/[jscoverage]/trunk/js/jsfun.cpp

Diff of /trunk/js/jsfun.cpp

Parent Directory | Revision Log | View Patch Patch

-revision 506 by siliconforks,
Sat Sep 26 23:15:22 2009 UTC
+revision 507 by siliconforks,
Sun Jan 10 07:23:34 2010 UTC
 Line 1
- /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
   * vim: set ts=8 sw=4 et tw=99:
   *
   * ***** BEGIN LICENSE BLOCK *****
 Line 41
  /*
   * JS function support.
   */
- #include "jsstddef.h"
  #include <string.h>
  #include "jstypes.h"
+ #include "jsstdint.h"
  #include "jsbit.h"
  #include "jsutil.h" /* Added by JSIFY */
  #include "jsapi.h"
  #include "jsarray.h"
  #include "jsatom.h"
+ #include "jsbool.h"
  #include "jsbuiltins.h"
  #include "jscntxt.h"
  #include "jsversion.h"
-Line 68
+Line 69
  #include "jsstr.h"
  #include "jsexn.h"
  #include "jsstaticcheck.h"
+ #include "jstracer.h"
  #if JS_HAS_GENERATORS
  # include "jsiter.h"
-Line 77
+Line 79
  # include "jsxdrapi.h"
  #endif
- /* Generic function/call/arguments tinyids -- also reflected bit numbers. */
+ #include "jsatominlines.h"
- enum {
-     CALL_ARGUMENTS  = -1,       /* predefined arguments local variable */
-     ARGS_LENGTH     = -2,       /* number of actual args, arity if inactive */
-     ARGS_CALLEE     = -3,       /* reference from arguments to active funobj */
-     FUN_ARITY       = -4,       /* number of formal parameters; desired argc */
-     FUN_NAME        = -5,       /* function name, "" if anonymous */
-     FUN_CALLER      = -6        /* Function.prototype.caller, backward compat */
- };
- #if JSFRAME_OVERRIDE_BITS < 8
+ static inline void
- # error "not enough override bits in JSStackFrame.flags!"
+ SetOverriddenArgsLength(JSObject *obj)
- #endif
+ {
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
+     jsval v = obj->fslots[JSSLOT_ARGS_LENGTH];
+     v = INT_TO_JSVAL(JSVAL_TO_INT(v) | 1);
+     JS_ASSERT(JSVAL_IS_INT(v));
+     obj->fslots[JSSLOT_ARGS_LENGTH] = v;
+ }
+ static inline void
+ InitArgsLengthSlot(JSObject *obj, uint32 argc)
+ {
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
+     JS_ASSERT(argc <= JS_ARGS_LENGTH_MAX);
+     JS_ASSERT(obj->fslots[JSSLOT_ARGS_LENGTH] == JSVAL_VOID);
+     obj->fslots[JSSLOT_ARGS_LENGTH] = INT_TO_JSVAL(argc << 1);
+     JS_ASSERT(!js_IsOverriddenArgsLength(obj));
+ }
+ static inline uint32
+ GetArgsLength(JSObject *obj)
+ {
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
- #define TEST_OVERRIDE_BIT(fp, tinyid) \
+     uint32 argc = uint32(JSVAL_TO_INT(obj->fslots[JSSLOT_ARGS_LENGTH])) >> 1;
-     ((fp)->flags & JS_BIT(JSFRAME_OVERRIDE_SHIFT - ((tinyid) + 1)))
+     JS_ASSERT(argc <= JS_ARGS_LENGTH_MAX);
+     return argc;
+ }
- #define SET_OVERRIDE_BIT(fp, tinyid) \
+ static inline void
-     ((fp)->flags |= JS_BIT(JSFRAME_OVERRIDE_SHIFT - ((tinyid) + 1)))
+ SetArgsPrivateNative(JSObject *argsobj, js_ArgsPrivateNative *apn)
+ {
+     JS_ASSERT(STOBJ_GET_CLASS(argsobj) == &js_ArgumentsClass);
+     uintptr_t p = (uintptr_t) apn;
+     argsobj->setPrivate((void*) (p | 2));
+ }
  JSBool
  js_GetArgsValue(JSContext *cx, JSStackFrame *fp, jsval *vp)
  {
      JSObject *argsobj;
-     if (TEST_OVERRIDE_BIT(fp, CALL_ARGUMENTS)) {
+     if (fp->flags & JSFRAME_OVERRIDE_ARGS) {
          JS_ASSERT(fp->callobj);
-         return OBJ_GET_PROPERTY(cx, fp->callobj,
+         jsid id = ATOM_TO_JSID(cx->runtime->atomState.argumentsAtom);
-                                 ATOM_TO_JSID(cx->runtime->atomState
+         return fp->callobj->getProperty(cx, id, vp);
-                                              .argumentsAtom),
-                                 vp);
      }
      argsobj = js_GetArgsObject(cx, fp);
      if (!argsobj)
-Line 116
+Line 137
      return JS_TRUE;
  }
- static JSBool
- MarkArgDeleted(JSContext *cx, JSStackFrame *fp, uintN slot)
- {
-     JSObject *argsobj;
-     jsval bmapval, bmapint;
-     size_t nbits, nbytes;
-     jsbitmap *bitmap;
-     argsobj = fp->argsobj;
-     (void) JS_GetReservedSlot(cx, argsobj, 0, &bmapval);
-     nbits = fp->argc;
-     JS_ASSERT(slot < nbits);
-     if (JSVAL_IS_VOID(bmapval)) {
-         if (nbits <= JSVAL_INT_BITS) {
-             bmapint = 0;
-             bitmap = (jsbitmap *) &bmapint;
-         } else {
-             nbytes = JS_HOWMANY(nbits, JS_BITS_PER_WORD) * sizeof(jsbitmap);
-             bitmap = (jsbitmap *) JS_malloc(cx, nbytes);
-             if (!bitmap)
-                 return JS_FALSE;
-             memset(bitmap, 0, nbytes);
-             bmapval = PRIVATE_TO_JSVAL(bitmap);
-             JS_SetReservedSlot(cx, argsobj, 0, bmapval);
-         }
-     } else {
-         if (nbits <= JSVAL_INT_BITS) {
-             bmapint = JSVAL_TO_INT(bmapval);
-             bitmap = (jsbitmap *) &bmapint;
-         } else {
-             bitmap = (jsbitmap *) JSVAL_TO_PRIVATE(bmapval);
-         }
-     }
-     JS_SET_BIT(bitmap, slot);
-     if (bitmap == (jsbitmap *) &bmapint) {
-         bmapval = INT_TO_JSVAL(bmapint);
-         JS_SetReservedSlot(cx, argsobj, 0, bmapval);
-     }
-     return JS_TRUE;
- }
- /* NB: Infallible predicate, false does not mean error/exception. */
- static JSBool
- ArgWasDeleted(JSContext *cx, JSStackFrame *fp, uintN slot)
- {
-     JSObject *argsobj;
-     jsval bmapval, bmapint;
-     jsbitmap *bitmap;
-     argsobj = fp->argsobj;
-     (void) JS_GetReservedSlot(cx, argsobj, 0, &bmapval);
-     if (JSVAL_IS_VOID(bmapval))
-         return JS_FALSE;
-     if (fp->argc <= JSVAL_INT_BITS) {
-         bmapint = JSVAL_TO_INT(bmapval);
-         bitmap = (jsbitmap *) &bmapint;
-     } else {
-         bitmap = (jsbitmap *) JSVAL_TO_PRIVATE(bmapval);
-     }
-     return JS_TEST_BIT(bitmap, slot) != 0;
- }
  JSBool
  js_GetArgsProperty(JSContext *cx, JSStackFrame *fp, jsid id, jsval *vp)
  {
-     jsval val;
+     if (fp->flags & JSFRAME_OVERRIDE_ARGS) {
-     JSObject *obj;
-     uintN slot;
-     if (TEST_OVERRIDE_BIT(fp, CALL_ARGUMENTS)) {
          JS_ASSERT(fp->callobj);
-         if (!OBJ_GET_PROPERTY(cx, fp->callobj,
-                               ATOM_TO_JSID(cx->runtime->atomState
+         jsid argumentsid = ATOM_TO_JSID(cx->runtime->atomState.argumentsAtom);
-                                            .argumentsAtom),
+         jsval v;
-                               &val)) {
+         if (!fp->callobj->getProperty(cx, argumentsid, &v))
-             return JS_FALSE;
+             return false;
-         }
-         if (JSVAL_IS_PRIMITIVE(val)) {
+         JSObject *obj;
-             obj = js_ValueToNonNullObject(cx, val);
+         if (JSVAL_IS_PRIMITIVE(v)) {
+             obj = js_ValueToNonNullObject(cx, v);
              if (!obj)
-                 return JS_FALSE;
+                 return false;
          } else {
-             obj = JSVAL_TO_OBJECT(val);
+             obj = JSVAL_TO_OBJECT(v);
          }
-         return OBJ_GET_PROPERTY(cx, obj, id, vp);
+         return obj->getProperty(cx, id, vp);
      }
      *vp = JSVAL_VOID;
      if (JSID_IS_INT(id)) {
-         slot = (uintN) JSID_TO_INT(id);
+         uint32 arg = uint32(JSID_TO_INT(id));
-         if (slot < fp->argc) {
+         JSObject *argsobj = JSVAL_TO_OBJECT(fp->argsobj);
-             if (fp->argsobj && ArgWasDeleted(cx, fp, slot))
+         if (arg < fp->argc) {
-                 return OBJ_GET_PROPERTY(cx, fp->argsobj, id, vp);
+             if (argsobj) {
-             *vp = fp->argv[slot];
+                 jsval v = OBJ_GET_SLOT(cx, argsobj, JSSLOT_ARGS_COPY_START+arg);
+                 if (v == JSVAL_HOLE)
+                     return argsobj->getProperty(cx, id, vp);
+             }
+             *vp = fp->argv[arg];
          } else {
              /*
               * Per ECMA-262 Ed. 3, 10.1.8, last bulleted item, do not share
-Line 223
+Line 183
               * is null at this point, as it would be in the example, return
               * undefined in *vp.
