over-allocated to 16. But in the normal case
2821 * where length is <= capacity, nobj and aobj will have the same
2822 * capacity.
2823 */
2835 argc--;
2836 argv++;
2843 }
2847 /* Loop over [0, argc] to concat args into nobj, expanding all Arrays. */
2868 }
2870 /*
2871 * Per ECMA 262, 15.4.4.4, step 9, ignore non-existent
2872 * properties.
2873 */
2877 }
2878 }
2881 }
2882 }
2886 length++;
2887 }
2890 }
2892 static JSBool
2894 {
2898 jsdouble d;
2899 JSBool hole;
2920 }
2934 }
2936 }
2937 }
2951 }
2953 /* Create a new Array object and root it using *vp. */
2964 }
2967 }
2970 }
2972 #if JS_HAS_ARRAY_EXTRAS
2974 static JSBool
2976 {
2979 jsval tosearch;
2980 jsint direction;
2981 JSBool hole;
2993 jsdouble start;
3008 }
3015 }
3016 }
3024 }
3030 }
3036 }
3038 not_found:
3041 }
3043 static JSBool
3045 {
3047 }
3049 static JSBool
3051 {
3053 }
3055 /* Order is important; extras that take a predicate funarg must follow MAP. */
3057 FOREACH,
3058 REDUCE,
3059 REDUCE_RIGHT,
3060 MAP,
3061 FILTER,
3062 SOME,
3063 EVERY
3066 #define REDUCE_MODE(mode) ((mode) == REDUCE || (mode) == REDUCE_RIGHT)
3068 static JSBool
3070 {
3083 /*
3084 * First, get or compute our callee, so that we error out consistently
3085 * when passed a non-callable object.
3086 */
3090 }
3096 /*
3097 * Set our initial return condition, used for zero-length array cases
3098 * (and pre-size our map return to match our known length, for all cases).
3099 */
3103 #endif
3109 /* FALL THROUGH */
3113 JSMSG_EMPTY_ARRAY_REDUCE);
3115 }
3127 JSMSG_EMPTY_ARRAY_REDUCE);
3129 }
3130 }
3149 }
3160 }
3162 /*
3163 * For all but REDUCE, we call with 3 args (value, index, array). REDUCE
3164 * requires 4 args (accum, value, index, array).
3165 */
3184 /*
3185 * Push callable and 'this', then args. We must do this for every
3186 * iteration around the loop since js_Invoke uses spbase[0] for return
3187 * value storage, while some native functions use spbase[1] for local
3188 * rooting.
3189 */
3199 /* Do the call. */
3207 else
3209 #endif
3226 /* The filter passed *elemroot, so push it onto our result. */
3235 }
3241 }
3243 }
3244 }
3246 out:
3251 }
3253 static JSBool
3255 {
3257 }
3259 static JSBool
3261 {
3263 }
3265 static JSBool
3267 {
3269 }
3271 static JSBool
3273 {
3275 }
3277 static JSBool
3279 {
3281 }
3283 static JSBool
3285 {
3287 }
3289 static JSBool
3291 {
3293 }
3294 #endif
3296 static JSBool
3298 {
3303 }
3309 };
3321 #if JS_HAS_TOSOURCE
3323 #endif
3327 /* Perl-ish methods. */
3337 /* Pythonic sequence methods. */
3341 #if JS_HAS_ARRAY_EXTRAS
3351 #endif
3353 JS_FS_END
3354 };
3358 JS_FS_END
3359 };
3361 JSBool
3363 {
3364 jsuint length;
3367 /* If called without new, replace obj with a new Array object. */
3373 }
3389 }
3391 }
3396 JSObject* JS_FASTCALL
3398 {
3405 /* Initialize all fields of JSObject. */
3417 }
3418 #ifdef JS_TRACER
3420 #endif
3422 JSObject* JS_FASTCALL
3424 {
3432 }
3433 #ifdef JS_TRACER
3435 #endif
3437 JSObject* JS_FASTCALL
3439 {
3447 }
3448 #ifdef JS_TRACER
3450 #endif
3452 JSObject *
3454 {
3458 /* Initialize the Array prototype object so it gets a length property. */
3462 }
3464 JSObject *
3466 {
3467 JSTempValueRooter tvr;
3474 /*
3475 * If this fails, the global object was not initialized and its class does
3476 * not have JSCLASS_IS_GLOBAL.
3477 */
3485 /* Set/clear newborn root, in case we lost it. */
3488 }
3490 JSObject *
3492 {
3497 }
3499 #ifdef DEBUG_ARRAYS
3500 JSBool
3502 {
3503 uintN i;
3510 NULL);
3518 }
3526 }
3529 }
3531 }
3532 #endif
3537 {
3538 uint32 length;
3565 /*
3566 * now val is rounded to nearest, ties rounded up. We want
3567 * rounded to nearest ties to even, so check whether we had a
3568 * tie.
3569 */
3571 /*
3572 * It was a tie (since adding 0.5 gave us the exact integer
3573 * we want). Since we rounded up, we either already have an
3574 * even number or we have an odd number but the number we
3575 * want is one less. So just unconditionally masking out the
3576 * ones bit should do the trick to get us the value we
3577 * want.
3578 */
3582 }
3583 }
3586 }
3587 }
3590 }
3594 {
3603 /* Set/clear newborn root, in case we lost it. */
3611 }