From a5c2961c4e8c0459959fc35e493e58be8e7763d6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 16 May 2019 00:50:49 +0000 Subject: Remove array header --- js/src/jsarray.cpp | 1 - 1 file changed, 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 7a67c0095..1c05704b8 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -45,7 +45,6 @@ #include "vm/Caches-inl.h" #include "vm/Interpreter-inl.h" #include "vm/NativeObject-inl.h" -#include "vm/UnboxedObject-inl.h" using namespace js; using namespace js::gc; -- cgit v1.2.3 From 543fa1674bcb4f8c40f0ef6e4c5514ea161def5a Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 16 May 2019 13:13:36 +0000 Subject: Remove Unboxed Objects from vm/ Part 1 + fix deprot --- js/src/jsarray.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 1c05704b8..7a67c0095 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -45,6 +45,7 @@ #include "vm/Caches-inl.h" #include "vm/Interpreter-inl.h" #include "vm/NativeObject-inl.h" +#include "vm/UnboxedObject-inl.h" using namespace js; using namespace js::gc; -- cgit v1.2.3 From 162e22a7de3026b676156a2aad29909fe3795dba Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sun, 19 May 2019 23:11:17 +0200 Subject: Implement array.flat and array.flatMap Self-hosted implementation that adds both functions and adds them to @@unscopables as specced in ES2019. Resolves #1095 --- js/src/jsarray.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 7a67c0095..3b4c957dc 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -3169,6 +3169,11 @@ static const JSFunctionSpec array_methods[] = { /* ES7 additions */ JS_SELF_HOSTED_FN("includes", "ArrayIncludes", 2,0), + + /* ES2019 additions */ + JS_SELF_HOSTED_FN("flat", "ArrayFlat", 0,0), + JS_SELF_HOSTED_FN("flatMap", "ArrayFlatMap", 1,0), + JS_FS_END }; @@ -3333,6 +3338,8 @@ array_proto_finish(JSContext* cx, JS::HandleObject ctor, JS::HandleObject proto) !DefineProperty(cx, unscopables, cx->names().fill, value) || !DefineProperty(cx, unscopables, cx->names().find, value) || !DefineProperty(cx, unscopables, cx->names().findIndex, value) || + !DefineProperty(cx, unscopables, cx->names().flat, value) || + !DefineProperty(cx, unscopables, cx->names().flatMap, value) || !DefineProperty(cx, unscopables, cx->names().includes, value) || !DefineProperty(cx, unscopables, cx->names().keys, value) || !DefineProperty(cx, unscopables, cx->names().values, value)) -- cgit v1.2.3 From c2b5f396eb4ed1bd9be5a6625bd823d7a3e63678 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 23 May 2019 02:48:13 +0000 Subject: Remove UnboxedArray code part 1 --- js/src/jsarray.cpp | 141 +++++++++++++++++++---------------------------------- 1 file changed, 50 insertions(+), 91 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 7a67c0095..190439d4b 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -64,7 +64,7 @@ using JS::ToUint32; bool JS::IsArray(JSContext* cx, HandleObject obj, IsArrayAnswer* answer) { - if (obj->is() || obj->is()) { + if (obj->is()) { *answer = IsArrayAnswer::Array; return true; } @@ -100,11 +100,6 @@ js::GetLengthProperty(JSContext* cx, HandleObject obj, uint32_t* lengthp) return true; } - if (obj->is()) { - *lengthp = obj->as().length(); - return true; - } - if (obj->is()) { ArgumentsObject& argsobj = obj->as(); if (!argsobj.hasOverriddenLength()) { @@ -284,7 +279,7 @@ ElementAdder::append(JSContext* cx, HandleValue v) MOZ_ASSERT(index_ < length_); if (resObj_) { DenseElementResult result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, resObj_, index_, v.address(), 1); + SetOrExtendBoxedOrUnboxedDenseElements(cx, resObj_, index_, v.address(), 1); if (result == DenseElementResult::Failure) return false; if (result == DenseElementResult::Incomplete) { @@ -342,11 +337,11 @@ GetBoxedOrUnboxedDenseElements(JSObject* aobj, uint32_t length, Value* vp) { MOZ_ASSERT(!ObjectMayHaveExtraIndexedProperties(aobj)); - if (length > GetBoxedOrUnboxedInitializedLength(aobj)) + if (length > GetBoxedOrUnboxedInitializedLength(aobj)) return DenseElementResult::Incomplete; for (size_t i = 0; i < length; i++) { - vp[i] = GetBoxedOrUnboxedDenseElement(aobj, i); + vp[i] = GetBoxedOrUnboxedDenseElement(aobj, i); // No other indexed properties so hole => undefined. if (vp[i].isMagic(JS_ELEMENTS_HOLE)) @@ -398,7 +393,7 @@ SetArrayElement(JSContext* cx, HandleObject obj, double index, HandleValue v) { MOZ_ASSERT(index >= 0); - if ((obj->is() || obj->is()) && !obj->isIndexed() && index <= UINT32_MAX) { + if (obj->is() && !obj->isIndexed() && index <= UINT32_MAX) { DenseElementResult result = SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, uint32_t(index), v.address(), 1); if (result != DenseElementResult::Incomplete) @@ -823,7 +818,7 @@ array_addProperty(JSContext* cx, HandleObject obj, HandleId id, HandleValue v) static inline bool ObjectMayHaveExtraIndexedOwnProperties(JSObject* obj) { - return (!obj->isNative() && !obj->is()) || + return !obj->isNative() || obj->isIndexed() || obj->is() || ClassMayResolveId(*obj->runtimeFromAnyThread()->commonNames, @@ -1288,10 +1283,6 @@ array_toLocaleString(JSContext* cx, unsigned argc, Value* vp) args.rval().setString(cx->names().empty); return true; } - if (obj->is() && obj->as().length() == 0) { - args.rval().setString(cx->names().empty); - return true; - } AutoCycleDetector detector(cx, obj); if (!detector.init()) @@ -1371,46 +1362,38 @@ ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) if (length == 0 || GetBoxedOrUnboxedInitializedLength(obj) == 0) return DenseElementResult::Success; - if (Type == JSVAL_TYPE_MAGIC) { - if (obj->as().denseElementsAreFrozen()) - return DenseElementResult::Incomplete; + if (obj->as().denseElementsAreFrozen()) + return DenseElementResult::Incomplete; - /* - * It's actually surprisingly complicated to reverse an array due to the - * orthogonality of array length and array capacity while handling - * leading and trailing holes correctly. Reversing seems less likely to - * be a common operation than other array mass-mutation methods, so for - * now just take a probably-small memory hit (in the absence of too many - * holes in the array at its start) and ensure that the capacity is - * sufficient to hold all the elements in the array if it were full. - */ - DenseElementResult result = obj->as().ensureDenseElements(cx, length, 0); - if (result != DenseElementResult::Success) - return result; + /* + * It's actually surprisingly complicated to reverse an array due to the + * orthogonality of array length and array capacity while handling + * leading and trailing holes correctly. Reversing seems less likely to + * be a common operation than other array mass-mutation methods, so for + * now just take a probably-small memory hit (in the absence of too many + * holes in the array at its start) and ensure that the capacity is + * sufficient to hold all the elements in the array if it were full. + */ + DenseElementResult result = obj->as().ensureDenseElements(cx, length, 0); + if (result != DenseElementResult::Success) + return result; - /* Fill out the array's initialized length to its proper length. */ - obj->as().ensureDenseInitializedLength(cx, length, 0); - } else { - // Unboxed arrays can only be reversed here if their initialized length - // matches their actual length. Otherwise the reversal will place holes - // at the beginning of the array, which we don't support. - if (length != obj->as().initializedLength()) - return DenseElementResult::Incomplete; - } + /* Fill out the array's initialized length to its proper length. */ + obj->as().ensureDenseInitializedLength(cx, length, 0); RootedValue origlo(cx), orighi(cx); uint32_t lo = 0, hi = length - 1; for (; lo < hi; lo++, hi--) { - origlo = GetBoxedOrUnboxedDenseElement(obj, lo); - orighi = GetBoxedOrUnboxedDenseElement(obj, hi); - SetBoxedOrUnboxedDenseElementNoTypeChange(obj, lo, orighi); + origlo = GetBoxedOrUnboxedDenseElement(obj, lo); + orighi = GetBoxedOrUnboxedDenseElement(obj, hi); + SetBoxedOrUnboxedDenseElementNoTypeChange(obj, lo, orighi); if (orighi.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(lo))) { return DenseElementResult::Failure; } - SetBoxedOrUnboxedDenseElementNoTypeChange(obj, hi, origlo); + SetBoxedOrUnboxedDenseElementNoTypeChange(obj, hi, origlo); if (origlo.