               */
-             if (fp->argsobj)
+             if (argsobj)
-                 return OBJ_GET_PROPERTY(cx, fp->argsobj, id, vp);
+                 return argsobj->getProperty(cx, id, vp);
-         }
-     } else {
-         if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) {
-             if (fp->argsobj && TEST_OVERRIDE_BIT(fp, ARGS_LENGTH))
-                 return OBJ_GET_PROPERTY(cx, fp->argsobj, id, vp);
-             *vp = INT_TO_JSVAL((jsint) fp->argc);
          }
+     } else if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) {
+         JSObject *argsobj = JSVAL_TO_OBJECT(fp->argsobj);
+         if (argsobj && js_IsOverriddenArgsLength(argsobj))
+             return argsobj->getProperty(cx, id, vp);
+         *vp = INT_TO_JSVAL(jsint(fp->argc));
      }
-     return JS_TRUE;
+     return true;
+ }
+ static JSObject *
+ NewArguments(JSContext *cx, JSObject *parent, uint32 argc, JSObject *callee)
+ {
+     JSObject *argsobj = js_NewObject(cx, &js_ArgumentsClass, NULL, parent, 0);
+     if (!argsobj || !js_EnsureReservedSlots(cx, argsobj, argc))
+         return NULL;
+     argsobj->fslots[JSSLOT_ARGS_CALLEE] = OBJECT_TO_JSVAL(callee);
+     InitArgsLengthSlot(argsobj, argc);
+     return argsobj;
  }
+ static void
+ PutArguments(JSContext *cx, JSObject *argsobj, jsval *args)
+ {
+     uint32 argc = GetArgsLength(argsobj);
+     JS_LOCK_OBJ(cx, argsobj);
+     for (uint32 i = 0; i != argc; ++i) {
+         jsval v = STOBJ_GET_SLOT(argsobj, JSSLOT_ARGS_COPY_START + i);
+         if (v != JSVAL_HOLE)
+             STOBJ_SET_SLOT(argsobj, JSSLOT_ARGS_COPY_START + i, args[i]);
+     }
+     JS_UNLOCK_OBJ(cx, argsobj);
+ }
+ #ifdef OJI
+ JS_BEGIN_EXTERN_C
+ JS_EXPORT_API(JSObject *)
+ #else
  JSObject *
+ #endif
  js_GetArgsObject(JSContext *cx, JSStackFrame *fp)
  {
-     JSObject *argsobj, *global, *parent;
      /*
       * We must be in a function activation; the function must be lightweight
       * or else fp must have a variable object.
-Line 252
+Line 239
          fp = fp->down;
      /* Create an arguments object for fp only if it lacks one. */
-     argsobj = fp->argsobj;
+     JSObject *argsobj = JSVAL_TO_OBJECT(fp->argsobj);
      if (argsobj)
          return argsobj;
-     /* Link the new object to fp so it can get actual argument values. */
-     argsobj = js_NewObject(cx, &js_ArgumentsClass, NULL, NULL, 0);
-     if (!argsobj || !JS_SetPrivate(cx, argsobj, fp)) {
-         cx->weakRoots.newborn[GCX_OBJECT] = NULL;
-         return NULL;
-     }
      /*
       * Give arguments an intrinsic scope chain link to fp's global object.
       * Since the arguments object lacks a prototype because js_ArgumentsClass
-Line 274
+Line 254
       * js_GetClassPrototype not being able to find a global object containing
       * the standard prototype by starting from arguments and following parent.
       */
-     global = fp->scopeChain;
+     JSObject *parent, *global = fp->scopeChain;
      while ((parent = OBJ_GET_PARENT(cx, global)) != NULL)
          global = parent;
-     STOBJ_SET_PARENT(argsobj, global);
-     fp->argsobj = argsobj;
+     JS_ASSERT(fp->argv);
+     argsobj = NewArguments(cx, global, fp->argc, JSVAL_TO_OBJECT(fp->argv[-2]));
+     if (!argsobj)
+         return argsobj;
+     /* Link the new object to fp so it can get actual argument values. */
+     argsobj->setPrivate(fp);
+     fp->argsobj = OBJECT_TO_JSVAL(argsobj);
      return argsobj;
  }
- static JSBool
+ #ifdef OJI
- args_enumerate(JSContext *cx, JSObject *obj);
+ JS_EXPORT_API(void)
+ #else
- JS_FRIEND_API(JSBool)
+ void
+ #endif
  js_PutArgsObject(JSContext *cx, JSStackFrame *fp)
  {
-     JSObject *argsobj;
+     JSObject *argsobj = JSVAL_TO_OBJECT(fp->argsobj);
-     jsval bmapval, rval;
+     JS_ASSERT(argsobj->getPrivate() == fp);
-     JSBool ok;
+     PutArguments(cx, argsobj, fp->argv);
-     JSRuntime *rt;
+     argsobj->setPrivate(NULL);
+     fp->argsobj = JSVAL_NULL;
+ }
+ #ifdef OJI
+ JS_END_EXTERN_C
+ #endif
-     /*
+ /*
-      * Reuse args_enumerate here to reflect fp's actual arguments as indexed
+  * Traced versions of js_GetArgsObject and js_PutArgsObject.
-      * elements of argsobj.  Do this first, before clearing and freeing the
+  */
-      * deleted argument slot bitmap, because args_enumerate depends on that.
-      */
-     argsobj = fp->argsobj;
-     ok = args_enumerate(cx, argsobj);
-     /*
+ #ifdef JS_TRACER
-      * Now clear the deleted argument number bitmap slot and free the bitmap,
+ JSObject * JS_FASTCALL
-      * if one was actually created due to 'delete arguments[0]' or similar.
+ js_Arguments(JSContext *cx, JSObject *parent, uint32 argc, JSObject *callee,
-      */
+              double *argv, js_ArgsPrivateNative *apn)
-     (void) JS_GetReservedSlot(cx, argsobj, 0, &bmapval);
+ {
-     if (!JSVAL_IS_VOID(bmapval)) {
+     JSObject *argsobj = NewArguments(cx, parent, argc, callee);
-         JS_SetReservedSlot(cx, argsobj, 0, JSVAL_VOID);
+     if (!argsobj)
-         if (fp->argc > JSVAL_INT_BITS)
+         return NULL;
-             JS_free(cx, JSVAL_TO_PRIVATE(bmapval));
+     apn->argv = argv;
-     }
+     SetArgsPrivateNative(argsobj, apn);
+     return argsobj;
+ }
+ #endif
-     /*
+ JS_DEFINE_CALLINFO_6(extern, OBJECT, js_Arguments, CONTEXT, OBJECT, UINT32, OBJECT,
-      * Now get the prototype properties so we snapshot fp->fun and fp->argc
+                      DOUBLEPTR, APNPTR, 0, 0)
-      * before fp goes away.
-      */
-     rt = cx->runtime;
-     ok &= js_GetProperty(cx, argsobj, ATOM_TO_JSID(rt->atomState.calleeAtom),
-                          &rval);
-     ok &= js_SetProperty(cx, argsobj, ATOM_TO_JSID(rt->atomState.calleeAtom),
-                          &rval);
-     ok &= js_GetProperty(cx, argsobj, ATOM_TO_JSID(rt->atomState.lengthAtom),
-                          &rval);
-     ok &= js_SetProperty(cx, argsobj, ATOM_TO_JSID(rt->atomState.lengthAtom),
-                          &rval);
-     /*
+ /* FIXME change the return type to void. */
-      * Clear the private pointer to fp, which is about to go away (js_Invoke).
+ JSBool JS_FASTCALL
-      * Do this last because the args_enumerate and js_GetProperty calls above
+ js_PutArguments(JSContext *cx, JSObject *argsobj, jsval *args)
-      * need to follow the private slot to find fp.
