/[jscoverage]/trunk/js/jsobj.cpp

Diff of /trunk/js/jsobj.cpp

Parent Directory | Revision Log | View Patch Patch

-revision 459 by siliconforks,
Tue Dec  9 03:37:47 2008 UTC
+revision 460 by siliconforks,
Sat Sep 26 23:15:22 2009 UTC
 Line 1
  /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
-  * vim: set ts=8 sw=4 et tw=78:
+  * vim: set ts=8 sw=4 et tw=79:
   *
   * ***** BEGIN LICENSE BLOCK *****
   * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 Line 69
  #include "jsparse.h"
  #include "jsscope.h"
  #include "jsscript.h"
- #include "jsstr.h"
- #include "jsdbgapi.h"   /* whether or not JS_HAS_OBJ_WATCHPOINT */
  #include "jsstaticcheck.h"
+ #include "jsstr.h"
+ #include "jstracer.h"
+ #include "jsdbgapi.h"
  #if JS_HAS_GENERATORS
  #include "jsiter.h"
-Line 101
+Line 102
  #endif
  JS_FRIEND_DATA(JSObjectOps) js_ObjectOps = {
-     js_NewObjectMap,        js_DestroyObjectMap,
+     NULL,
      js_LookupProperty,      js_DefineProperty,
      js_GetProperty,         js_SetProperty,
      js_GetAttributes,       js_SetAttributes,
-Line 109
+Line 110
      js_Enumerate,           js_CheckAccess,
      NULL,                   NATIVE_DROP_PROPERTY,
      js_Call,                js_Construct,
-     NULL,                   js_HasInstance,
+     js_HasInstance,         js_TraceObject,
-     js_SetProtoOrParent,    js_SetProtoOrParent,
+     js_Clear,               js_GetRequiredSlot,
-     js_TraceObject,         js_Clear,
+     js_SetRequiredSlot
-     js_GetRequiredSlot,     js_SetRequiredSlot
  };
  JSClass js_ObjectClass = {
 Line 169
      uintN attrs;
      JSObject *pobj;
      JSClass *clasp;
-     JSExtendedClass *xclasp;
      slot = (uint32) JSVAL_TO_INT(id);
      if (id == INT_TO_JSVAL(JSSLOT_PROTO)) {
-Line 190
+Line 189
          if (clasp == &js_CallClass || clasp == &js_BlockClass) {
              /* Censor activations and lexical scopes per ECMA-262. */
              *vp = JSVAL_NULL;
-         } else if (clasp->flags & JSCLASS_IS_EXTENDED) {
+         } else {
-             xclasp = (JSExtendedClass *) clasp;
+             /*
-             if (xclasp->outerObject) {
+              * DeclEnv only exists as a parent for a Call object which we
-                 pobj = xclasp->outerObject(cx, pobj);
+              * censor. So it cannot escape to scripts.
+              */
+             JS_ASSERT(clasp != &js_DeclEnvClass);
+             if (pobj->map->ops->thisObject) {
+                 pobj = pobj->map->ops->thisObject(cx, pobj);
                  if (!pobj)
                      return JS_FALSE;
                  *vp = OBJECT_TO_JSVAL(pobj);
-Line 237
+Line 240
          return JS_FALSE;
      }
-     return js_SetProtoOrParent(cx, obj, slot, pobj);
+     return js_SetProtoOrParent(cx, obj, slot, pobj, JS_TRUE);
  }
  static JSBool
-Line 276
+Line 279
  #endif /* !JS_HAS_OBJ_PROTO_PROP */
  JSBool
- js_SetProtoOrParent(JSContext *cx, JSObject *obj, uint32 slot, JSObject *pobj)
+ js_SetProtoOrParent(JSContext *cx, JSObject *obj, uint32 slot, JSObject *pobj,
+                     JSBool checkForCycles)
  {
-     JSSetSlotRequest ssr;
+     JS_ASSERT(slot == JSSLOT_PARENT || slot == JSSLOT_PROTO);
-     JSRuntime *rt;
+     JS_ASSERT_IF(!checkForCycles, obj != pobj);
-     /* Optimize the null case to avoid the unnecessary overhead of js_GC. */
+     if (slot == JSSLOT_PROTO) {
-     if (!pobj) {
+         if (OBJ_IS_NATIVE(obj)) {
-         JS_LOCK_OBJ(cx, obj);
+             JS_LOCK_OBJ(cx, obj);
-         if (slot == JSSLOT_PROTO && !js_GetMutableScope(cx, obj)) {
+             bool ok = !!js_GetMutableScope(cx, obj);
              JS_UNLOCK_OBJ(cx, obj);
-             return JS_FALSE;
+             if (!ok)
+                 return JS_FALSE;
+         }
+         /*
+          * Regenerate property cache shape ids for all of the scopes along the
+          * old prototype chain to invalidate their property cache entries, in
+          * case any entries were filled by looking up starting from obj.