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(hi))) { @@ -2082,8 +2065,8 @@ js::array_push(JSContext* cx, unsigned argc, Value* vp) if (!ObjectMayHaveExtraIndexedProperties(obj)) { DenseElementResult result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, length, - args.array(), args.length()); + SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, length, + args.array(), args.length()); if (result != DenseElementResult::Incomplete) { if (result == DenseElementResult::Failure) return false; @@ -2158,21 +2141,15 @@ template static inline DenseElementResult ShiftMoveBoxedOrUnboxedDenseElements(JSObject* obj) { - MOZ_ASSERT(HasBoxedOrUnboxedDenseElements(obj)); + MOZ_ASSERT(HasBoxedOrUnboxedDenseElements(obj)); /* * At this point the length and initialized length have already been * decremented and the result fetched, so just shift the array elements * themselves. */ - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); - if (Type == JSVAL_TYPE_MAGIC) { - obj->as().moveDenseElementsNoPreBarrier(0, 1, initlen); - } else { - uint8_t* data = obj->as().elements(); - size_t elementSize = UnboxedTypeSize(Type); - memmove(data, data + elementSize, initlen * elementSize); - } + size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); + obj->as().moveDenseElementsNoPreBarrier(0, 1, initlen); return DenseElementResult::Success; } @@ -2202,19 +2179,19 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (MOZ_UNLIKELY(group->hasAllFlags(OBJECT_FLAG_ITERATED))) return DenseElementResult::Incomplete; - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); + size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); if (initlen == 0) return DenseElementResult::Incomplete; - rval.set(GetBoxedOrUnboxedDenseElement(obj, 0)); + rval.set(GetBoxedOrUnboxedDenseElement(obj, 0)); if (rval.isMagic(JS_ELEMENTS_HOLE)) rval.setUndefined(); - DenseElementResult result = MoveBoxedOrUnboxedDenseElements(cx, obj, 0, 1, initlen - 1); + DenseElementResult result = MoveBoxedOrUnboxedDenseElements(cx, obj, 0, 1, initlen - 1); if (result != DenseElementResult::Success) return result; - SetBoxedOrUnboxedInitializedLength(cx, obj, initlen - 1); + SetBoxedOrUnboxedInitializedLength(cx, obj, initlen - 1); return DenseElementResult::Success; } @@ -2520,7 +2497,7 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI /* Steps 10-11. */ DebugOnly result = - CopyAnyBoxedOrUnboxedDenseElements(cx, arr, obj, 0, actualStart, actualDeleteCount); + CopyBoxedOrUnboxedDenseElements(cx, arr, obj, 0, actualStart, actualDeleteCount); MOZ_ASSERT(result.value == DenseElementResult::Success); /* Step 12 (implicit). */ @@ -2557,14 +2534,14 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI if (CanOptimizeForDenseStorage(obj, 0, len, cx)) { /* Steps 15.a-b. */ DenseElementResult result = - MoveAnyBoxedOrUnboxedDenseElements(cx, obj, targetIndex, sourceIndex, - len - sourceIndex); + MoveBoxedOrUnboxedDenseElements(cx, obj, targetIndex, sourceIndex, + len - sourceIndex); MOZ_ASSERT(result != DenseElementResult::Incomplete); if (result == DenseElementResult::Failure) return false; /* Steps 15.c-d. */ - SetAnyBoxedOrUnboxedInitializedLength(cx, obj, finalLength); + SetBoxedOrUnboxedInitializedLength(cx, obj, finalLength); } else { /* * This is all very slow if the length is very large. We don't yet @@ -2644,15 +2621,15 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI if (CanOptimizeForDenseStorage(obj, len, itemCount - actualDeleteCount, cx)) { DenseElementResult result = - MoveAnyBoxedOrUnboxedDenseElements(cx, obj, actualStart + itemCount, - actualStart + actualDeleteCount, - len - (actualStart + actualDeleteCount)); + MoveBoxedOrUnboxedDenseElements(cx, obj, actualStart + itemCount, + actualStart + actualDeleteCount, + len - (actualStart + actualDeleteCount)); MOZ_ASSERT(result != DenseElementResult::Incomplete); if (result == DenseElementResult::Failure) return false; /* Steps 16.a-b. */ - SetAnyBoxedOrUnboxedInitializedLength(cx, obj, len + itemCount - actualDeleteCount); + SetBoxedOrUnboxedInitializedLength(cx, obj, len + itemCount - actualDeleteCount); } else { RootedValue fromValue(cx); for (double k = len - actualDeleteCount; k > actualStart; k--) { @@ -3022,14 +2999,14 @@ ArraySliceDenseKernel(JSContext* cx, JSObject* obj, int32_t beginArg, int32_t en if (begin > end) begin = end; - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); + size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); if (initlen > begin) { size_t count = Min(initlen - begin, end - begin); if (count) { - DenseElementResult rv = EnsureBoxedOrUnboxedDenseElements(cx, result, count); + DenseElementResult rv = EnsureBoxedOrUnboxedDenseElements(cx, result, count); if (rv != DenseElementResult::Success) return rv; - CopyBoxedOrUnboxedDenseElements(cx, result, obj, 0, begin, count); + CopyBoxedOrUnboxedDenseElements(cx, result, obj, 0, begin, count); } } @@ -3589,12 +3566,6 @@ NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length newKind = TenuredObject; RootedObject proto(cx, group->proto().toObject()); - if (group->maybeUnboxedLayout()) { - if (length > UnboxedArrayObject::MaximumCapacity) - return NewArray(cx, length, proto, newKind); - return UnboxedArrayObject::create(cx, group, length, newKind, maxLength); - } - ArrayObject* res = NewArray(cx, length, proto, newKind); if (!res) return nullptr; @@ -3701,8 +3672,8 @@ js::MaybeAnalyzeBeforeCreatingLargeArray(ExclusiveContext* cx, HandleObjectGroup if (!obj) return false; DebugOnly result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, 0, vp, nlength, - ShouldUpdateTypes::Update); + SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, 0, vp, nlength, + ShouldUpdateTypes::Update); MOZ_ASSERT(result.value == DenseElementResult::Success); } objects->maybeAnalyze(cx, group, /* forceAnalyze = */ true); @@ -3724,22 +3695,10 @@ js::NewCopiedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, return nullptr; DenseElementResult result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, 0, vp, length, updateTypes); + SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, 0, vp, length, updateTypes); if (result == DenseElementResult::Failure) return nullptr; - if (result == DenseElementResult::Success) - return obj; - - MOZ_ASSERT(obj->is()); - if (!UnboxedArrayObject::convertToNative(cx->asJSContext(), obj)) - return nullptr; - - result = SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, 0, vp, length, - updateTypes); - MOZ_ASSERT(result != DenseElementResult::Incomplete); - if (result == DenseElementResult::Failure) - return nullptr; - + MOZ_ASSERT(result == DenseElementResult::Success); return obj; } -- cgit v1.2.3 From c8300fbd6ae08925736c32f8b02c980ce1531f3f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 23 May 2019 10:51:09 +0000 Subject: Remove UnboxedArray code part 2 --- js/src/jsarray.cpp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 190439d4b..fa5ef2ab3 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -395,7 +395,7 @@ SetArrayElement(JSContext* cx, HandleObject obj, double index, HandleValue v) if (obj->is() && !obj->isIndexed() && index <= UINT32_MAX) { DenseElementResult result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, uint32_t(index), v.address(), 1); + SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, uint32_t(index), v.address(), 1); if (result != DenseElementResult::Incomplete) return result == DenseElementResult::Success; } @@ -1068,12 +1068,12 @@ ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_ // length > initLength we rely on the second loop to add the // other elements. MOZ_ASSERT(*numProcessed == 0); - uint32_t initLength = Min(GetBoxedOrUnboxedInitializedLength(obj), length); + uint32_t initLength = Min(GetBoxedOrUnboxedInitializedLength(obj), length); while (*numProcessed < initLength) { if (!CheckForInterrupt(cx)) return DenseElementResult::Failure; - Value elem = GetBoxedOrUnboxedDenseElement(obj, *numProcessed); + Value elem = GetBoxedOrUnboxedDenseElement(obj, *numProcessed); if (elem.isString()) { if (!sb.append(elem.toString())) @@ -1320,7 +1320,7 @@ InitArrayElements(JSContext* cx, HandleObject obj, uint32_t start, if (!ObjectMayHaveExtraIndexedProperties(obj)) { DenseElementResult result = - SetOrExtendAnyBoxedOrUnboxedDenseElements(cx, obj, start, vector, count, updateTypes); + SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, start, vector, count, updateTypes); if (result != DenseElementResult::Incomplete) return result == DenseElementResult::Success; } @@ -1359,7 +1359,7 @@ DenseElementResult ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) { /* An empty array or an array with no elements is already reversed. */ - if (length == 0 || GetBoxedOrUnboxedInitializedLength(obj) == 0) + if (length == 0 || GetBoxedOrUnboxedInitializedLength(obj) == 0) return DenseElementResult::Success; if (obj->as().denseElementsAreFrozen()) @@ -2074,7 +2074,7 @@ js::array_push(JSContext* cx, unsigned argc, Value* vp) uint32_t newlength = length + args.length(); args.rval().setNumber(newlength); - // SetOrExtendAnyBoxedOrUnboxedDenseElements takes care of updating the + // SetOrExtendBoxedOrUnboxedDenseElements takes care of updating the // length for boxed and unboxed arrays. Handle updates to the length of // non-arrays here. bool isArray; @@ -2360,7 +2360,7 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co return false; /* There's