+ {
-      */
+     JS_ASSERT(js_GetArgsPrivateNative(argsobj));
-     ok &= JS_SetPrivate(cx, argsobj, NULL);
+     PutArguments(cx, argsobj, args);
-     fp->argsobj = NULL;
+     argsobj->setPrivate(NULL);
-     return ok;
+     return true;
  }
+ JS_DEFINE_CALLINFO_3(extern, BOOL, js_PutArguments, CONTEXT, OBJECT, JSVALPTR, 0, 0)
  static JSBool
- args_delProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
+ args_delProperty(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
  {
-     jsint slot;
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
-     JSStackFrame *fp;
-     if (!JSVAL_IS_INT(id))
+     if (JSVAL_IS_INT(idval)) {
-         return JS_TRUE;
+         uintN arg = uintN(JSVAL_TO_INT(idval));
-     fp = (JSStackFrame *)
+         if (arg < GetArgsLength(obj))
-          JS_GetInstancePrivate(cx, obj, &js_ArgumentsClass, NULL);
+             OBJ_SET_SLOT(cx, obj, JSSLOT_ARGS_COPY_START + arg, JSVAL_HOLE);
-     if (!fp)
+     } else if (idval == ATOM_KEY(cx->runtime->atomState.lengthAtom)) {
-         return JS_TRUE;
+         SetOverriddenArgsLength(obj);
-     JS_ASSERT(fp->argsobj);
+     } else if (idval == ATOM_KEY(cx->runtime->atomState.calleeAtom)) {
+         obj->fslots[JSSLOT_ARGS_CALLEE] = JSVAL_HOLE;
-     slot = JSVAL_TO_INT(id);
-     switch (slot) {
-       case ARGS_CALLEE:
-       case ARGS_LENGTH:
-         SET_OVERRIDE_BIT(fp, slot);
-         break;
-       default:
-         if ((uintN)slot < fp->argc && !MarkArgDeleted(cx, fp, slot))
-             return JS_FALSE;
-         break;
      }
-     return JS_TRUE;
+     return true;
  }
  static JS_REQUIRES_STACK JSObject *
-Line 384
+Line 355
          return NULL;
      JSObject *wfunobj = js_NewObjectWithGivenProto(cx, &js_FunctionClass,
-                                                    funobj, scopeChain, 0);
+                                                    funobj, scopeChain);
      if (!wfunobj)
          return NULL;
      JSAutoTempValueRooter tvr(cx, wfunobj);
      JSFunction *wfun = (JSFunction *) wfunobj;
-     wfunobj->fslots[JSSLOT_PRIVATE] = PRIVATE_TO_JSVAL(wfun);
+     wfunobj->setPrivate(wfun);
      wfun->nargs = 0;
      wfun->flags = fun->flags | JSFUN_HEAVYWEIGHT;
      wfun->u.i.nvars = 0;
-Line 434
+Line 405
      }
      JSScript *script = fun->u.i.script;
-     jssrcnote *snbase = SCRIPT_NOTES(script);
+     jssrcnote *snbase = script->notes();
      jssrcnote *sn = snbase;
      while (!SN_IS_TERMINATOR(sn))
          sn = SN_NEXT(sn);
-Line 444
+Line 415
      JSScript *wscript = js_NewScript(cx, script->length, nsrcnotes,
                                       script->atomMap.length,
                                       (script->objectsOffset != 0)
-                                      ? JS_SCRIPT_OBJECTS(script)->length
+                                      ? script->objects()->length
                                       : 0,
                                       fun->u.i.nupvars,
                                       (script->regexpsOffset != 0)
-                                      ? JS_SCRIPT_REGEXPS(script)->length
+                                      ? script->regexps()->length
                                       : 0,
                                       (script->trynotesOffset != 0)
-                                      ? JS_SCRIPT_TRYNOTES(script)->length
+                                      ? script->trynotes()->length
                                       : 0);
      if (!wscript)
          return NULL;
-Line 459
+Line 430
      memcpy(wscript->code, script->code, script->length);
      wscript->main = wscript->code + (script->main - script->code);
-     memcpy(SCRIPT_NOTES(wscript), snbase, nsrcnotes);
+     memcpy(wscript->notes(), snbase, nsrcnotes * sizeof(jssrcnote));
      memcpy(wscript->atomMap.vector, script->atomMap.vector,
             wscript->atomMap.length * sizeof(JSAtom *));
      if (script->objectsOffset != 0) {
-         memcpy(JS_SCRIPT_OBJECTS(wscript)->vector, JS_SCRIPT_OBJECTS(script)->vector,
+         memcpy(wscript->objects()->vector, script->objects()->vector,
-                JS_SCRIPT_OBJECTS(wscript)->length * sizeof(JSObject *));
+                wscript->objects()->length * sizeof(JSObject *));
      }
      if (script->regexpsOffset != 0) {
-         memcpy(JS_SCRIPT_REGEXPS(wscript)->vector, JS_SCRIPT_REGEXPS(script)->vector,
+         memcpy(wscript->regexps()->vector, script->regexps()->vector,
-                JS_SCRIPT_REGEXPS(wscript)->length * sizeof(JSObject *));
+                wscript->regexps()->length * sizeof(JSObject *));
      }
      if (script->trynotesOffset != 0) {
-         memcpy(JS_SCRIPT_TRYNOTES(wscript)->vector, JS_SCRIPT_TRYNOTES(script)->vector,
+         memcpy(wscript->trynotes()->vector, script->trynotes()->vector,
-                JS_SCRIPT_TRYNOTES(wscript)->length * sizeof(JSTryNote));
+                wscript->trynotes()->length * sizeof(JSTryNote));
      }
      if (wfun->u.i.nupvars != 0) {
-         JS_ASSERT(wfun->u.i.nupvars == JS_SCRIPT_UPVARS(wscript)->length);
+         JS_ASSERT(wfun->u.i.nupvars == wscript->upvars()->length);
-         memcpy(JS_SCRIPT_UPVARS(wscript)->vector, JS_SCRIPT_UPVARS(script)->vector,
+         memcpy(wscript->upvars()->vector, script->upvars()->vector,
                 wfun->u.i.nupvars * sizeof(uint32));
      }
-Line 534
+Line 505
  }
  static JSBool
- args_getProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
+ ArgGetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
  {
-     jsint slot;
+     if (!JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
-     JSStackFrame *fp;
+         return true;
-     if (!JSVAL_IS_INT(id))
+     if (JSVAL_IS_INT(idval)) {
-         return JS_TRUE;
+         /*
-     fp = (JSStackFrame *)
+          * arg can exceed the number of arguments if a script changed the
-          JS_GetInstancePrivate(cx, obj, &js_ArgumentsClass, NULL);
+          * prototype to point to another Arguments object with a bigger argc.
-     if (!fp)
+          */
-         return JS_TRUE;
+         uintN arg = uintN(JSVAL_TO_INT(idval));
-     JS_ASSERT(fp->argsobj);
+         if (arg < GetArgsLength(obj)) {
+ #ifdef JS_TRACER
+             js_ArgsPrivateNative *argp = js_GetArgsPrivateNative(obj);
+             if (argp) {
+                 if (js_NativeToValue(cx, *vp, argp->typemap()[arg], &argp->argv[arg]))
+                     return true;
+                 js_LeaveTrace(cx);
+                 return false;
+             }
+ #endif
-     slot = JSVAL_TO_INT(id);
+             JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
-     switch (slot) {
+             if (fp) {
-       case ARGS_CALLEE:
+                 *vp = fp->argv[arg];
-         if (!TEST_OVERRIDE_BIT(fp, slot)) {
+             } else {
+                 jsval v = OBJ_GET_SLOT(cx, obj, JSSLOT_ARGS_COPY_START + arg);
+                 if (v != JSVAL_HOLE)
+                     *vp = v;
+             }
+         }
+     } else if (idval == ATOM_KEY(cx->runtime->atomState.lengthAtom)) {
+         if (!js_IsOverriddenArgsLength(obj))
+             *vp = INT_TO_JSVAL(GetArgsLength(obj));
+     } else {
+         JS_ASSERT(idval == ATOM_KEY(cx->runtime->atomState.calleeAtom));
+         jsval v = obj->fslots[JSSLOT_ARGS_CALLEE];
+         if (v != JSVAL_HOLE) {
              /*
               * If this function or one in it needs upvars that reach above it
               * in the scope chain, it must not be a null closure (it could be a
-Line 559
+Line 551
               * to reduce code size and tell debugger users the truth instead of
               * passing off a fibbing wrapper.
               */
-             if (fp->fun->needsWrapper()) {
+             if (GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(v))->needsWrapper()) {
                  JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                                       JSMSG_OPTIMIZED_CLOSURE_LEAK);
-                 return JS_FALSE;
+                 return false;
              }
-             *vp = OBJECT_TO_JSVAL(fp->callee);
+             *vp = v;
          }
-         break;
-       case ARGS_LENGTH:
-         if (!TEST_OVERRIDE_BIT(fp, slot))
-             *vp = INT_TO_JSVAL((jsint)fp->argc);
-         break;
-       default:
-         if ((uintN)slot < fp->argc && !ArgWasDeleted(cx, fp, slot))
-             *vp = fp->argv[slot];
-         break;
      }
-     return JS_TRUE;
+     return true;
  }
  static JSBool
- args_setProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
+ ArgSetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
  {
-     JSStackFrame *fp;
+ #ifdef JS_TRACER
-     jsint slot;
+     // To be able to set a property here on trace, we would have to make
+     // sure any updates also get written back to the trace native stack.
-     if (!JSVAL_IS_INT(id))
+     // For simplicity, we just leave trace, since this is presumably not
-         return JS_TRUE;
+     // a common operation.
-     fp = (JSStackFrame *)
+     if (JS_ON_TRACE(cx)) {
-          JS_GetInstancePrivate(cx, obj, &js_ArgumentsClass, NULL);
+         js_DeepBail(cx);
-     if (!fp)
+         return false;
-         return JS_TRUE;
+     }
-     JS_ASSERT(fp->argsobj);
+ #endif
-     slot = JSVAL_TO_INT(id);
-     switch (slot) {
-       case ARGS_CALLEE:
-       case ARGS_LENGTH:
-         SET_OVERRIDE_BIT(fp, slot);
-         break;
-       default:
+     if (!JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
-         if (FUN_INTERPRETED(fp->fun) &&
+         return true;
-             (uintN)slot < fp->argc &&
-             !ArgWasDeleted(cx, fp, slot)) {
+     if (JSVAL_IS_INT(idval)) {
-             fp->argv[slot] = *vp;
+         uintN arg = uintN(JSVAL_TO_INT(idval));
+         if (arg < GetArgsLength(obj)) {
+             JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
+             if (fp) {
+                 fp->argv[arg] = *vp;
+                 return true;
+             }
          }
-         break;
+     } else {
+         JS_ASSERT(idval == ATOM_KEY(cx->runtime->atomState.lengthAtom) ||
+                   idval == ATOM_KEY(cx->runtime->atomState.calleeAtom));
      }
-     return JS_TRUE;
+     /*
+      * For simplicity we use delete/set to replace the property with one
+      * backed by the default Object getter and setter. Note the we rely on
+      * args_delete to clear the corresponding reserved slot so the GC can
+      * collect its value.