+          */
+         JSObject *oldproto = obj;
+         while (oldproto && OBJ_IS_NATIVE(oldproto)) {
+             JS_LOCK_OBJ(cx, oldproto);
+             JSScope *scope = OBJ_SCOPE(oldproto);
+             js_MakeScopeShapeUnique(cx, scope);
+             JSObject *tmp = STOBJ_GET_PROTO(scope->object);
+             JS_UNLOCK_OBJ(cx, oldproto);
+             oldproto = tmp;
          }
-         LOCKED_OBJ_SET_SLOT(obj, slot, JSVAL_NULL);
-         JS_UNLOCK_OBJ(cx, obj);
-         return JS_TRUE;
      }
-     ssr.obj = obj;
+     if (!pobj || !checkForCycles) {
-     ssr.pobj = pobj;
+         if (slot == JSSLOT_PROTO)
-     ssr.slot = (uint16) slot;
+             STOBJ_SET_PROTO(obj, pobj);
-     ssr.errnum = (uint16) JSMSG_NOT_AN_ERROR;
+         else
+             STOBJ_SET_PARENT(obj, pobj);
-     rt = cx->runtime;
+     } else {
-     JS_LOCK_GC(rt);
+         /*
-     ssr.next = rt->setSlotRequests;
+          * Use the GC machinery to serialize access to all objects on the
-     rt->setSlotRequests = &ssr;
+          * prototype or parent chain.
-     for (;;) {
+          */
-         js_GC(cx, GC_SET_SLOT_REQUEST);
+         JSSetSlotRequest ssr;
-         JS_UNLOCK_GC(rt);
+         ssr.obj = obj;
-         if (!rt->setSlotRequests)
+         ssr.pobj = pobj;
-             break;
+         ssr.slot = (uint16) slot;
+         ssr.cycle = false;
+         JSRuntime *rt = cx->runtime;
          JS_LOCK_GC(rt);
-     }
+         ssr.next = rt->setSlotRequests;
+         rt->setSlotRequests = &ssr;
+         for (;;) {
+             js_GC(cx, GC_SET_SLOT_REQUEST);
+             JS_UNLOCK_GC(rt);
+             if (!rt->setSlotRequests)
+                 break;
+             JS_LOCK_GC(rt);
+         }
-     if (ssr.errnum != JSMSG_NOT_AN_ERROR) {
+         if (ssr.cycle) {
-         if (ssr.errnum == JSMSG_OUT_OF_MEMORY) {
+             JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
-             JS_ReportOutOfMemory(cx);
+                                  JSMSG_CYCLIC_VALUE,
-         } else {
-             JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, ssr.errnum,
  #if JS_HAS_OBJ_PROTO_PROP
                                   object_props[slot].name
  #else
-Line 322
+Line 348
                                                          : js_parent_str
  #endif
                                   );
+             return JS_FALSE;
          }
-         return JS_FALSE;
-     }
-     // Maintain the "any Array prototype has indexed properties hazard" flag.