no optimizing possible if it's not an array. */ - if (!arr->is() && !arr->is()) + if (!arr->is()) return false; /* If it's a frozen array, always pick the slow path */ @@ -2863,7 +2863,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be if (count) { DebugOnly result = - CopyAnyBoxedOrUnboxedDenseElements(cx, narr, obj, 0, begin, count); + CopyBoxedOrUnboxedDenseElements(cx, narr, obj, 0, begin, count); MOZ_ASSERT(result.value == DenseElementResult::Success); } arr.set(narr); @@ -3608,7 +3608,7 @@ static inline JSObject* NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, NewObjectKind newKind = GenericObject) { - if (!obj->is() && !obj->is()) + if (!obj->is()) return NewArray(cx, length, nullptr, newKind); if (obj->staticPrototype() != cx->global()->maybeGetArrayPrototype()) -- cgit v1.2.3 From e34920575d6dac353cb3d8a5d1b9c11ae05c5a8c Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 10 Jun 2019 16:49:47 +0000 Subject: Inline combined methods for NativeObject and UnboxedArrayObject accesses. --- js/src/jsarray.cpp | 117 +++++++++++++++++++++++++++++------------------------ 1 file changed, 65 insertions(+), 52 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index a8bd3f028..da692c1b5 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -248,18 +248,20 @@ static bool GetElement(JSContext* cx, HandleObject obj, HandleObject receiver, uint32_t index, bool* hole, MutableHandleValue vp) { - AssertGreaterThanZero(index); - if (index < GetAnyBoxedOrUnboxedInitializedLength(obj)) { - vp.set(GetAnyBoxedOrUnboxedDenseElement(obj, uint32_t(index))); - if (!vp.isMagic(JS_ELEMENTS_HOLE)) { - *hole = false; - return true; + if (obj->isNative()) { + NativeObject* nobj = &obj->as(); + if (index < nobj->getDenseInitializedLength()) { + vp.set(nobj->getDenseElement(size_t(index))); + if (!vp.isMagic(JS_ELEMENTS_HOLE)) { + *hole = false; + return true; + } } - } - if (obj->is()) { - if (obj->as().maybeGetElement(uint32_t(index), vp)) { - *hole = false; - return true; + if (nobj->is() && index <= UINT32_MAX) { + if (nobj->as().maybeGetElement(uint32_t(index), vp)) { + *hole = false; + return true; + } } } @@ -337,11 +339,11 @@ GetBoxedOrUnboxedDenseElements(JSObject* aobj, uint32_t length, Value* vp) { MOZ_ASSERT(!ObjectMayHaveExtraIndexedProperties(aobj)); - if (length > GetBoxedOrUnboxedInitializedLength(aobj)) + if (length > aobj->as().getDenseInitializedLength()) return DenseElementResult::Incomplete; for (size_t i = 0; i < length; i++) { - vp[i] = GetBoxedOrUnboxedDenseElement(aobj, i); + vp[i] = aobj->as().getDenseElement(i); // No other indexed properties so hole => undefined. if (vp[i].isMagic(JS_ELEMENTS_HOLE)) @@ -849,7 +851,7 @@ js::ObjectMayHaveExtraIndexedProperties(JSObject* obj) if (ObjectMayHaveExtraIndexedOwnProperties(obj)) return true; - if (GetAnyBoxedOrUnboxedInitializedLength(obj) != 0) + if (obj->as().getDenseInitializedLength() != 0) return true; } while (true); } @@ -1068,12 +1070,13 @@ ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_ // length > initLength we rely on the second loop to add the // other elements. MOZ_ASSERT(*numProcessed == 0); - uint32_t initLength = Min(GetBoxedOrUnboxedInitializedLength(obj), length); + uint32_t initLength = Min(obj->as().getDenseInitializedLength(), + length); while (*numProcessed < initLength) { if (!CheckForInterrupt(cx)) return DenseElementResult::Failure; - Value elem = GetBoxedOrUnboxedDenseElement(obj, *numProcessed); + Value elem = obj->as().getDenseElement(*numProcessed); if (elem.isString()) { if (!sb.append(elem.toString())) @@ -1207,11 +1210,14 @@ js::array_join(JSContext* cx, unsigned argc, Value* vp) // An optimized version of a special case of steps 7-11: when length==1 and // the 0th element is a string, ToString() of that element is a no-op and // so it can be immediately returned as the result. - if (length == 1 && GetAnyBoxedOrUnboxedInitializedLength(obj) == 1) { - Value elem0 = GetAnyBoxedOrUnboxedDenseElement(obj, 0); - if (elem0.isString()) { - args.rval().set(elem0); - return true; + if (length == 1 && obj->isNative()) { + NativeObject* nobj = &obj->as(); + if (nobj->getDenseInitializedLength() == 1) { + Value elem0 = nobj->getDenseElement(0); + if (elem0.isString()) { + args.rval().set(elem0); + return true; + } } } @@ -1359,7 +1365,7 @@ DenseElementResult ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) { /* An empty array or an array with no elements is already reversed. */ - if (length == 0 || GetBoxedOrUnboxedInitializedLength(obj) == 0) + if (length == 0 || obj->as().getDenseInitializedLength() == 0) return DenseElementResult::Success; if (obj->as().denseElementsAreFrozen()) @@ -1385,15 +1391,15 @@ ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) uint32_t lo = 0, hi = length - 1; for (; lo < hi; lo++, hi--) { - origlo = GetBoxedOrUnboxedDenseElement(obj, lo); - orighi = GetBoxedOrUnboxedDenseElement(obj, hi); - SetBoxedOrUnboxedDenseElementNoTypeChange(obj, lo, orighi); + origlo = obj->as().getDenseElement(lo); + orighi = obj->as().getDenseElement(hi); + obj->as().setDenseElement(lo, orighi); if (orighi.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(lo))) { return DenseElementResult::Failure; } - SetBoxedOrUnboxedDenseElementNoTypeChange(obj, hi, origlo); + obj->as().setDenseElement(hi, origlo); if (origlo.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(hi))) { @@ -2074,14 +2080,8 @@ js::array_push(JSContext* cx, unsigned argc, Value* vp) uint32_t newlength = length + args.length(); args.rval().setNumber(newlength); - // SetOrExtendBoxedOrUnboxedDenseElements takes care of updating the - // length for boxed and unboxed arrays. Handle updates to the length of - // non-arrays here. - bool isArray; - if (!IsArray(cx, obj, &isArray)) - return false; - - if (!isArray) + // Handle updates to the length of non-arrays here. + if (!obj->is()) return SetLengthProperty(cx, obj, newlength); return true; @@ -2141,14 +2141,15 @@ template static inline DenseElementResult ShiftMoveBoxedOrUnboxedDenseElements(JSObject* obj) { - MOZ_ASSERT(HasBoxedOrUnboxedDenseElements(obj)); + MOZ_ASSERT(obj->isNative()); + + size_t initlen = obj->as().getDenseInitializedLength(); /* * At this point the length and initialized length have already been * decremented and the result fetched, so just shift the array elements * themselves. */ - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); obj->as().moveDenseElementsNoPreBarrier(0, 1, initlen); return DenseElementResult::Success; @@ -2165,6 +2166,15 @@ js::ArrayShiftMoveElements(JSObject* obj) JS_ALWAYS_TRUE(CallBoxedOrUnboxedSpecialization(functor, obj) == DenseElementResult::Success); } +static inline void +SetInitializedLength(JSContext* cx, NativeObject* obj, size_t initlen) +{ + size_t oldInitlen = obj->getDenseInitializedLength(); + obj->setDenseInitializedLength(initlen); + if (initlen < oldInitlen) + obj->shrinkElements(cx, initlen); +} + template DenseElementResult ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) @@ -2179,11 +2189,11 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (MOZ_UNLIKELY(group->hasAllFlags(OBJECT_FLAG_ITERATED))) return DenseElementResult::Incomplete; - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); + size_t initlen = obj->as().getDenseInitializedLength(); if (initlen == 0) return DenseElementResult::Incomplete; - rval.set(GetBoxedOrUnboxedDenseElement(obj, 0)); + rval.set(obj->as().getDenseElement(0)); if (rval.isMagic(JS_ELEMENTS_HOLE)) rval.setUndefined(); @@ -2191,7 +2201,7 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (result != DenseElementResult::Success) return result; - SetBoxedOrUnboxedInitializedLength(cx, obj, initlen - 1); + SetInitializedLength(cx, obj.as(), initlen - 1); return DenseElementResult::Success; } @@ -2364,7 +2374,7 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co return false; /* If it's a frozen array, always pick the slow path */ - if (arr->is() && arr->as().denseElementsAreFrozen()) + if (arr->as().denseElementsAreFrozen()) return false; /* @@ -2396,7 +2406,7 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co * is subsumed by the initializedLength comparison.) */ return !ObjectMayHaveExtraIndexedProperties(arr) && - startingIndex + count <= GetAnyBoxedOrUnboxedInitializedLength(arr); + startingIndex + count <= arr->as().getDenseInitializedLength(); } /* ES 2016 draft Mar 25, 2016 22.1.3.26. */ @@ -2541,7 +2551,7 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI return false; /* Steps 15.c-d. */ - SetBoxedOrUnboxedInitializedLength(cx, obj, finalLength); + SetInitializedLength(cx, obj.as(), finalLength); } else { /* * This is all very slow if the length is very large. We don't yet @@ -2629,7 +2639,7 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI return false; /* Steps 16.a-b. */ - SetBoxedOrUnboxedInitializedLength(cx, obj, len + itemCount - actualDeleteCount); + SetInitializedLength(cx, obj.as(), len + itemCount - actualDeleteCount); } else { RootedValue fromValue(cx); for (double k = len - actualDeleteCount; k > actualStart; k--) { @@ -2851,7 +2861,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be begin = end; if (!ObjectMayHaveExtraIndexedProperties(obj)) { - size_t initlen = GetAnyBoxedOrUnboxedInitializedLength(obj); + size_t initlen = obj->as().getDenseInitializedLength(); size_t count = 0; if (initlen > begin) count = Min(initlen - begin, end - begin); @@ -2859,7 +2869,9 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be RootedObject narr(cx, NewFullyAllocatedArrayTryReuseGroup(cx, obj, count)); if (!narr) return false; - SetAnyBoxedOrUnboxedArrayLength(cx, narr, end - begin); + + MOZ_ASSERT(count >= narr->as().length()); + narr->as().setLength(cx, count); if (count) { DebugOnly result = @@ -2991,7 +3003,7 @@ template DenseElementResult ArraySliceDenseKernel(JSContext* cx, JSObject* obj, int32_t beginArg, int32_t endArg, JSObject* result) { - int32_t length = GetAnyBoxedOrUnboxedArrayLength(obj); + int32_t length = obj->as().length(); uint32_t begin = NormalizeSliceTerm(beginArg, length); uint32_t end = NormalizeSliceTerm(endArg, length); @@ -2999,18 +3011,19 @@ ArraySliceDenseKernel(JSContext* cx, JSObject* obj, int32_t beginArg, int32_t en if (begin > end) begin = end; - size_t initlen = GetBoxedOrUnboxedInitializedLength(obj); + size_t initlen = obj->as().getDenseInitializedLength(); + size_t count = Min(initlen - begin, end - begin); if (initlen > begin) { - size_t count = Min(initlen - begin, end - begin); if (count) { - DenseElementResult rv = EnsureBoxedOrUnboxedDenseElements(cx, result, count); - if (rv != DenseElementResult::Success) - return rv; + if (!result->as().ensureElements(cx, count)) + return DenseElementResult::Failure; CopyBoxedOrUnboxedDenseElements(cx, result, obj, 0, begin, count); } } - SetAnyBoxedOrUnboxedArrayLength(cx, result, end - begin); + MOZ_ASSERT(count >= result->as().length()); + result->as().setLength(cx, count); + return DenseElementResult::Success; } -- cgit v1.2.3 From e95089d84ac71276bd059e52293ab42c2259d89e Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 12 Jun 2019 03:19:09 +0000 Subject: Make use of ArrayObjects in favor of generic JS objects. ArrayObjects has been a thing for years but been under-used. About time they are used where prudent. --- js/src/jsarray.cpp | 68 +++++++++++++++--------------------------------------- 1 file changed, 18 insertions(+), 50 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index da692c1b5..0d6f78fcf 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2811,7 +2811,7 @@ SliceSlowly(JSContext* cx, HandleObject obj, HandleObject receiver, } static bool -SliceSparse(JSContext* cx, HandleObject obj, uint32_t begin, uint32_t end, HandleObject result) +SliceSparse(JSContext* cx, HandleObject obj, uint32_t begin, uint32_t end, HandleArrayObject result) { MOZ_ASSERT(begin <= end); @@ -2866,7 +2866,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be if (initlen > begin) count = Min(initlen - begin, end - begin); - RootedObject narr(cx, NewFullyAllocatedArrayTryReuseGroup(cx, obj, count)); + RootedArrayObject narr(cx, NewFullyAllocatedArrayTryReuseGroup(cx, obj, count)); if (!narr) return false; @@ -2882,7 +2882,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be return true; } - RootedObject narr(cx, NewPartlyAllocatedArrayTryReuseGroup(cx, obj, end - begin)); + RootedArrayObject narr(cx, NewPartlyAllocatedArrayTryReuseGroup(cx, obj, end - begin)); if (!narr) return false; @@ -3069,7 +3069,7 @@ array_isArray(JSContext* cx, unsigned argc, Value* vp) static bool ArrayFromCallArgs(JSContext* cx, CallArgs& args, HandleObject proto = nullptr) { - JSObject* obj = NewCopiedArrayForCallingAllocationSite(cx, args.array(), args.length(), proto); + ArrayObject* obj = NewCopiedArrayForCallingAllocationSite(cx, args.array(), args.length(), proto); if (!obj) return false; @@ -3234,7 +3234,7 @@ ArrayConstructorImpl(JSContext* cx, CallArgs& args, bool isConstructor) } } - JSObject* obj = NewPartlyAllocatedArrayForCallingAllocationSite(cx, length, proto); + ArrayObject* obj = NewPartlyAllocatedArrayForCallingAllocationSite(cx, length, proto); if (!obj) return false; @@ -3260,7 +3260,7 @@ js::array_construct(JSContext* cx, unsigned argc, Value* vp) return ArrayConstructorImpl(cx, args, /* isConstructor = */ false); } -JSObject* +ArrayObject* js::ArrayConstructorOneArg(JSContext* cx, HandleObjectGroup group, int32_t lengthInt) { if (lengthInt < 0) { @@ -3555,7 +3555,7 @@ js::NewDenseFullyAllocatedArrayWithTemplate(JSContext* cx, uint32_t length, JSOb return arr; } -JSObject* +ArrayObject* js::NewDenseCopyOnWriteArray(JSContext* cx, HandleArrayObject templateObject, gc::InitialHeap heap) { MOZ_ASSERT(!gc::IsInsideNursery(templateObject)); @@ -3573,7 +3573,7 @@ js::NewDenseCopyOnWriteArray(JSContext* cx, HandleArrayObject templateObject, gc // specified group cannot be used, ensure that the created array at least has // the given [[Prototype]]. template -static inline JSObject* +static inline ArrayObject* NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length, NewObjectKind newKind = GenericObject) { @@ -3603,14 +3603,14 @@ NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length return res; } -JSObject* +ArrayObject* js::NewFullyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length, NewObjectKind newKind) { return NewArrayTryUseGroup(cx, group, length, newKind); } -JSObject* +ArrayObject* js::NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length) { return NewArrayTryUseGroup(cx, group, length); @@ -3624,7 +3624,7 @@ js::NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup g // |length| is larger than the input object's initialized length (in which case // UnboxedArrayObject::MaximumCapacity might be exceeded). template -static inline JSObject* +static inline ArrayObject* NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, NewObjectKind newKind = GenericObject) { @@ -3641,20 +3641,20 @@ NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, return NewArrayTryUseGroup(cx, group, length, newKind); } -JSObject* +ArrayObject* js::NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, NewObjectKind newKind) { return NewArrayTryReuseGroup(cx, obj, length, newKind); } -JSObject* +ArrayObject* js::NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length) { return NewArrayTryReuseGroup(cx, obj, length); } -JSObject* +ArrayObject* js::NewFullyAllocatedArrayForCallingAllocationSite(JSContext* cx, size_t length, NewObjectKind newKind) { @@ -3664,7 +3664,7 @@ js::NewFullyAllocatedArrayForCallingAllocationSite(JSContext* cx, size_t length, return NewArrayTryUseGroup(cx, group, length, newKind); } -JSObject* +ArrayObject* js::NewPartlyAllocatedArrayForCallingAllocationSite(JSContext* cx, size_t length, HandleObject proto) { RootedObjectGroup group(cx, ObjectGroup::callingAllocationSiteGroup(cx, JSProto_Array, proto)); @@ -3673,44 +3673,12 @@ js::NewPartlyAllocatedArrayForCallingAllocationSite(JSContext* cx, size_t length return NewArrayTryUseGroup(cx, group, length); } -bool -js::MaybeAnalyzeBeforeCreatingLargeArray(ExclusiveContext* cx, HandleObjectGroup group, - const Value* vp, size_t length) -{ - static const size_t EagerPreliminaryObjectAnalysisThreshold = 800; - - // Force analysis to see if an unboxed array can be used when making a - // sufficiently large array, to avoid excessive analysis and copying later - // on. If this is the first array of its group that is being created, first - // make a dummy array with the initial elements of the array we are about - // to make, so there is some basis for the unboxed array analysis. - if (length > EagerPreliminaryObjectAnalysisThreshold) { - if (PreliminaryObjectArrayWithTemplate* objects = group->maybePreliminaryObjects()) { - if (objects->empty()) { - size_t nlength = Min(length, 100); - JSObject* obj = NewFullyAllocatedArrayTryUseGroup(cx, group, nlength); - if (!obj) - return false; - DebugOnly result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, 0, vp, nlength, - ShouldUpdateTypes::Update); - MOZ_ASSERT(result.value == DenseElementResult::Success); - } - objects->maybeAnalyze(cx, group, /* forceAnalyze = */ true); - } - } - return true; -} - -JSObject* +ArrayObject* js::NewCopiedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, const Value* vp, size_t length, NewObjectKind newKind, ShouldUpdateTypes updateTypes) { - if (!MaybeAnalyzeBeforeCreatingLargeArray(cx, group, vp, length)) - return nullptr; - - JSObject* obj = NewFullyAllocatedArrayTryUseGroup(cx, group, length, newKind); + ArrayObject* obj = NewFullyAllocatedArrayTryUseGroup(cx, group, length, newKind); if (!obj) return nullptr; @@ -3722,7 +3690,7 @@ js::NewCopiedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, return obj; } -JSObject* +ArrayObject* js::NewCopiedArrayForCallingAllocationSite(JSContext* cx, const Value* vp, size_t length, HandleObject proto /* = nullptr */) { -- cgit v1.2.3 From ef8e0ce6075150ed4501edad1376e4046cd8e3cb Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 12 Jun 2019 11:03:35 +0000 Subject: Remove functors for array natives. --- js/src/jsarray.cpp | 166 +++++++++++++++++++---------------------------------- 1 file changed, 58 insertions(+), 108 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 0d6f78fcf..9abc99e34 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -333,37 +333,31 @@ js::GetElementsWithAdder(JSContext* cx, HandleObject obj, HandleObject receiver, return true; } -template -DenseElementResult -GetBoxedOrUnboxedDenseElements(JSObject* aobj, uint32_t length, Value* vp) +static bool +GetDenseElements(NativeObject* aobj, uint32_t length, Value* vp) { MOZ_ASSERT(!ObjectMayHaveExtraIndexedProperties(aobj)); - if (length > aobj->as().getDenseInitializedLength()) - return DenseElementResult::Incomplete; + if (length > aobj->getDenseInitializedLength()) + return false; for (size_t i = 0; i < length; i++) { - vp[i] = aobj->as().getDenseElement(i); + vp[i] = aobj->getDenseElement(i); // No other indexed properties so hole => undefined. if (vp[i].isMagic(JS_ELEMENTS_HOLE)) vp[i] = UndefinedValue(); } - return DenseElementResult::Success; + return true; } -DefineBoxedOrUnboxedFunctor3(GetBoxedOrUnboxedDenseElements, - JSObject*, uint32_t, Value*); - bool js::GetElements(JSContext* cx, HandleObject aobj, uint32_t length, Value* vp) { if (!ObjectMayHaveExtraIndexedProperties(aobj)) { - GetBoxedOrUnboxedDenseElementsFunctor functor(aobj, length, vp); - DenseElementResult result = CallBoxedOrUnboxedSpecialization(functor, aobj); - if (result != DenseElementResult::Incomplete) - return result == DenseElementResult::Success; + if (GetDenseElements(&aobj->as(), length, vp)) + return true; } if (aobj->is()) { @@ -1061,32 +1055,32 @@ struct StringSeparatorOp } }; -template -static DenseElementResult -ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_t length, +template +static bool +ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleNativeObject obj, uint64_t length, StringBuffer& sb, uint32_t* numProcessed) { // This loop handles all elements up to initializedLength. If // length > initLength we rely on the second loop to add the // other elements. MOZ_ASSERT(*numProcessed == 0); - uint32_t initLength = Min(obj->as().getDenseInitializedLength(), + uint32_t initLength = Min(obj->getDenseInitializedLength(), length); while (*numProcessed < initLength) { if (!CheckForInterrupt(cx)) - return DenseElementResult::Failure; + return false; Value elem = obj->as().getDenseElement(*numProcessed); if (elem.isString()) { if (!sb.append(elem.toString())) - return DenseElementResult::Failure; + return false; } else if (elem.isNumber()) { if (!NumberValueToStringBuffer(cx, elem, sb)) - return DenseElementResult::Failure; + return false; } else if (elem.isBoolean()) { if (!BooleanToStringBuffer(elem.toBoolean(), sb)) - return DenseElementResult::Failure; + return false; } else if (elem.isObject() || elem.isSymbol()) { /* * Object stringifying could modify the initialized length or make @@ -1102,32 +1096,12 @@ ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_ } if (++(*numProcessed) != length && !sepOp(cx, sb)) - return DenseElementResult::Failure; + return false; } - return DenseElementResult::Incomplete; + return true; } -template -struct ArrayJoinDenseKernelFunctor { - JSContext* cx; - SeparatorOp sepOp; - HandleObject obj; - uint32_t length; - StringBuffer& sb; - uint32_t* numProcessed; - - ArrayJoinDenseKernelFunctor(JSContext* cx, SeparatorOp sepOp, HandleObject obj, - uint32_t length, StringBuffer& sb, uint32_t* numProcessed) - : cx(cx), sepOp(sepOp), obj(obj), length(length), sb(sb), numProcessed(numProcessed) - {} - - template - DenseElementResult operator()() { - return ArrayJoinDenseKernel(cx, sepOp, obj, length, sb, numProcessed); - } -}; - template static bool ArrayJoinKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_t length, @@ -1136,10 +1110,10 @@ ArrayJoinKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_t len uint32_t i = 0; if (!ObjectMayHaveExtraIndexedProperties(obj)) { - ArrayJoinDenseKernelFunctor functor(cx, sepOp, obj, length, sb, &i); - DenseElementResult result = CallBoxedOrUnboxedSpecialization(functor, obj); - if (result == DenseElementResult::Failure) + if (!ArrayJoinDenseKernel(cx, sepOp, obj.as(), length, sb, &i)) + { return false; + } } if (i != length) { @@ -1260,7 +1234,7 @@ js::array_join(JSContext* cx, unsigned argc, Value* vp) } // Step 11 - JSString *str = sb.finishString(); + JSString* str = sb.finishString(); if (!str) return false; @@ -1360,15 +1334,14 @@ InitArrayElements(JSContext* cx, HandleObject obj, uint32_t start, return true; } -template -DenseElementResult -ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) +static DenseElementResult +ArrayReverseDenseKernel(JSContext* cx, HandleNativeObject obj, uint32_t length) { /* An empty array or an array with no elements is already reversed. */ - if (length == 0 || obj->as().getDenseInitializedLength() == 0) + if (length == 0 || obj->getDenseInitializedLength() == 0) return DenseElementResult::Success; - if (obj->as().denseElementsAreFrozen()) + if (obj->denseElementsAreFrozen()) return DenseElementResult::Incomplete; /* @@ -1380,26 +1353,26 @@ ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) * holes in the array at its start) and ensure that the capacity is * sufficient to hold all the elements in the array if it were full. */ - DenseElementResult result = obj->as().ensureDenseElements(cx, length, 0); + DenseElementResult result = obj->ensureDenseElements(cx, length, 0); if (result != DenseElementResult::Success) return result; /* Fill out the array's initialized length to its proper length. */ - obj->as().ensureDenseInitializedLength(cx, length, 0); + obj->ensureDenseInitializedLength(cx, length, 0); RootedValue origlo(cx), orighi(cx); uint32_t lo = 0, hi = length - 1; for (; lo < hi; lo++, hi--) { - origlo = obj->as().getDenseElement(lo); - orighi = obj->as().getDenseElement(hi); - obj->as().setDenseElement(lo, orighi); + origlo = obj->getDenseElement(lo); + orighi = obj->getDenseElement(hi); + obj->setDenseElement(lo, orighi); if (orighi.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(lo))) { return DenseElementResult::Failure; } - obj->as().setDenseElement(hi, origlo); + obj->setDenseElement(hi, origlo); if (origlo.isMagic(JS_ELEMENTS_HOLE) && !SuppressDeletedProperty(cx, obj, INT_TO_JSID(hi))) { @@ -1410,9 +1383,6 @@ ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length) return DenseElementResult::Success; } -DefineBoxedOrUnboxedFunctor3(ArrayReverseDenseKernel, - JSContext*, HandleObject, uint32_t); - bool js::array_reverse(JSContext* cx, unsigned argc, Value* vp) { @@ -1427,8 +1397,8 @@ js::array_reverse(JSContext* cx, unsigned argc, Value* vp) return false; if (!ObjectMayHaveExtraIndexedProperties(obj)) { - ArrayReverseDenseKernelFunctor functor(cx, obj, len); - DenseElementResult result = CallBoxedOrUnboxedSpecialization(functor, obj); + DenseElementResult result = + ArrayReverseDenseKernel(cx, obj.as(), uint32_t(len)); if (result != DenseElementResult::Incomplete) { /* * Per ECMA-262, don't update the length of the array, even if the new @@ -2137,33 +2107,20 @@ js::array_pop(JSContext* cx, unsigned argc, Value* vp) return SetLengthProperty(cx, obj, index); } -template -static inline DenseElementResult -ShiftMoveBoxedOrUnboxedDenseElements(JSObject* obj) +void +js::ArrayShiftMoveElements(NativeObject* obj) { - MOZ_ASSERT(obj->isNative()); + MOZ_ASSERT_IF(obj->is(), obj->as().lengthIsWritable()); - size_t initlen = obj->as().getDenseInitializedLength(); + size_t initlen = obj->getDenseInitializedLength(); + MOZ_ASSERT(initlen > 0); /* * At this point the length and initialized length have already been * decremented and the result fetched, so just shift the array elements * themselves. */ - obj->as().moveDenseElementsNoPreBarrier(0, 1, initlen); - - return DenseElementResult::Success; -} - -DefineBoxedOrUnboxedFunctor1(ShiftMoveBoxedOrUnboxedDenseElements, JSObject*); - -void -js::ArrayShiftMoveElements(JSObject* obj) -{ - MOZ_ASSERT_IF(obj->is(), obj->as().lengthIsWritable()); - - ShiftMoveBoxedOrUnboxedDenseElementsFunctor functor(obj); - JS_ALWAYS_TRUE(CallBoxedOrUnboxedSpecialization(functor, obj) == DenseElementResult::Success); + obj->moveDenseElementsNoPreBarrier(0, 1, initlen - 1); } static inline void @@ -2175,8 +2132,7 @@ SetInitializedLength(JSContext* cx, NativeObject* obj, size_t initlen) obj->shrinkElements(cx, initlen); } -template -DenseElementResult +static DenseElementResult ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) { if (ObjectMayHaveExtraIndexedProperties(obj)) @@ -2205,9 +2161,6 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) return DenseElementResult::Success; } -DefineBoxedOrUnboxedFunctor3(ArrayShiftDenseKernel, - JSContext*, HandleObject, MutableHandleValue); - /* ES5 15.4.4.9 */ bool js::array_shift(JSContext* cx, unsigned argc, Value* vp) @@ -2239,8 +2192,7 @@ js::array_shift(JSContext* cx, unsigned argc, Value* vp) uint32_t newlen = len - 1; /* Fast paths. */ - ArrayShiftDenseKernelFunctor functor(cx, obj, args.rval()); - DenseElementResult result = CallBoxedOrUnboxedSpecialization(functor, obj); + DenseElementResult result = ArrayShiftDenseKernel(cx, obj, args.rval()); if (result != DenseElementResult::Incomplete) { if (result == DenseElementResult::Failure) return false; @@ -2999,11 +2951,10 @@ js::array_slice(JSContext* cx, unsigned argc, Value* vp) return true; } -template -DenseElementResult -ArraySliceDenseKernel(JSContext* cx, JSObject* obj, int32_t beginArg, int32_t endArg, JSObject* result) +static bool +ArraySliceDenseKernel(JSContext* cx, ArrayObject* arr, int32_t beginArg, int32_t endArg, ArrayObject* result) { - int32_t length = obj->as().length(); + int32_t length = arr->length(); uint32_t begin = NormalizeSliceTerm(beginArg, length); uint32_t end = NormalizeSliceTerm(endArg, length); @@ -3011,34 +2962,33 @@ ArraySliceDenseKernel(JSContext* cx, JSObject* obj, int32_t beginArg, int32_t en if (begin > end) begin = end; - size_t initlen = obj->as().getDenseInitializedLength(); + size_t initlen = arr->getDenseInitializedLength(); size_t count = Min(initlen - begin, end - begin); if (initlen > begin) { if (count) { - if (!result->as().ensureElements(cx, count)) - return DenseElementResult::Failure; - CopyBoxedOrUnboxedDenseElements(cx, result, obj, 0, begin, count); + if (!result->ensureElements(cx, count)) + return false; + CopyBoxedOrUnboxedDenseElements(cx, result, arr, 0, begin, count); } } - MOZ_ASSERT(count >= result->as().length()); - result->as().setLength(cx, count); + MOZ_ASSERT(count >= result->length()); + result->setLength(cx, count); - return DenseElementResult::Success; + return true; } -DefineBoxedOrUnboxedFunctor5(ArraySliceDenseKernel, - JSContext*, JSObject*, int32_t, int32_t, JSObject*); - JSObject* js::array_slice_dense(JSContext* cx, HandleObject obj, int32_t begin, int32_t end, HandleObject result) { if (result && IsArraySpecies(cx, obj)) { - ArraySliceDenseKernelFunctor functor(cx, obj, begin, end, result); - DenseElementResult rv = CallBoxedOrUnboxedSpecialization(functor, result); - MOZ_ASSERT(rv != DenseElementResult::Incomplete); - return rv == DenseElementResult::Success ? result : nullptr; + if (!ArraySliceDenseKernel(cx, &obj->as(), begin, end, + &result->as())) + { + return nullptr; + } + return result; } // Slower path if the JIT wasn't able to allocate an object inline. -- cgit v1.2.3 From 9153838ea299da3bd00767394ff021318c1e0f12 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 17 Jun 2019 15:09:05 +0000 Subject: Fix typo in ArrayShiftMoveElements --- js/src/jsarray.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 9abc99e34..7af7c9800 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2120,7 +2120,7 @@ js::ArrayShiftMoveElements(NativeObject* obj) * decremented and the result fetched, so just shift the array elements * themselves. */ - obj->moveDenseElementsNoPreBarrier(0, 1, initlen - 1); + obj->moveDenseElementsNoPreBarrier(0, 1, initlen); } static inline void -- cgit v1.2.3 From 3c878b1e3bbb043b22ab032bce1fe111b8062ca9 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 17 Jun 2019 18:37:23 +0000 Subject: Convert CopyBoxedOrUnboxedDenseElements to something that doesn't crash. --- js/src/jsarray.cpp | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 7af7c9800..159717fea 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2361,6 +2361,22 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co startingIndex + count <= arr->as().getDenseInitializedLength(); } +static inline DenseElementResult +CopyDenseElements(JSContext* cx, NativeObject* dst, NativeObject* src, + uint32_t dstStart, uint32_t srcStart, uint32_t length) +{ + MOZ_ASSERT(dst->getDenseInitializedLength() == dstStart); + MOZ_ASSERT(src->getDenseInitializedLength() >= srcStart + length); + MOZ_ASSERT(dst->getDenseCapacity() >= dstStart + length); + + dst->setDenseInitializedLength(dstStart + length); + + const Value* vp = src->getDenseElements() + srcStart; + dst->initDenseElements(dstStart, vp, length); + + return DenseElementResult::Success; +} + /* ES 2016 draft Mar 25, 2016 22.1.3.26. */ bool js::array_splice(JSContext* cx, unsigned argc, Value* vp) @@ -2459,7 +2475,9 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI /* Steps 10-11. */ DebugOnly result = - CopyBoxedOrUnboxedDenseElements(cx, arr, obj, 0, actualStart, actualDeleteCount); + CopyDenseElements(cx, &arr->as(), + &obj->as(), 0, + actualStart, actualDeleteCount); MOZ_ASSERT(result.value == DenseElementResult::Success); /* Step 12 (implicit). */ @@ -2827,7 +2845,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be if (count) { DebugOnly result = - CopyBoxedOrUnboxedDenseElements(cx, narr, obj, 0, begin, count); + CopyDenseElements(cx, &narr->as(), &obj->as(), 0, begin, count); MOZ_ASSERT(result.value == DenseElementResult::Success); } arr.set(narr); @@ -2968,7 +2986,7 @@ ArraySliceDenseKernel(JSContext* cx, ArrayObject* arr, int32_t beginArg, int32_t if (count) { if (!result->ensureElements(cx, count)) return false; - CopyBoxedOrUnboxedDenseElements(cx, result, arr, 0, begin, count); + CopyDenseElements(cx, &result->as(), &arr->as(), 0, begin, count); } } -- cgit v1.2.3 From 8d2929313f6f8be66770f1137fa54a0825a3c768 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 13 Jun 2019 11:42:21 +0000 Subject: Clean up and rename MoveBoxedOrUnboxedDenseElements. --- js/src/jsarray.cpp | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 159717fea..97f035fd9 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2132,6 +2132,20 @@ SetInitializedLength(JSContext* cx, NativeObject* obj, size_t initlen) obj->shrinkElements(cx, initlen); } +static DenseElementResult +MoveDenseElements(JSContext* cx, NativeObject* obj, uint32_t dstStart, uint32_t srcStart, + uint32_t length) +{ + if (obj->denseElementsAreFrozen()) + return DenseElementResult::Incomplete; + + if (!obj->maybeCopyElementsForWrite(cx)) + return DenseElementResult::Failure; + obj->moveDenseElements(dstStart, srcStart, length); + + return DenseElementResult::Success; +} + static DenseElementResult ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) { @@ -2153,7 +2167,7 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (rval.isMagic(JS_ELEMENTS_HOLE)) rval.setUndefined(); - DenseElementResult result = MoveBoxedOrUnboxedDenseElements(cx, obj, 0, 1, initlen - 1); + DenseElementResult result = MoveDenseElements(cx, &obj->as(), 0, 1, initlen - 1); if (result != DenseElementResult::Success) return result; @@ -2514,8 +2528,7 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI if (CanOptimizeForDenseStorage(obj, 0, len, cx)) { /* Steps 15.a-b. */ DenseElementResult result = - MoveBoxedOrUnboxedDenseElements(cx, obj, targetIndex, sourceIndex, - len - sourceIndex); + MoveDenseElements(cx, &obj->as(), targetIndex, sourceIndex, len - sourceIndex); MOZ_ASSERT(result != DenseElementResult::Incomplete); if (result == DenseElementResult::Failure) return false; @@ -2601,9 +2614,9 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI if (CanOptimizeForDenseStorage(obj, len, itemCount - actualDeleteCount, cx)) { DenseElementResult result = - MoveBoxedOrUnboxedDenseElements(cx, obj, actualStart + itemCount, - actualStart + actualDeleteCount, - len - (actualStart + actualDeleteCount)); + MoveDenseElements(cx, &obj->as(), actualStart + itemCount, + actualStart + actualDeleteCount, + len - (actualStart + actualDeleteCount)); MOZ_ASSERT(result != DenseElementResult::Incomplete); if (result == DenseElementResult::Failure) return false; -- cgit v1.2.3 From 85f9a95ddbc39a1b120eeb8280685e1ae40dc5dc Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 14 Jun 2019 11:33:28 +0000 Subject: Replace SetOrExtendBoxedOrUnboxedDenseElements with direct calls. --- js/src/jsarray.cpp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 97f035fd9..b77a5bce8 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -280,8 +280,8 @@ ElementAdder::append(JSContext* cx, HandleValue v) { MOZ_ASSERT(index_ < length_); if (resObj_) { - DenseElementResult result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, resObj_, index_, v.address(), 1); + NativeObject* resObj = &resObj_->as(); + DenseElementResult result = resObj->setOrExtendDenseElements(cx, index_, v.address(), 