+      */
+     jsid id;
+     if (!JS_ValueToId(cx, idval, &id))
+         return false;
+     JSAutoTempValueRooter tvr(cx);
+     return js_DeleteProperty(cx, obj, id, tvr.addr()) &&
+            js_SetProperty(cx, obj, id, vp);
  }
  static JSBool
- args_resolve(JSContext *cx, JSObject *obj, jsval id, uintN flags,
+ args_resolve(JSContext *cx, JSObject *obj, jsval idval, uintN flags,
               JSObject **objp)
  {
-     JSStackFrame *fp;
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
-     uintN slot;
-     JSString *str;
-     JSAtom *atom;
-     intN tinyid;
-     jsval value;
      *objp = NULL;
-     fp = (JSStackFrame *)
+     jsid id = 0;
-          JS_GetInstancePrivate(cx, obj, &js_ArgumentsClass, NULL);
+     if (JSVAL_IS_INT(idval)) {
-     if (!fp)
+         uint32 arg = uint32(JSVAL_TO_INT(idval));
-         return JS_TRUE;
+         if (arg < GetArgsLength(obj) &&
-     JS_ASSERT(fp->argsobj);
+             OBJ_GET_SLOT(cx, obj, JSSLOT_ARGS_COPY_START + arg) != JSVAL_HOLE) {
+             id = INT_JSVAL_TO_JSID(idval);
-     if (JSVAL_IS_INT(id)) {
+         }
-         slot = JSVAL_TO_INT(id);
+     } else if (idval == ATOM_KEY(cx->runtime->atomState.lengthAtom)) {
-         if (slot < fp->argc && !ArgWasDeleted(cx, fp, slot)) {
+         if (!js_IsOverriddenArgsLength(obj))
-             /* XXX ECMA specs DontEnum, contrary to other array-like objects */
+             id = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
-             if (!js_DefineProperty(cx, obj, INT_JSVAL_TO_JSID(id),
-                                    fp->argv[slot],
+     } else if (idval == ATOM_KEY(cx->runtime->atomState.calleeAtom)) {
-                                    args_getProperty, args_setProperty,
+         if (obj->fslots[JSSLOT_ARGS_CALLEE] != JSVAL_HOLE)
-, NULL)) {
+             id = ATOM_TO_JSID(cx->runtime->atomState.calleeAtom);
-                 return JS_FALSE;
-             }
-             *objp = obj;
-         }
-     } else if (JSVAL_IS_STRING(id)) {
-         str = JSVAL_TO_STRING(id);
-         atom = cx->runtime->atomState.lengthAtom;
-         if (str == ATOM_TO_STRING(atom)) {
-             tinyid = ARGS_LENGTH;
-             value = INT_TO_JSVAL(fp->argc);
-         } else {
-             atom = cx->runtime->atomState.calleeAtom;
-             if (str == ATOM_TO_STRING(atom)) {
-                 tinyid = ARGS_CALLEE;
-                 value = OBJECT_TO_JSVAL(fp->callee);
-             } else {
-                 atom = NULL;
-                 /* Quell GCC overwarnings. */
-                 tinyid = 0;
-                 value = JSVAL_NULL;
-             }
-         }
-         if (atom && !TEST_OVERRIDE_BIT(fp, tinyid)) {
-             if (!js_DefineNativeProperty(cx, obj, ATOM_TO_JSID(atom), value,
-                                          args_getProperty, args_setProperty, 0,
-                                          SPROP_HAS_SHORTID, tinyid, NULL)) {
-                 return JS_FALSE;
-             }
-             *objp = obj;
-         }
      }
-     return JS_TRUE;
+     if (id != 0) {
+         /*
+          * XXX ECMA specs DontEnum even for indexed properties, contrary to
+          * other array-like objects.
+          */
+         if (!js_DefineProperty(cx, obj, id, JSVAL_VOID, ArgGetter, ArgSetter, JSPROP_SHARED))
+             return JS_FALSE;
+         *objp = obj;
+     }
+     return true;
  }
  static JSBool
  args_enumerate(JSContext *cx, JSObject *obj)
  {
-     JSStackFrame *fp;
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
-     JSObject *pobj;
-     JSProperty *prop;
-     uintN slot, argc;
-     fp = (JSStackFrame *)
-          JS_GetInstancePrivate(cx, obj, &js_ArgumentsClass, NULL);
-     if (!fp)
-         return JS_TRUE;
-     JS_ASSERT(fp->argsobj);
      /*
-      * Trigger reflection with value snapshot in args_resolve using a series
+      * Trigger reflection in args_resolve using a series of js_LookupProperty
-      * of js_LookupProperty calls.  We handle length, callee, and the indexed
+      * calls.
-      * argument properties.  We know that args_resolve covers all these cases
-      * and creates direct properties of obj, but that it may fail to resolve
-      * length or callee if overridden.
       */
-     if (!js_LookupProperty(cx, obj,
+     int argc = int(GetArgsLength(obj));
-                            ATOM_TO_JSID(cx->runtime->atomState.lengthAtom),
+     for (int i = -2; i != argc; i++) {
-                            &pobj, &prop)) {
+         jsid id = (i == -2)
-         return JS_FALSE;
+                   ? ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)
-     }
+                   : (i == -1)
-     if (prop)
+                   ? ATOM_TO_JSID(cx->runtime->atomState.calleeAtom)
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+                   : INT_JSVAL_TO_JSID(INT_TO_JSVAL(i));
-     if (!js_LookupProperty(cx, obj,
+         JSObject *pobj;
-                            ATOM_TO_JSID(cx->runtime->atomState.calleeAtom),
+         JSProperty *prop;
-                            &pobj, &prop)) {
+         if (!js_LookupProperty(cx, obj, id, &pobj, &prop))
-         return JS_FALSE;
+             return false;
-     }
-     if (prop)
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
-     argc = fp->argc;
+         /* prop is null when the property was deleted. */
-     for (slot = 0; slot < argc; slot++) {
-         if (!js_LookupProperty(cx, obj, INT_TO_JSID((jsint)slot), &pobj, &prop))
-             return JS_FALSE;
          if (prop)
-             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             pobj->dropProperty(cx, prop);
      }
-     return JS_TRUE;
+     return true;
  }
  #if JS_HAS_GENERATORS
-Line 731
+Line 680
  static void
  args_or_call_trace(JSTracer *trc, JSObject *obj)
  {
-     JSStackFrame *fp;
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass ||
+               STOBJ_GET_CLASS(obj) == &js_CallClass);
+     if (STOBJ_GET_CLASS(obj) == &js_ArgumentsClass && js_GetArgsPrivateNative(obj))
+         return;
-     fp = (JSStackFrame *) JS_GetPrivate(trc->context, obj);
+     JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
      if (fp && (fp->flags & JSFRAME_GENERATOR)) {
          JS_CALL_OBJECT_TRACER(trc, FRAME_TO_GENERATOR(fp)->obj,
                                "FRAME_TO_GENERATOR(fp)->obj");
-Line 743
+Line 695
  # define args_or_call_trace NULL
  #endif
+ static uint32
+ args_reserveSlots(JSContext *cx, JSObject *obj)
+ {
+     JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_ArgumentsClass);
+     return GetArgsLength(obj);
+ }
  /*
   * The Arguments class is not initialized via JS_InitClass, and must not be,
   * because its name is "Object".  Per ECMA, that causes instances of it to
-Line 756
+Line 715
   */
  JSClass js_ArgumentsClass = {
      js_Object_str,
-     JSCLASS_HAS_PRIVATE | JSCLASS_NEW_RESOLVE | JSCLASS_HAS_RESERVED_SLOTS(1) |
+     JSCLASS_HAS_PRIVATE | JSCLASS_NEW_RESOLVE |
+     JSCLASS_HAS_RESERVED_SLOTS(ARGS_CLASS_FIXED_RESERVED_SLOTS) |
      JSCLASS_MARK_IS_TRACE | JSCLASS_HAS_CACHED_PROTO(JSProto_Object),
      JS_PropertyStub,    args_delProperty,
-     args_getProperty,   args_setProperty,
+     JS_PropertyStub,    JS_PropertyStub,
      args_enumerate,     (JSResolveOp) args_resolve,
-     JS_ConvertStub,     JS_FinalizeStub,
+     JS_ConvertStub,     NULL,
      NULL,               NULL,
      NULL,               NULL,
      NULL,               NULL,
-     JS_CLASS_TRACE(args_or_call_trace), NULL
+     JS_CLASS_TRACE(args_or_call_trace), args_reserveSlots
  };
- #define JSSLOT_CALLEE                    (JSSLOT_PRIVATE + 1)
+ const uint32 JSSLOT_CALLEE =                    JSSLOT_PRIVATE + 1;
- #define JSSLOT_CALL_ARGUMENTS            (JSSLOT_PRIVATE + 2)
+ const uint32 JSSLOT_CALL_ARGUMENTS =            JSSLOT_PRIVATE + 2;
- #define CALL_CLASS_FIXED_RESERVED_SLOTS  2
+ const uint32 CALL_CLASS_FIXED_RESERVED_SLOTS =  2;
  /*
   * A Declarative Environment object stores its active JSStackFrame pointer in
-Line 780
+Line 740
      js_Object_str,
      JSCLASS_HAS_PRIVATE | JSCLASS_HAS_CACHED_PROTO(JSProto_Object),
      JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,
-     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   JS_FinalizeStub,
+     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   NULL,
      JSCLASS_NO_OPTIONAL_MEMBERS
  };
- static JS_REQUIRES_STACK JSBool
+ static JSBool
  CheckForEscapingClosure(JSContext *cx, JSObject *obj, jsval *vp)
  {
      JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_CallClass ||
-Line 803
+Line 763
           * still has an active stack frame associated with it.