-     if (slot == JSSLOT_PROTO &&
-         OBJ_IS_ARRAY(cx, pobj) &&
-         pobj->fslots[JSSLOT_ARRAY_LENGTH] != 0) {
-         rt->anyArrayProtoHasElement = JS_TRUE;
      }
      return JS_TRUE;
  }
-Line 363
+Line 382
      JS_CHECK_RECURSION(cx, return NULL);
      map = &cx->sharpObjectMap;
+     JS_ASSERT(map->depth >= 1);
      table = map->table;
      hash = js_hash_object(obj);
      hep = JS_HashTableRawLookup(table, hash, obj);
-Line 376
+Line 396
              return NULL;
          }
-         /*
-          * Increment map->depth to protect js_EnterSharpObject from reentering
-          * itself badly.  Without this fix, if we reenter the basis case where
-          * map->depth == 0, when unwinding the inner call we will destroy the
-          * newly-created hash table and crash.
-          */
-         ++map->depth;
          ida = JS_Enumerate(cx, obj);
-         --map->depth;
          if (!ida)
              return NULL;
-Line 401
+Line 413
              if (ok) {
                  if (OBJ_IS_NATIVE(obj2) &&
                      (attrs & (JSPROP_GETTER | JSPROP_SETTER))) {
+                     JSScopeProperty *sprop = (JSScopeProperty *) prop;
                      val = JSVAL_NULL;
                      if (attrs & JSPROP_GETTER)
-                         val = (jsval) ((JSScopeProperty*)prop)->getter;
+                         val = js_CastAsObjectJSVal(sprop->getter);
                      if (attrs & JSPROP_SETTER) {
                          if (val != JSVAL_NULL) {
                              /* Mark the getter, then set val to setter. */
-Line 411
+Line 424
                                                     NULL)
                                    != NULL);
                          }
-                         val = (jsval) ((JSScopeProperty*)prop)->setter;
+                         val = js_CastAsObjectJSVal(sprop->setter);
                      }
                  } else {
                      ok = OBJ_GET_PROPERTY(cx, obj, id, &val);
-Line 459
+Line 472
      char buf[20];
      size_t len;
-     if (!JS_CHECK_OPERATION_LIMIT(cx, JSOW_ENTER_SHARP))
+     if (!JS_CHECK_OPERATION_LIMIT(cx))
          return NULL;
      /* Set to null in case we return an early error. */
-Line 480
+Line 493
      /* From this point the control must flow either through out: or bad:. */
      ida = NULL;
      if (map->depth == 0) {
+         /*
+          * Although MarkSharpObjects tries to avoid invoking getters,
+          * it ends up doing so anyway under some circumstances; for
+          * example, if a wrapped object has getters, the wrapper will
+          * prevent MarkSharpObjects from recognizing them as such.
+          * This could lead to js_LeaveSharpObject being called while
+          * MarkSharpObjects is still working.
+          *
+          * Increment map->depth while we call MarkSharpObjects, to
+          * ensure that such a call doesn't free the hash table we're
+          * still using.