1); if (result == DenseElementResult::Failure) return false; if (result == DenseElementResult::Incomplete) { @@ -390,8 +390,8 @@ SetArrayElement(JSContext* cx, HandleObject obj, double index, HandleValue v) MOZ_ASSERT(index >= 0); if (obj->is() && !obj->isIndexed() && index <= UINT32_MAX) { - DenseElementResult result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, uint32_t(index), v.address(), 1); + NativeObject* nobj = &obj->as(); + DenseElementResult result = nobj->setOrExtendDenseElements(cx, uint32_t(index), v.address(), 1); if (result != DenseElementResult::Incomplete) return result == DenseElementResult::Success; } @@ -1299,8 +1299,9 @@ InitArrayElements(JSContext* cx, HandleObject obj, uint32_t start, return false; if (!ObjectMayHaveExtraIndexedProperties(obj)) { - DenseElementResult result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, start, vector, count, updateTypes); + NativeObject* nobj = &obj->as(); + DenseElementResult result = nobj->setOrExtendDenseElements(cx, uint32_t(start), vector, + count, updateTypes); if (result != DenseElementResult::Incomplete) return result == DenseElementResult::Success; } @@ -2041,8 +2042,8 @@ js::array_push(JSContext* cx, unsigned argc, Value* vp) if (!ObjectMayHaveExtraIndexedProperties(obj)) { DenseElementResult result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, length, - args.array(), args.length()); + obj->as().setOrExtendDenseElements(cx, uint32_t(length), + args.array(), args.length()); if (result != DenseElementResult::Incomplete) { if (result == DenseElementResult::Failure) return false; @@ -3663,8 +3664,7 @@ js::NewCopiedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, if (!obj) return nullptr; - DenseElementResult result = - SetOrExtendBoxedOrUnboxedDenseElements(cx, obj, 0, vp, length, updateTypes); + DenseElementResult result = obj->setOrExtendDenseElements(cx->asJSContext(), 0, vp, length, updateTypes); if (result == DenseElementResult::Failure) return nullptr; MOZ_ASSERT(result == DenseElementResult::Success); -- cgit v1.2.3 From e9aac71c6d7fa67c7581e2bd75accae5a9699165 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sun, 16 Jun 2019 19:55:05 +0000 Subject: Remove and clean up more code. --- js/src/jsarray.cpp | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index b77a5bce8..6129b2b65 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2261,9 +2261,6 @@ js::array_unshift(JSContext* cx, unsigned argc, Value* vp) if (args.length() > 0) { /* Slide up the array to make room for all args at the bottom. */ if (length > 0) { - // Only include a fast path for boxed arrays. Unboxed arrays can'nt - // be optimized here because unshifting temporarily places holes at - // the start of the array. bool optimized = false; do { if (!obj->is()) @@ -2323,10 +2320,10 @@ js::array_unshift(JSContext* cx, unsigned argc, Value* vp) } /* - * Returns true if this is a dense or unboxed array whose |count| properties - * starting from |startingIndex| may be accessed (get, set, delete) directly - * through its contiguous vector of elements without fear of getters, setters, - * etc. along the prototype chain, or of enumerators requiring notification of + * Returns true if this is a dense array whose properties ending at |endIndex| + * (exclusive) may be accessed (get, set, delete) directly through its + * contiguous vector of elements without fear of getters, setters, etc. along + * the prototype chain, or of enumerators requiring notification of * modifications. */ static inline bool @@ -3550,10 +3547,10 @@ js::NewDenseCopyOnWriteArray(JSContext* cx, HandleArrayObject templateObject, gc return arr; } -// Return a new boxed or unboxed array with the specified length and allocated -// capacity (up to maxLength), using the specified group if possible. If the -// specified group cannot be used, ensure that the created array at least has -// the given [[Prototype]]. +// Return a new array with the specified length and allocated capacity (up to +// maxLength), using the specified group if possible. If the specified group +// cannot be used, ensure that the created array at least has the given +// [[Prototype]]. template static inline ArrayObject* NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length, @@ -3561,10 +3558,7 @@ NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length { MOZ_ASSERT(newKind != SingletonObject); - if (group->maybePreliminaryObjects()) - group->maybePreliminaryObjects()->maybeAnalyze(cx, group); - - if (group->shouldPreTenure() || group->maybePreliminaryObjects()) + if (group->shouldPreTenure()) newKind = TenuredObject; RootedObject proto(cx, group->proto().toObject()); @@ -3579,9 +3573,6 @@ NewArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length if (res->length() > INT32_MAX) res->setLength(cx, res->length()); - if (PreliminaryObjectArray* preliminaryObjects = group->maybePreliminaryObjects()) - preliminaryObjects->registerNewObject(res); - return res; } @@ -3601,10 +3592,7 @@ js::NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup g // Return a new array with the default prototype and specified allocated // capacity and length. If possible, try to reuse the group of the input // object. The resulting array will either reuse the input object's group or -// will have unknown property types. Additionally, the result will have the -// same boxed/unboxed elements representation as the input object, unless -// |length| is larger than the input object's initialized length (in which case -// UnboxedArrayObject::MaximumCapacity might be exceeded). +// will have unknown property types. template static inline ArrayObject* NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, -- cgit v1.2.3 From ccb3f2b730992b65ce404e8c6fbdc297485413ac Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sun, 16 Jun 2019 23:17:34 +0000 Subject: Remove/inline CanonicalizeArrayLengthValue. --- js/src/jsarray.cpp | 36 ++++++++++++++---------------------- 1 file changed, 14 insertions(+), 22 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 6129b2b65..a33735143 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -511,24 +511,6 @@ struct ReverseIndexComparator } }; -bool -js::CanonicalizeArrayLengthValue(JSContext* cx, HandleValue v, uint32_t* newLen) -{ - double d; - - if (!ToUint32(cx, v, newLen)) - return false; - - if (!ToNumber(cx, v, &d)) - return false; - - if (d == *newLen) - return true; - - JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH); - return false; -} - /* ES6 draft rev 34 (2015 Feb 20) 9.4.2.4 ArraySetLength */ bool js::ArraySetLength(JSContext* cx, Handle arr, HandleId id, @@ -550,12 +532,22 @@ js::ArraySetLength(JSContext* cx, Handle arr, HandleId id, } else { // Step 2 is irrelevant in our implementation. - // Steps 3-7. - MOZ_ASSERT_IF(attrs & JSPROP_IGNORE_VALUE, value.isUndefined()); - if (!CanonicalizeArrayLengthValue(cx, value, &newLen)) + // Step 3. + if (!ToUint32(cx, value, &newLen)) + return false; + + // Step 4. + double d; + if (!ToNumber(cx, value, &d)) return false; - // Step 8 is irrelevant in our implementation. + // Step 5. + if (d != newLen) { + JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH); + return false; + } + + // Steps 6-8 are irrelevant in our implementation. } // Steps 9-11. -- cgit v1.2.3 From fcc11b2fec61c37c90ffe40e8f406eba64654a9c Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 18 Jun 2019 12:59:22 +0000 Subject: Tabs -> Spaces (no code change) --- js/src/jsarray.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index a33735143..5854fda4c 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2480,8 +2480,8 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI /* Steps 10-11. */ DebugOnly result = CopyDenseElements(cx, &arr->as(), - &obj->as(), 0, - actualStart, actualDeleteCount); + &obj->as(), 0, + actualStart, actualDeleteCount); MOZ_ASSERT(result.value == DenseElementResult::Success); /* Step 12 (implicit). */ -- cgit v1.2.3 From c5b0e1f5e12f25613c95b0133883b774c22c8449 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 25 Jun 2019 11:15:11 +0000 Subject: Remove Unboxed Object code from /vm, Part 3. --- js/src/jsarray.cpp | 1 - 1 file changed, 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 5854fda4c..ec65bce64 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -45,7 +45,6 @@ #include "vm/Caches-inl.h" #include "vm/Interpreter-inl.h" #include "vm/NativeObject-inl.h" -#include "vm/UnboxedObject-inl.h" using namespace js; using namespace js::gc; -- cgit v1.2.3 From 20e3587ef5a97f190da7a4e674e988d7189c795c Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 8 Jul 2019 02:17:07 +0200 Subject: Avoid type confusion in ArrayJoinDenseKernel --- js/src/jsarray.