           */
          if (fun->needsWrapper()) {
-             JSStackFrame *fp = (JSStackFrame *) JS_GetPrivate(cx, obj);
+             js_LeaveTrace(cx);
+             JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
              if (fp) {
                  JSObject *wrapper = WrapEscapingClosure(cx, fp, funobj, fun);
                  if (!wrapper)
-Line 820
+Line 782
      return true;
  }
- static JS_REQUIRES_STACK JSBool
+ static JSBool
  CalleeGetter(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
  {
      return CheckForEscapingClosure(cx, obj, vp);
-Line 841
+Line 803
      /* A call object should be a frame's outermost scope chain element.  */
      JSClass *classp = OBJ_GET_CLASS(cx, fp->scopeChain);
      if (classp == &js_WithClass || classp == &js_BlockClass || classp == &js_CallClass)
-         JS_ASSERT(OBJ_GET_PRIVATE(cx, fp->scopeChain) != fp);
+         JS_ASSERT(fp->scopeChain->getPrivate() != fp);
  #endif
      /*
-Line 853
+Line 815
      JSAtom *lambdaName = (fp->fun->flags & JSFUN_LAMBDA) ? fp->fun->atom : NULL;
      if (lambdaName) {
          JSObject *env = js_NewObjectWithGivenProto(cx, &js_DeclEnvClass, NULL,
-                                                    fp->scopeChain, 0);
+                                                    fp->scopeChain);
          if (!env)
              return NULL;
-         env->fslots[JSSLOT_PRIVATE] = PRIVATE_TO_JSVAL(fp);
+         env->setPrivate(fp);
          /* Root env before js_DefineNativeProperty (-> JSClass.addProperty). */
          fp->scopeChain = env;
+         JS_ASSERT(fp->argv);
          if (!js_DefineNativeProperty(cx, fp->scopeChain, ATOM_TO_JSID(lambdaName),
-                                      OBJECT_TO_JSVAL(fp->callee),
+                                      fp->argv[-2],
                                       CalleeGetter, NULL,
                                       JSPROP_PERMANENT | JSPROP_READONLY,
 , 0, NULL)) {
-Line 869
+Line 832
          }
      }
-     callobj = js_NewObjectWithGivenProto(cx, &js_CallClass, NULL,
+     callobj = js_NewObjectWithGivenProto(cx, &js_CallClass, NULL, fp->scopeChain);
-                                          fp->scopeChain, 0);
+     if (!callobj ||
-     if (!callobj)
+         !js_EnsureReservedSlots(cx, callobj, fp->fun->countArgsAndVars())) {
          return NULL;
+     }
-     JS_SetPrivate(cx, callobj, fp);
+     callobj->setPrivate(fp);
-     JS_ASSERT(fp->fun == GET_FUNCTION_PRIVATE(cx, fp->callee));
+     JS_ASSERT(fp->argv);
-     STOBJ_SET_SLOT(callobj, JSSLOT_CALLEE, OBJECT_TO_JSVAL(fp->callee));
+     JS_ASSERT(fp->fun == GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(fp->argv[-2])));
+     STOBJ_SET_SLOT(callobj, JSSLOT_CALLEE, fp->argv[-2]);
      fp->callobj = callobj;
      /*
-Line 888
+Line 853
      return callobj;
  }
- static JSFunction *
+ JSFunction *
- GetCallObjectFunction(JSObject *obj)
+ js_GetCallObjectFunction(JSObject *obj)
  {
      jsval v;
-Line 903
+Line 868
      return GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(v));
  }
- JS_FRIEND_API(JSBool)
+ #ifdef OJI
+ JS_BEGIN_EXTERN_C
+ JS_EXPORT_API(void)
+ #else
+ void
+ #endif
  js_PutCallObject(JSContext *cx, JSStackFrame *fp)
  {
-     JSObject *callobj;
+     JSObject *callobj = fp->callobj;
-     JSBool ok;
+     JS_ASSERT(callobj);
-     JSFunction *fun;
-     uintN n;
+     /* Get the arguments object to snapshot fp's actual argument values. */
-     JSScope *scope;
+     if (fp->argsobj) {
+         if (!(fp->flags & JSFRAME_OVERRIDE_ARGS))
+             STOBJ_SET_SLOT(callobj, JSSLOT_CALL_ARGUMENTS, fp->argsobj);
+         js_PutArgsObject(cx, fp);
+     }
+     JSFunction *fun = fp->fun;
+     JS_ASSERT(fun == js_GetCallObjectFunction(callobj));
+     uintN n = fun->countArgsAndVars();
      /*
       * Since for a call object all fixed slots happen to be taken, we can copy
-Line 918
+Line 896
       */
      JS_STATIC_ASSERT(JS_INITIAL_NSLOTS - JSSLOT_PRIVATE ==
 + CALL_CLASS_FIXED_RESERVED_SLOTS);
-     callobj = fp->callobj;
-     if (!callobj)
-         return JS_TRUE;
-     /*
-      * Get the arguments object to snapshot fp's actual argument values.
-      */
-     ok = JS_TRUE;
-     if (fp->argsobj) {
-         if (!TEST_OVERRIDE_BIT(fp, CALL_ARGUMENTS)) {
-             STOBJ_SET_SLOT(callobj, JSSLOT_CALL_ARGUMENTS,
-                            OBJECT_TO_JSVAL(fp->argsobj));
-         }
-         ok &= js_PutArgsObject(cx, fp);
-     }
-     fun = fp->fun;
-     JS_ASSERT(fun == GetCallObjectFunction(callobj));
-     n = fun->countArgsAndVars();
      if (n != 0) {
-         JS_LOCK_OBJ(cx, callobj);
+         JS_ASSERT(STOBJ_NSLOTS(callobj) >= JS_INITIAL_NSLOTS + n);
          n += JS_INITIAL_NSLOTS;
-         if (n > STOBJ_NSLOTS(callobj))
+         JS_LOCK_OBJ(cx, callobj);
-             ok &= js_ReallocSlots(cx, callobj, n, JS_TRUE);
+         memcpy(callobj->dslots, fp->argv, fun->nargs * sizeof(jsval));
-         scope = OBJ_SCOPE(callobj);
+         memcpy(callobj->dslots + fun->nargs, fp->slots,
-         if (ok) {
+                fun->u.i.nvars * sizeof(jsval));
-             memcpy(callobj->dslots, fp->argv, fun->nargs * sizeof(jsval));
+         JS_UNLOCK_OBJ(cx, callobj);
-             memcpy(callobj->dslots + fun->nargs, fp->slots,
-                    fun->u.i.nvars * sizeof(jsval));
-             if (scope->object == callobj && n > scope->freeslot)
-                 scope->freeslot = n;
-         }
-         JS_UNLOCK_SCOPE(cx, scope);
      }
-     /*
+     /* Clear private pointers to fp, which is about to go away (js_Invoke). */
-      * Clear private pointers to fp, which is about to go away (js_Invoke).
-      * Do this last because js_GetProperty calls above need to follow the
-      * call object's private slot to find fp.