+          */
+         ++map->depth;
          he = MarkSharpObjects(cx, obj, &ida);
+         --map->depth;
          if (!he)
              goto bad;
          JS_ASSERT((JS_PTR_TO_UINT32(he->value) & SHARP_BIT) == 0);
-Line 752
+Line 779
              }
              if (OBJ_IS_NATIVE(obj2) &&
                  (attrs & (JSPROP_GETTER | JSPROP_SETTER))) {
+                 JSScopeProperty *sprop = (JSScopeProperty *) prop;
                  if (attrs & JSPROP_GETTER) {
-                     val[valcnt] = (jsval) ((JSScopeProperty *)prop)->getter;
+                     val[valcnt] = js_CastAsObjectJSVal(sprop->getter);
                      gsopold[valcnt] =
                          ATOM_TO_STRING(cx->runtime->atomState.getterAtom);
                      gsop[valcnt] =
-Line 762
+Line 790
                      valcnt++;
                  }
                  if (attrs & JSPROP_SETTER) {
-                     val[valcnt] = (jsval) ((JSScopeProperty *)prop)->setter;
+                     val[valcnt] = js_CastAsObjectJSVal(sprop->setter);
                      gsopold[valcnt] =
                          ATOM_TO_STRING(cx->runtime->atomState.setterAtom);
                      gsop[valcnt] =
-Line 1082
+Line 1110
      return !JSVAL_IS_NULL(*vp);
  }
+ #ifdef JS_TRACER
+ static jsval FASTCALL
+ Object_p_valueOf(JSContext* cx, JSObject* obj, JSString *hint)
+ {
+     return OBJECT_TO_JSVAL(obj);
+ }
+ #endif
  /*
   * Check whether principals subsumes scopeobj's principals, and return true
   * if so (or if scopeobj has no principals, for backward compatibility with
-Line 1167
+Line 1203
          return principals->codebase;
      }
-     if (caller->regs && *caller->regs->pc == JSOP_EVAL) {
+     jsbytecode *pc = caller->regs->pc;
-         JS_ASSERT(caller->regs->pc[JSOP_EVAL_LENGTH] == JSOP_LINENO);
+     if (caller->regs && js_GetOpcode(cx, caller->script, pc) == JSOP_EVAL) {
-         *linenop = GET_UINT16(caller->regs->pc + JSOP_EVAL_LENGTH);
+         JS_ASSERT(js_GetOpcode(cx, caller->script, pc + JSOP_EVAL_LENGTH) == JSOP_LINENO);
+         *linenop = GET_UINT16(pc + JSOP_EVAL_LENGTH);
      } else {
          *linenop = js_FramePCToLineNumber(cx, caller);
      }
      return caller->script->filename;
  }
+ #ifndef EVAL_CACHE_CHAIN_LIMIT
+ # define EVAL_CACHE_CHAIN_LIMIT 4
+ #endif
+ static inline JSScript **
+ EvalCacheHash(JSContext *cx, JSString *str)
+ {
+     const jschar *s;
+     size_t n;
+     uint32 h;
+     JSSTRING_CHARS_AND_LENGTH(str, s, n);
+     if (n > 100)
+         n = 100;
+     for (h = 0; n; s++, n--)
+         h = JS_ROTATE_LEFT32(h, 4) ^ *s;
+     h *= JS_GOLDEN_RATIO;
+     h >>= 32 - JS_EVAL_CACHE_SHIFT;
+     return &JS_SCRIPTS_TO_GC(cx)[h];
+ }
  static JSBool
  obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
  {
      JSStackFrame *fp, *caller;
      JSBool indirectCall;
-     JSObject *scopeobj;
+     uint32 tcflags;
-     JSString *str;
+     JSPrincipals *principals;
      const char *file;
      uintN line;
-     JSPrincipals *principals;
+     JSString *str;
-     uint32 tcflags;
      JSScript *script;
      JSBool ok;
+     JSScript **bucket = NULL;   /* avoid GCC warning with early decl&init */
  #if JS_HAS_EVAL_THIS_SCOPE
      JSObject *callerScopeChain = NULL, *callerVarObj = NULL;
      JSObject *setCallerScopeChain = NULL;
      JSBool setCallerVarObj = JS_FALSE;
  #endif
-     fp = cx->fp;
+     fp = js_GetTopStackFrame(cx);
-     caller = JS_GetScriptedCaller(cx, fp);
+     caller = js_GetScriptedCaller(cx, fp);
      indirectCall = (caller && caller->regs && *caller->regs->pc != JSOP_EVAL);
      /*
+      * This call to js_GetWrappedObject is safe because of the security checks
+      * we do below. However, the control flow below is confusing, so we double
+      * check. There are two cases:
+      * - Direct call: This object is never used. So unwrapping can't hurt.
+      * - Indirect call: If this object isn't already the scope chain (which
+      *   we're guaranteed to be allowed to access) then we do a security
+      *   check.
+      */
+     obj = js_GetWrappedObject(cx, obj);
+     /*
       * Ban all indirect uses of eval (global.foo = eval; global.foo(...)) and
       * calls that attempt to use a non-global object as the "with" object in
       * the former indirect case.