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index ec65bce64..ff581beec 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -1048,7 +1048,7 @@ struct StringSeparatorOp template static bool -ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleNativeObject obj, uint64_t length, +ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleNativeObject obj, uint32_t length, StringBuffer& sb, uint32_t* numProcessed) { // This loop handles all elements up to initializedLength. If -- cgit v1.2.3 From 739a81958035410ddd9b230354a56c909cc5c816 Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sat, 8 Jun 2019 18:54:17 -0400 Subject: 1320408 - Part 2: Change JSFunction::getOrCreateScript to static method. --- js/src/jsarray.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index ff581beec..d28f5cb8e 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -1662,11 +1662,11 @@ MatchNumericComparator(JSContext* cx, const Value& v) if (!obj.is()) return Match_None; - JSFunction* fun = &obj.as(); + RootedFunction fun(cx, &obj.as()); if (!fun->isInterpreted() || fun->isClassConstructor()) return Match_None; - JSScript* script = fun->getOrCreateScript(cx); + JSScript* script = JSFunction::getOrCreateScript(cx, fun); if (!script) return Match_Failure; -- cgit v1.2.3 From af6768fb1f2e44b0bfe4136c79d8031028d073b1 Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sat, 8 Jun 2019 19:20:00 -0400 Subject: 1320408 - Part 4: Change JSObject::getGroup to static method. --- js/src/jsarray.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index d28f5cb8e..c1a6dcfab 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -602,7 +602,7 @@ js::ArraySetLength(JSContext* cx, Handle arr, HandleId id, // for..in iteration over the array. Keys deleted before being reached // during the iteration must not be visited, and suppressing them here // would be too costly. - ObjectGroup* arrGroup = arr->getGroup(cx); + ObjectGroup* arrGroup = JSObject::getGroup(cx, arr); if (MOZ_UNLIKELY(!arrGroup)) return false; if (!arr->isIndexed() && !MOZ_UNLIKELY(arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED))) { @@ -1285,7 +1285,7 @@ InitArrayElements(JSContext* cx, HandleObject obj, uint32_t start, if (count == 0) return true; - ObjectGroup* group = obj->getGroup(cx); + ObjectGroup* group = JSObject::getGroup(cx, obj); if (!group) return false; @@ -2144,7 +2144,7 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (ObjectMayHaveExtraIndexedProperties(obj)) return DenseElementResult::Incomplete; - RootedObjectGroup group(cx, obj->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj)); if (MOZ_UNLIKELY(!group)) return DenseElementResult::Failure; @@ -2340,7 +2340,7 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co * deleted if a hole is moved from one location to another location not yet * visited. See bug 690622. */ - ObjectGroup* arrGroup = arr->getGroup(cx); + ObjectGroup* arrGroup = JSObject::getGroup(cx, arr); if (!arrGroup) { cx->recoverFromOutOfMemory(); return false; @@ -3586,7 +3586,7 @@ js::NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup g // will have unknown property types. template static inline ArrayObject* -NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, +NewArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length, NewObjectKind newKind = GenericObject) { if (!obj->is()) @@ -3595,7 +3595,7 @@ NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, if (obj->staticPrototype() != cx->global()->maybeGetArrayPrototype()) return NewArray(cx, length, nullptr, newKind); - RootedObjectGroup group(cx, obj->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj)); if (!group) return nullptr; @@ -3603,14 +3603,14 @@ NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, } ArrayObject* -js::NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, +js::NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length, NewObjectKind newKind) { return NewArrayTryReuseGroup(cx, obj, length, newKind); } ArrayObject* -js::NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length) +js::NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length) { return NewArrayTryReuseGroup(cx, obj, length); } -- cgit v1.2.3 From 1d0ab1c752c583c153b850af339edb86d23f6cc8 Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sat, 8 Jun 2019 19:49:29 -0400 Subject: 1320408 - Part 9: Change JSObject::setFlags and depending methods to static method. --- js/src/jsarray.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index c1a6dcfab..aef98cc60 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -3266,7 +3266,7 @@ CreateArrayPrototype(JSContext* cx, JSProtoKey key) metadata)); if (!arrayProto || !JSObject::setSingleton(cx, arrayProto) || - !arrayProto->setDelegate(cx) || + !JSObject::setDelegate(cx, arrayProto) || !AddLengthProperty(cx, arrayProto)) { return nullptr; -- cgit v1.2.3 From 3a5176f4b25a2b90cefe14eb2c2de57113dc21ac Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sat, 8 Jun 2019 23:28:04 -0400 Subject: 1320408 - Part 14: Change some GlobalObject methods to static method. --- js/src/jsarray.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index aef98cc60..8bbcac320 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -3246,7 +3246,7 @@ static JSObject* CreateArrayPrototype(JSContext* cx, JSProtoKey key) { MOZ_ASSERT(key == JSProto_Array); - RootedObject proto(cx, cx->global()->getOrCreateObjectPrototype(cx)); + RootedObject proto(cx, GlobalObject::getOrCreateObjectPrototype(cx, cx->global())); if (!proto) return nullptr; -- cgit v1.2.3 From f39640128068a3816a9bfc28d619f8fa8f161435 Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sun, 30 Jun 2019 01:52:56 -0400 Subject: Fix a thread assertion in NewCopiedArrayTryUseGroup --- js/src/jsarray.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 8bbcac320..33ff67f36 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -3643,7 +3643,7 @@ js::NewCopiedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, if (!obj) return nullptr; - DenseElementResult result = obj->setOrExtendDenseElements(cx->asJSContext(), 0, vp, length, updateTypes); + DenseElementResult result = obj->setOrExtendDenseElements(cx, 0, vp, length, updateTypes); if (result == DenseElementResult::Failure) return nullptr; MOZ_ASSERT(result == DenseElementResult::Success); -- cgit v1.2.3 From 85aeff765ea921ea2c947fa9d68756eb989b6287 Mon Sep 17 00:00:00 2001 From: Gaming4JC Date: Sun, 14 Jul 2019 19:04:52 -0400 Subject: 1344477 - Part 2: Optimize Array.prototype.splice with JSOP_NORVCALL. --- js/src/jsarray.cpp | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) (limited to 'js/src/jsarray.cpp') diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 33ff67f36..e618c319f 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -2380,13 +2380,6 @@ CopyDenseElements(JSContext* cx, NativeObject* dst, NativeObject* src, return DenseElementResult::Success; } -/* ES 2016 draft Mar 25, 2016 22.1.3.26. */ -bool -js::array_splice(JSContext* cx, unsigned argc, Value* vp) -{ - return array_splice_impl(cx, argc, vp, true); -} - static inline bool ArraySpliceCopy(JSContext* cx, HandleObject arr, HandleObject obj, uint32_t actualStart, uint32_t actualDeleteCount) @@ -2416,8 +2409,8 @@ ArraySpliceCopy(JSContext* cx, HandleObject arr, HandleObject obj, return SetLengthProperty(cx, arr, actualDeleteCount); } -bool -js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueIsUsed) +static bool +array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueIsUsed) { AutoSPSEntry pseudoFrame(cx->runtime(), "Array.prototype.splice"); CallArgs args = CallArgsFromVp(argc, vp); @@ -2667,6 +2660,19 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI return true; } +/* ES 2016 draft Mar 25, 2016 22.1.3.26. */ +bool +js::array_splice(JSContext* cx, unsigned argc, Value* vp) +{ + return array_splice_impl(cx, argc, vp, true); +} + +static bool +array_splice_noRetVal(JSContext* cx, unsigned argc, Value* vp) +{ + return array_splice_impl(cx, argc, vp, false); +} + struct SortComparatorIndexes { bool operator()(uint32_t a, uint32_t b, bool* lessOrEqualp) { @@ -3084,6 +3090,15 @@ array_of(JSContext* cx, unsigned argc, Value* vp) return true; } +const JSJitInfo js::array_splice_info = { + { (JSJitGetterOp)array_splice_noRetVal }, + { 0 }, /* unused */ + { 0 }, /* unused */ + JSJitInfo::IgnoresReturnValueNative, + JSJitInfo::AliasEverything, + JSVAL_TYPE_UNDEFINED, +}; + static const JSFunctionSpec array_methods[] = { #if JS_HAS_TOSOURCE JS_FN(js_toSource_str, array_toSource, 0,0), @@ -3099,7 +3114,7 @@ static const JSFunctionSpec array_methods[] = { JS_INLINABLE_FN("pop", array_pop, 0,0, ArrayPop), JS_INLINABLE_FN("shift", array_shift, 0,0, ArrayShift), JS_FN("unshift", array_unshift, 1,0), - JS_INLINABLE_FN("splice", array_splice, 2,0, ArraySplice), + JS_FNINFO("splice", array_splice, &array_splice_info, 2,0), /* Pythonic sequence methods. */ JS_SELF_HOSTED_FN("concat", "ArrayConcat", 1,0), -- cgit v1.2.3