-      */
      if ((fun->flags & JSFUN_LAMBDA) && fun->atom) {
          JSObject *env = STOBJ_GET_PARENT(callobj);
          JS_ASSERT(STOBJ_GET_CLASS(env) == &js_DeclEnvClass);
-         JS_ASSERT(STOBJ_GET_PRIVATE(env) == fp);
+         JS_ASSERT(env->getPrivate() == fp);
-         JS_SetPrivate(cx, env, NULL);
+         env->setPrivate(NULL);
      }
-     JS_SetPrivate(cx, callobj, NULL);
+     callobj->setPrivate(NULL);
      fp->callobj = NULL;
-     return ok;
  }
+ #ifdef OJI
+ JS_END_EXTERN_C
+ #endif
  static JSBool
  call_enumerate(JSContext *cx, JSObject *obj)
-Line 984
+Line 934
      JSObject *pobj;
      JSProperty *prop;
-     fun = GetCallObjectFunction(obj);
+     fun = js_GetCallObjectFunction(obj);
      n = fun ? fun->countArgsAndVars() : 0;
      if (n == 0)
          return JS_TRUE;
-Line 1018
+Line 968
           */
          JS_ASSERT(prop);
          JS_ASSERT(pobj == obj);
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      }
      ok = JS_TRUE;
-Line 1045
+Line 995
      if (STOBJ_GET_CLASS(obj) != &js_CallClass)
          return JS_TRUE;
-     fun = GetCallObjectFunction(obj);
+     fun = js_GetCallObjectFunction(obj);
-     fp = (JSStackFrame *) JS_GetPrivate(cx, obj);
+     fp = (JSStackFrame *) obj->getPrivate();
      if (kind == JSCPK_ARGUMENTS) {
          if (setter) {
              if (fp)
-                 SET_OVERRIDE_BIT(fp, CALL_ARGUMENTS);
+                 fp->flags |= JSFRAME_OVERRIDE_ARGS;
              STOBJ_SET_SLOT(obj, JSSLOT_CALL_ARGUMENTS, *vp);
          } else {
-             if (fp && !TEST_OVERRIDE_BIT(fp, CALL_ARGUMENTS)) {
+             if (fp && !(fp->flags & JSFRAME_OVERRIDE_ARGS)) {
                  JSObject *argsobj;
                  argsobj = js_GetArgsObject(cx, fp);
-Line 1117
+Line 1067
      return CallPropertyOp(cx, obj, id, vp, JSCPK_ARG, JS_FALSE);
  }
- static JSBool
+ JSBool
  SetCallArg(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
  {
      return CallPropertyOp(cx, obj, id, vp, JSCPK_ARG, JS_TRUE);
-Line 1138
+Line 1088
      return CheckForEscapingClosure(cx, obj, vp);
  }
- static JSBool
+ JSBool
  SetCallVar(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
  {
      return CallPropertyOp(cx, obj, id, vp, JSCPK_VAR, JS_TRUE);
  }
+ JSBool JS_FASTCALL
+ js_SetCallArg(JSContext *cx, JSObject *obj, jsid id, jsval v)
+ {
+     return CallPropertyOp(cx, obj, id, &v, JSCPK_ARG, JS_TRUE);
+ }
+ JSBool JS_FASTCALL
+ js_SetCallVar(JSContext *cx, JSObject *obj, jsid id, jsval v)
+ {
+     return CallPropertyOp(cx, obj, id, &v, JSCPK_VAR, JS_TRUE);
+ }
+ JS_DEFINE_CALLINFO_4(extern, BOOL, js_SetCallArg, CONTEXT, OBJECT, JSID, JSVAL, 0, 0)
+ JS_DEFINE_CALLINFO_4(extern, BOOL, js_SetCallVar, CONTEXT, OBJECT, JSID, JSVAL, 0, 0)
  static JSBool
  call_resolve(JSContext *cx, JSObject *obj, jsval idval, uintN flags,
               JSObject **objp)
-Line 1245
+Line 1210
  static JSBool
  call_convert(JSContext *cx, JSObject *obj, JSType type, jsval *vp)
  {
-     JSStackFrame *fp;
      if (type == JSTYPE_FUNCTION) {
-         fp = (JSStackFrame *) JS_GetPrivate(cx, obj);
+         JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
          if (fp) {
              JS_ASSERT(fp->fun);
-             *vp = OBJECT_TO_JSVAL(fp->callee);
+             JS_ASSERT(fp->argv);
+             *vp = fp->argv[-2];
          }
      }
      return JS_TRUE;
-Line 1262
+Line 1226
  {
      JSFunction *fun;
-     fun = GetCallObjectFunction(obj);
+     fun = js_GetCallObjectFunction(obj);
      return fun->countArgsAndVars();
  }
-Line 1274
+Line 1238
      JS_PropertyStub,    JS_PropertyStub,
      JS_PropertyStub,    JS_PropertyStub,
      call_enumerate,     (JSResolveOp)call_resolve,
-     call_convert,       JS_FinalizeStub,
+     call_convert,       NULL,
      NULL,               NULL,
      NULL,               NULL,
      NULL,               NULL,
      JS_CLASS_TRACE(args_or_call_trace), call_reserveSlots
  };
+ /* Generic function tinyids. */
+ enum {
+     FUN_ARGUMENTS   = -1,       /* predefined arguments local variable */
+     FUN_LENGTH      = -2,       /* number of actual args, arity if inactive */
+     FUN_ARITY       = -3,       /* number of formal parameters; desired argc */
+     FUN_NAME        = -4,       /* function name, "" if anonymous */
+     FUN_CALLER      = -5        /* Function.prototype.caller, backward compat */
+ };
  static JSBool
  fun_getProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
  {
-Line 1295
+Line 1268
      /*
       * Loop because getter and setter can be delegated from another class,
-      * but loop only for ARGS_LENGTH because we must pretend that f.length
+      * but loop only for FUN_LENGTH because we must pretend that f.length
       * is in each function instance f, per ECMA-262, instead of only in the
       * Function.prototype object (we use JSPROP_PERMANENT with JSPROP_SHARED
       * to make it appear so).
-Line 1305
+Line 1278
       *
       * It's important to allow delegating objects, even though they inherit
       * this getter (fun_getProperty), to override arguments, arity, caller,
-      * and name.  If we didn't return early for slot != ARGS_LENGTH, we would
+      * and name.  If we didn't return early for slot != FUN_LENGTH, we would
       * clobber *vp with the native property value, instead of letting script
       * override that value in delegating objects.
       *
-Line 1315
+Line 1288
       */
      while (!(fun = (JSFunction *)
                     JS_GetInstancePrivate(cx, obj, &js_FunctionClass, NULL))) {
-         if (slot != ARGS_LENGTH)
+         if (slot != FUN_LENGTH)
              return JS_TRUE;
          obj = OBJ_GET_PROTO(cx, obj);
          if (!obj)
-Line 1330
+Line 1303
      }
      switch (slot) {
-       case CALL_ARGUMENTS:
+       case FUN_ARGUMENTS:
          /* Warn if strict about f.arguments or equivalent unqualified uses. */
          if (!JS_ReportErrorFlagsAndNumber(cx,
                                            JSREPORT_WARNING | JSREPORT_STRICT,
-Line 1347
+Line 1320
          }
          break;
-       case ARGS_LENGTH:
+       case FUN_LENGTH:
        case FUN_ARITY:
              *vp = INT_TO_JSVAL((jsint)fun->nargs);
          break;
-Line 1375
+Line 1348
                  return JS_TRUE;
              }
-             *vp = OBJECT_TO_JSVAL(fp->down->callee);
+             JS_ASSERT(fp->down->argv);
+             *vp = fp->down->argv[-2];
          } else {
              *vp = JSVAL_NULL;
          }
-Line 1416
+Line 1390
  #define LENGTH_PROP_ATTRS (JSPROP_READONLY|JSPROP_PERMANENT|JSPROP_SHARED)
  static JSPropertySpec function_props[] = {
-     {js_length_str,    ARGS_LENGTH,    LENGTH_PROP_ATTRS, fun_getProperty, JS_PropertyStub},
+     {js_length_str,    FUN_LENGTH,    LENGTH_PROP_ATTRS, fun_getProperty, JS_PropertyStub},
      {0,0,0,0,0}
  };
-Line 1428
+Line 1402
  /* NB: no sentinel at the end -- use JS_ARRAY_LENGTH to bound loops. */
  static LazyFunctionProp lazy_function_props[] = {
-     {ATOM_OFFSET(arguments), CALL_ARGUMENTS, JSPROP_PERMANENT},
+     {ATOM_OFFSET(arguments), FUN_ARGUMENTS, JSPROP_PERMANENT},
      {ATOM_OFFSET(arity),     FUN_ARITY,      JSPROP_PERMANENT},
      {ATOM_OFFSET(caller),    FUN_CALLER,     JSPROP_PERMANENT},
      {ATOM_OFFSET(name),      FUN_NAME,       JSPROP_PERMANENT},
-Line 1442
+Line 1416
      JSProperty *prop;
      prototypeId = ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom);
-     if (!OBJ_LOOKUP_PROPERTY(cx, obj, prototypeId, &pobj, &prop))
+     if (!obj->lookupProperty(cx, prototypeId, &pobj, &prop))
          return JS_FALSE;
      if (prop)
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      return JS_TRUE;
  }
-Line 1487
+Line 1461
           * Make the prototype object to have the same parent as the function
           * object itself.
           */
-         proto = js_NewObject(cx, &js_ObjectClass, NULL, OBJ_GET_PARENT(cx, obj),
+         proto = js_NewObject(cx, &js_ObjectClass, NULL, OBJ_GET_PARENT(cx, obj));
-);
          if (!proto)
              return JS_FALSE;
-Line 1499
+Line 1472
           * set the former here in fun_resolve, but eagerly define the latter
           * in JS_InitClass, with the right attributes.
           */
-         if (!js_SetClassPrototype(cx, obj, proto,
+         if (!js_SetClassPrototype(cx, obj, proto, JSPROP_PERMANENT))
-                                   JSPROP_ENUMERATE | JSPROP_PERMANENT)) {
-             cx->weakRoots.newborn[GCX_OBJECT] = NULL;
              return JS_FALSE;
-         }
          *objp = obj;
          return JS_TRUE;
      }
-Line 1750
+Line 1721
  fun_hasInstance(JSContext *cx, JSObject *obj, jsval v, JSBool *bp)
  {
      jsval pval;
+     jsid id = ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom);
-     if (!OBJ_GET_PROPERTY(cx, obj,
+     if (!obj->getProperty(cx, id, &pval))
-                           ATOM_TO_JSID(cx->runtime->atomState
-                                        .classPrototypeAtom),
-                           &pval)) {
          return JS_FALSE;
-     }
      if (JSVAL_IS_PRIMITIVE(pval)) {
          /*
-Line 1780
+Line 1747
  static void
  fun_trace(JSTracer *trc, JSObject *obj)
  {
-     JSFunction *fun;
      /* A newborn function object may have a not yet initialized private slot. */
-     fun = (JSFunction *) JS_GetPrivate(trc->context, obj);
+     JSFunction *fun = (JSFunction *) obj->getPrivate();
      if (!fun)
          return;
-Line 1804
+Line 1769
  static void
  fun_finalize(JSContext *cx, JSObject *obj)
  {
-     JSFunction *fun;
      /* Ignore newborn and cloned function objects. */
-     fun = (JSFunction *) JS_GetPrivate(cx, obj);
+     JSFunction *fun = (JSFunction *) obj->getPrivate();
      if (!fun || FUN_OBJECT(fun) != obj)
          return;
-Line 1822
+Line 1785
      }
  }
+ uint32
+ JSFunction::countInterpretedReservedSlots() const
+ {
+     JS_ASSERT(FUN_INTERPRETED(this));
+     uint32 nslots = (u.i.nupvars == 0)
+                     ? 0
+                     : u.i.script->upvars()->length;
+     if (u.i.script->regexpsOffset != 0)
+         nslots += u.i.script->regexps()->length;
+     return nslots;
+ }
  static uint32
  fun_reserveSlots(JSContext *cx, JSObject *obj)
  {
-     JSFunction *fun;
-     uint32 nslots;
      /*
-      * We use JS_GetPrivate and not GET_FUNCTION_PRIVATE because during
+      * We use getPrivate and not GET_FUNCTION_PRIVATE because during
       * js_InitFunctionClass invocation the function is called before the
       * private slot of the function object is set.