       */
-     scopeobj = OBJ_GET_PARENT(cx, obj);
+     {
-     if (scopeobj) {
+         JSObject *parent = OBJ_GET_PARENT(cx, obj);
-         scopeobj = js_GetWrappedObject(cx, obj);
+         if (indirectCall || parent) {
-         scopeobj = OBJ_GET_PARENT(cx, scopeobj);
+             uintN flags = parent
-     }
+                           ? JSREPORT_ERROR
-     if (indirectCall || scopeobj) {
+                           : JSREPORT_STRICT | JSREPORT_WARNING;
-         uintN flags = scopeobj
+             if (!JS_ReportErrorFlagsAndNumber(cx, flags, js_GetErrorMessage, NULL,
-                       ? JSREPORT_ERROR
+                                               JSMSG_BAD_INDIRECT_CALL,
-                       : JSREPORT_STRICT | JSREPORT_WARNING;
+                                               js_eval_str)) {
-         if (!JS_ReportErrorFlagsAndNumber(cx, flags, js_GetErrorMessage, NULL,
+                 return JS_FALSE;
-                                           JSMSG_BAD_INDIRECT_CALL,
+             }
-                                           js_eval_str)) {
-             return JS_FALSE;
          }
      }
-Line 1230
+Line 1298
       * object, then we need to provide one for the compiler to stick any
       * declared (var) variables into.
       */
-     if (caller && !caller->varobj && !js_GetCallObject(cx, caller, NULL))
+     if (caller && !caller->varobj && !js_GetCallObject(cx, caller))
          return JS_FALSE;
-     /* eval no longer takes an optional trailing argument. */
+     /* Accept an optional trailing argument that overrides the scope object. */
-     if (argc >= 2 &&
+     JSObject *scopeobj = NULL;
-         !JS_ReportErrorFlagsAndNumber(cx, JSREPORT_WARNING | JSREPORT_STRICT,
+     if (argc >= 2) {
-                                       js_GetErrorMessage, NULL,
+         if (!js_ValueToObject(cx, argv[1], &scopeobj))
-                                       JSMSG_EVAL_ARITY)) {
+             return JS_FALSE;
-         return JS_FALSE;
+         argv[1] = OBJECT_TO_JSVAL(scopeobj);
      }
      /* From here on, control must exit through label out with ok set. */
-Line 1259
+Line 1327
              }
              if (obj != callerScopeChain) {
                  ok = js_CheckPrincipalsAccess(cx, obj,
-                                               caller->script->principals,
+                                               JS_StackFramePrincipals(cx, caller),
                                                cx->runtime->atomState.evalAtom);
                  if (!ok)
                      goto out;
-Line 1299
+Line 1367
                  goto out;
              }
          }
+     } else {
+         scopeobj = js_GetWrappedObject(cx, scopeobj);
+         OBJ_TO_INNER_OBJECT(cx, scopeobj);
+         if (!scopeobj) {
+             ok = JS_FALSE;
+             goto out;
+         }
+         ok = js_CheckPrincipalsAccess(cx, scopeobj,
+                                       JS_StackFramePrincipals(cx, caller),
+                                       cx->runtime->atomState.evalAtom);
+         if (!ok)
+             goto out;
+         scopeobj = js_NewWithObject(cx, scopeobj,
+                                     JS_GetGlobalForObject(cx, scopeobj), -1);
+         if (!scopeobj) {
+             ok = JS_FALSE;
+             goto out;
+         }
+         argv[1] = OBJECT_TO_JSVAL(scopeobj);
      }
      /* Ensure we compile this eval with the right object in the scope chain. */
-Line 1308
+Line 1396
          goto out;
      }
-     str = JSVAL_TO_STRING(argv[0]);
+     tcflags = TCF_COMPILE_N_GO;
      if (caller) {
+         tcflags |= TCF_PUT_STATIC_LEVEL(caller->script->staticLevel + 1);
          principals = JS_EvalFramePrincipals(cx, fp, caller);
          file = js_ComputeFilename(cx, caller, principals, &line);
      } else {
+         principals = NULL;
          file = NULL;
          line = 0;
-         principals = NULL;
      }
-     tcflags = TCF_COMPILE_N_GO;
+     str = JSVAL_TO_STRING(argv[0]);