       */
-     fun = (JSFunction *) JS_GetPrivate(cx, obj);
+     JSFunction *fun = (JSFunction *) obj->getPrivate();
-     nslots = 0;
+     return (fun && FUN_INTERPRETED(fun))
-     if (fun && FUN_INTERPRETED(fun) && fun->u.i.script) {
+            ? fun->countInterpretedReservedSlots()
-         if (fun->u.i.nupvars != 0)
+            : 0;
-             nslots = JS_SCRIPT_UPVARS(fun->u.i.script)->length;
-         if (fun->u.i.script->regexpsOffset != 0)
-             nslots += JS_SCRIPT_REGEXPS(fun->u.i.script)->length;
-     }
-     return nslots;
  }
  /*
-Line 1929
+Line 1897
  }
  #endif
- JS_REQUIRES_STACK JSBool
+ JSBool
  js_fun_call(JSContext *cx, uintN argc, jsval *vp)
  {
      JSObject *obj;
-Line 1938
+Line 1906
      void *mark;
      JSBool ok;
+     js_LeaveTrace(cx);
      obj = JS_THIS_OBJECT(cx, vp);
-     if (!obj || !OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_FUNCTION, &vp[1]))
+     if (!obj || !obj->defaultValue(cx, JSTYPE_FUNCTION, &vp[1]))
          return JS_FALSE;
      fval = vp[1];
-Line 1988
+Line 1958
      return ok;
  }
- JS_REQUIRES_STACK JSBool
+ JSBool
  js_fun_apply(JSContext *cx, uintN argc, jsval *vp)
  {
      JSObject *obj, *aobj;
-Line 2004
+Line 1974
          return js_fun_call(cx, argc, vp);
      }
+     js_LeaveTrace(cx);
      obj = JS_THIS_OBJECT(cx, vp);
-     if (!obj || !OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_FUNCTION, &vp[1]))
+     if (!obj || !obj->defaultValue(cx, JSTYPE_FUNCTION, &vp[1]))
          return JS_FALSE;
      fval = vp[1];
-Line 2055
+Line 2027
          return JS_FALSE;
      /* Allocate stack space for fval, obj, and the args. */
-     argc = (uintN)JS_MIN(length, ARRAY_INIT_LIMIT - 1);
+     argc = (uintN)JS_MIN(length, JS_ARGS_LENGTH_MAX);
      invokevp = js_AllocStack(cx, 2 + argc, &mark);
      if (!invokevp)
          return JS_FALSE;
-Line 2100
+Line 2072
      if (!js_GetLengthProperty(cx, aobj, &length))
          return JS_FALSE;
-     if (length >= ARRAY_INIT_LIMIT)
+     if (length > JS_ARGS_LENGTH_MAX)
-         length = ARRAY_INIT_LIMIT - 1;
+         length = JS_ARGS_LENGTH_MAX;
      invokevp = js_AllocStack(cx, 2 + length, &mark);
      if (!invokevp)
          return JS_FALSE;
-Line 2148
+Line 2120
      const char *filename;
      JSBool ok;
      JSString *str, *arg;
-     JSTokenStream ts;
+     JSTokenStream ts(cx);
      JSPrincipals *principals;
      jschar *collected_args, *cp;
      void *mark;
-Line 2156
+Line 2128
      JSTokenType tt;
      if (!JS_IsConstructing(cx)) {
-         obj = js_NewObject(cx, &js_FunctionClass, NULL, NULL, 0);
+         obj = js_NewObject(cx, &js_FunctionClass, NULL, NULL);
          if (!obj)
              return JS_FALSE;
          *rval = OBJECT_TO_JSVAL(obj);
      } else {
          /*
           * The constructor is called before the private slot is initialized so
-          * we must use JS_GetPrivate, not GET_FUNCTION_PRIVATE here.
+          * we must use getPrivate, not GET_FUNCTION_PRIVATE here.
           */
-         if (JS_GetPrivate(cx, obj))
+         if (obj->getPrivate())
              return JS_TRUE;
      }
-Line 2240
+Line 2212
               * JSString length fits in 2 fewer bits than size_t has.
               */
              old_args_length = args_length;
-             args_length = old_args_length + JSSTRING_LENGTH(arg);
+             args_length = old_args_length + arg->length();
              if (args_length < old_args_length) {
                  js_ReportAllocationOverflow(cx);
                  return JS_FALSE;
-Line 2275
+Line 2247
           */
          for (i = 0; i < n; i++) {
              arg = JSVAL_TO_STRING(argv[i]);
-             arg_length = JSSTRING_LENGTH(arg);
+             arg_length = arg->length();
-             (void) js_strncpy(cp, JSSTRING_CHARS(arg), arg_length);
+             (void) js_strncpy(cp, arg->chars(), arg_length);
              cp += arg_length;
              /* Add separating comma or terminating 0. */
-Line 2284
+Line 2256
          }
          /* Initialize a tokenstream that reads from the given string. */
-         if (!js_InitTokenStream(cx, &ts, collected_args, args_length,
+         if (!ts.init(cx, collected_args, args_length, NULL, filename, lineno)) {
-                                 NULL, filename, lineno)) {
              JS_ARENA_RELEASE(&cx->tempPool, mark);
              return JS_FALSE;
          }
-Line 2348
+Line 2319
              JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                                   JSMSG_BAD_FORMAL);
          }
-         js_CloseTokenStream(cx, &ts);
+         ts.close(cx);
          JS_ARENA_RELEASE(&cx->tempPool, mark);
          if (state != OK)
              return JS_FALSE;
-Line 2364
+Line 2335
      }
      return JSCompiler::compileFunctionBody(cx, fun, principals,
-                                            JSSTRING_CHARS(str), JSSTRING_LENGTH(str),
+                                            str->chars(), str->length(),
                                             filename, lineno);
  }
-Line 2380
+Line 2351
          return NULL;
      fun = js_NewFunction(cx, proto, NULL, 0, JSFUN_INTERPRETED, obj, NULL);
      if (!fun)
-         goto bad;
+         return NULL;
      fun->u.i.script = js_NewScript(cx, 1, 1, 0, 0, 0, 0, 0);
      if (!fun->u.i.script)
-         goto bad;
+         return NULL;
      fun->u.i.script->code[0] = JSOP_STOP;
-     *SCRIPT_NOTES(fun->u.i.script) = SRC_NULL;
+     *fun->u.i.script->notes() = SRC_NULL;
  #ifdef CHECK_SCRIPT_OWNER
      fun->u.i.script->owner = NULL;
  #endif
      return proto;
- bad:
-     cx->weakRoots.newborn[GCX_OBJECT] = NULL;
-     return NULL;
  }
  JSFunction *
-Line 2406
+Line 2373
          JS_ASSERT(HAS_FUNCTION_CLASS(funobj));
          OBJ_SET_PARENT(cx, funobj, parent);
      } else {
-         funobj = js_NewObject(cx, &js_FunctionClass, NULL, parent, 0);
+         funobj = js_NewObject(cx, &js_FunctionClass, NULL, parent);
          if (!funobj)
              return NULL;
      }
-     JS_ASSERT(JSVAL_IS_VOID(funobj->fslots[JSSLOT_PRIVATE]));
+     JS_ASSERT(!funobj->getPrivate());
      fun = (JSFunction *) funobj;
      /* Initialize all function members. */
      fun->nargs = nargs;
-     fun->flags = flags & (JSFUN_FLAGS_MASK | JSFUN_KINDMASK | JSFUN_TRACEABLE);
+     fun->flags = flags & (JSFUN_FLAGS_MASK | JSFUN_KINDMASK | JSFUN_TRCINFO);
      if ((flags & JSFUN_KINDMASK) >= JSFUN_INTERPRETED) {
          JS_ASSERT(!native);
          JS_ASSERT(nargs == 0);
-Line 2431
+Line 2398
          fun->u.n.extra = 0;
          fun->u.n.spare = 0;
          fun->u.n.clasp = NULL;
-         if (flags & JSFUN_TRACEABLE) {
+         if (flags & JSFUN_TRCINFO) {
  #ifdef JS_TRACER
-             JSTraceableNative *trcinfo =
+             JSNativeTraceInfo *trcinfo =
-                 JS_FUNC_TO_DATA_PTR(JSTraceableNative *, native);
+                 JS_FUNC_TO_DATA_PTR(JSNativeTraceInfo *, native);
              fun->u.n.native = (JSNative) trcinfo->native;
              fun->u.n.trcinfo = trcinfo;
  #else
-Line 2449
+Line 2416
      fun->atom = atom;
      /* Set private to self to indicate non-cloned fully initialized function. */
-     FUN_OBJECT(fun)->fslots[JSSLOT_PRIVATE] = PRIVATE_TO_JSVAL(fun);
+     FUN_OBJECT(fun)->setPrivate(fun);
      return fun;
  }
-Line 2460
+Line 2427
       * The cloned function object does not need the extra JSFunction members
       * beyond JSObject as it points to fun via the private slot.
       */
-     JSObject *clone = js_NewObject(cx, &js_FunctionClass, NULL, parent,
+     JSObject *clone = js_NewObject(cx, &js_FunctionClass, NULL, parent, sizeof(JSObject));
-                                    sizeof(JSObject));
      if (!clone)
          return NULL;
-     clone->fslots[JSSLOT_PRIVATE] = PRIVATE_TO_JSVAL(fun);
+     clone->setPrivate(fun);
      return clone;
  }
- JSObject *
+ /*
- js_NewFlatClosure(JSContext *cx, JSFunction *fun)
+  * Create a new flat closure, but don't initialize the imported upvar
+  * values. The tracer calls this function and then initializes the upvar
+  * slots on trace.
+  */
+ JSObject * JS_FASTCALL
+ js_AllocFlatClosure(JSContext *cx, JSFunction *fun, JSObject *scopeChain)
  {
      JS_ASSERT(FUN_FLAT_CLOSURE(fun));
+     JS_ASSERT((fun->u.i.script->upvarsOffset
+                ? fun->u.i.script->upvars()->length
+                : 0) == fun->u.i.nupvars);
-     JSObject *closure = js_CloneFunctionObject(cx, fun, cx->fp->scopeChain);
+     JSObject *closure = js_CloneFunctionObject(cx, fun, scopeChain);
-     if (!closure || fun->u.i.script->upvarsOffset == 0)
+     if (!closure)
          return closure;
-     uint32 nslots = JSSLOT_FREE(&js_FunctionClass);
+     uint32 nslots = fun->countInterpretedReservedSlots();
-     JS_ASSERT(nslots == JS_INITIAL_NSLOTS);
+     if (!nslots)
-     nslots += fun_reserveSlots(cx, closure);
+         return closure;
-     if (!js_ReallocSlots(cx, closure, nslots, JS_TRUE))
+     if (!js_EnsureReservedSlots(cx, closure, nslots))
          return NULL;
-     JSUpvarArray *uva = JS_SCRIPT_UPVARS(fun->u.i.script);
+     return closure;
+ }
+ JS_DEFINE_CALLINFO_3(extern, OBJECT, js_AllocFlatClosure,
+                      CONTEXT, FUNCTION, OBJECT, 0, 0)
+ JSObject *
+ js_NewFlatClosure(JSContext *cx, JSFunction *fun)
+ {
+     JSObject *closure = js_AllocFlatClosure(cx, fun, cx->fp->scopeChain);
+     if (!closure || fun->u.i.nupvars == 0)
+         return closure;
+     JSUpvarArray *uva = fun->u.i.script->upvars();
      JS_ASSERT(uva->length <= size_t(closure->dslots[-1]));
      uintN level = fun->u.i.script->staticLevel;
-Line 2524
+Line 2511
      fun = js_NewFunction(cx, NULL, native, nargs, attrs, obj, atom);
      if (!fun)
          return NULL;
-     if (!OBJ_DEFINE_PROPERTY(cx, obj, ATOM_TO_JSID(atom),
+     if (!obj->defineProperty(cx, ATOM_TO_JSID(atom), OBJECT_TO_JSVAL(FUN_OBJECT(fun)),
-                              OBJECT_TO_JSVAL(FUN_OBJECT(fun)),
+                              gsop, gsop, attrs & ~JSFUN_FLAGS_MASK)) {
-                              gsop, gsop,
-                              attrs & ~JSFUN_FLAGS_MASK, NULL)) {
          return NULL;
      }
      return fun;
-Line 2548
+Line 2533
      if (JSVAL_IS_OBJECT(v)) {
          obj = JSVAL_TO_OBJECT(v);
          if (obj && OBJ_GET_CLASS(cx, obj) != &js_FunctionClass) {
-             if (!OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_FUNCTION, &v))
+             if (!obj->defaultValue(cx, JSTYPE_FUNCTION, &v))
                  return NULL;
              obj = VALUE_IS_FUNCTION(cx, v) ? JSVAL_TO_OBJECT(v) : NULL;
          }
-Line 2619
+Line 2604
      if (flags & JSV2F_ITERATOR) {
          error = JSMSG_BAD_ITERATOR;
          name = js_iterator_str;
-         tvr.u.string = js_ValueToSource(cx, *vp);
+         JSString *src = js_ValueToSource(cx, *vp);
-         if (!tvr.u.string)
+         if (!src)
              goto out;
-         tvr.u.string = js_QuoteString(cx, tvr.u.string, 0);
+         tvr.u.value = STRING_TO_JSVAL(src);
-         if (!tvr.u.string)
+         JSString *qsrc = js_QuoteString(cx, src, 0);
+         if (!qsrc)
              goto out;
-         source = js_GetStringBytes(cx, tvr.u.string);
+         tvr.u.value = STRING_TO_JSVAL(qsrc);
+         source = js_GetStringBytes(cx, qsrc);
          if (!source)
              goto out;
      } else if (flags & JSV2F_CONSTRUCT) {
-Line 2695
+Line 2682
      for (dup = map->lastdup; dup; dup = next) {
          next = dup->link;
-         JS_free(cx, dup);
+         cx->free(dup);
      }
      JS_DHashTableFinish(&map->names);
-     JS_free(cx, map);
+     cx->free(map);
  }
  static JSBool
-Line 2725
+Line 2712
      }
      if (entry->name) {
          JS_ASSERT(entry->name == name);
-         JS_ASSERT(entry->localKind == JSLOCAL_ARG);
+         JS_ASSERT(entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG);
-         dup = (JSNameIndexPair *) JS_malloc(cx, sizeof *dup);
+         dup = (JSNameIndexPair *) cx->malloc(sizeof *dup);
          if (!dup)
              return JS_FALSE;
          dup->name = entry->name;
-Line 2772
+Line 2759
          if (n > 1) {
              array = fun->u.i.names.array;
          } else {
-             array = (jsuword *) JS_malloc(cx, MAX_ARRAY_LOCALS * sizeof *array);
+             array = (jsuword *) cx->malloc(MAX_ARRAY_LOCALS * sizeof *array);
              if (!array)
                  return JS_FALSE;
              array[0] = fun->u.i.names.taggedAtom;
-Line 2797
+Line 2784
          }
      } else if (n == MAX_ARRAY_LOCALS) {
          array = fun->u.i.names.array;
-         map = (JSLocalNameMap *) JS_malloc(cx, sizeof *map);
+         map = (JSLocalNameMap *) cx->malloc(sizeof *map);
          if (!map)
              return JS_FALSE;
          if (!JS_DHashTableInit(&map->names, JS_DHashGetStubOps(),
-Line 2805
+Line 2792
                                 JS_DHASH_DEFAULT_CAPACITY(MAX_ARRAY_LOCALS
                                                           * 2))) {
              JS_ReportOutOfMemory(cx);
-             JS_free(cx, map);
+             cx->free(map);
              return JS_FALSE;
          }
-Line 2838
+Line 2825
           * to replace fun->u.i.names with the built map.
           */
          fun->u.i.names.map = map;
-         JS_free(cx, array);
+         cx->free(array);
      } else {
          if (*indexp == JS_BITMASK(16)) {
              JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
-Line 2949
+Line 2936
      return JS_DHASH_NEXT;
  }
- jsuword *
+ JS_FRIEND_API(jsuword *)
  js_GetLocalNameArray(JSContext *cx, JSFunction *fun, JSArenaPool *pool)
  {
      uintN n;
-Line 3060
+Line 3047
      if (n <= 1)
          return;
      if (n <= MAX_ARRAY_LOCALS)
-         JS_free(cx, fun->u.i.names.array);
+         cx->free(fun->u.i.names.array);
      else
          FreeLocalNameHash(cx, fun->u.i.names.map);
  }
-Line 3076
+Line 3063
      n = fun->nargs + fun->u.i.nvars + fun->u.i.nupvars;
      if (2 <= n && n < MAX_ARRAY_LOCALS) {
          /* Shrink over-allocated array ignoring realloc failures. */
-         array = (jsuword *) JS_realloc(cx, fun->u.i.names.array,
+         array = (jsuword *) cx->realloc(fun->u.i.names.array,
-                                        n * sizeof *array);
+                                         n * sizeof *array);
          if (array)
              fun->u.i.names.array = array;
      }
  #ifdef DEBUG
- // XXX no JS_DHashMarkTableImmutable on 1.9.1
+     if (n > MAX_ARRAY_LOCALS)
- //    if (n > MAX_ARRAY_LOCALS)
+         JS_DHashMarkTableImmutable(&fun->u.i.names.map->names);
- //        JS_DHashMarkTableImmutable(&fun->u.i.names.map->names);
  #endif
  }

 Legend:



Removed from v.506
 


changed lines


 
Added in v.507
 Legend:



Removed from v.506
 


changed lines


 
Added in v.507
-Removed from v.506
+Added in v.507

	ViewVC Help
Powered by ViewVC 1.1.24