-     if (caller)
+     script = NULL;
-         tcflags |= TCF_PUT_STATIC_DEPTH(caller->script->staticDepth + 1);
-     script = js_CompileScript(cx, scopeobj, caller, principals, tcflags,
+     /* Cache local eval scripts indexed by source qualified by scope. */
-                               JSSTRING_CHARS(str), JSSTRING_LENGTH(str),
+     bucket = EvalCacheHash(cx, str);
-                               NULL, file, line);
+     if (caller->fun) {
+         uintN count = 0;
+         JSScript **scriptp = bucket;
+         EVAL_CACHE_METER(probe);
+         while ((script = *scriptp) != NULL) {
+             if ((script->flags & JSSF_SAVED_CALLER_FUN) &&
+                 script->version == cx->version &&
+                 (script->principals == principals ||
+                  (principals->subsume(principals, script->principals) &&
+                   script->principals->subsume(script->principals, principals)))) {
+                 /*
+                  * Get the prior (cache-filling) eval's saved caller function.
+                  * See JSCompiler::compileScript in jsparse.cpp.
+                  */
+                 JSFunction *fun;
+                 JS_GET_SCRIPT_FUNCTION(script, 0, fun);
+                 if (fun == caller->fun) {
+                     /*
+                      * Get the source string passed for safekeeping in the
+                      * atom map by the prior eval to JSCompiler::compileScript.
+                      */
+                     JSString *src = ATOM_TO_STRING(script->atomMap.vector[0]);
+                     if (src == str || js_EqualStrings(src, str)) {
+                         /*
+                          * Source matches, qualify by comparing scopeobj to the
+                          * COMPILE_N_GO-memoized parent of the first literal
+                          * function or regexp object if any. If none, then this
+                          * script has no compiled-in dependencies on the prior
+                          * eval's scopeobj.
+                          */
+                         JSObjectArray *objarray = JS_SCRIPT_OBJECTS(script);
+                         int i = 1;
+                         if (objarray->length == 1) {
+                             if (script->regexpsOffset != 0) {
+                                 objarray = JS_SCRIPT_REGEXPS(script);
+                                 i = 0;
+                             } else {
+                                 EVAL_CACHE_METER(noscope);
+                                 i = -1;
+                             }
+                         }
+                         if (i < 0 ||
+                             STOBJ_GET_PARENT(objarray->vector[i]) == scopeobj) {
+                             EVAL_CACHE_METER(hit);
+                             *scriptp = script->u.nextToGC;
+                             script->u.nextToGC = NULL;
+                             break;
+                         }
+                     }
+                 }
+             }
+             if (++count == EVAL_CACHE_CHAIN_LIMIT) {
+                 script = NULL;
+                 break;
+             }
+             EVAL_CACHE_METER(step);
+             scriptp = &script->u.nextToGC;
+         }
+     }
      if (!script) {
-         ok = JS_FALSE;
+         script = JSCompiler::compileScript(cx, scopeobj, caller, principals, tcflags,
-         goto out;
+                                            JSSTRING_CHARS(str), JSSTRING_LENGTH(str),
+                                            NULL, file, line, str);
+         if (!script) {
+             ok = JS_FALSE;
+             goto out;
+         }
      }
      if (argc < 2) {
-Line 1344
+Line 1501
      if (ok)
          ok = js_Execute(cx, scopeobj, script, caller, JSFRAME_EVAL, rval);
-     script->u.nextToGC = JS_SCRIPTS_TO_GC(cx);
+     script->u.nextToGC = *bucket;
-     JS_SCRIPTS_TO_GC(cx) = script;
+     *bucket = script;
  #ifdef CHECK_SCRIPT_OWNER
      script->owner = NULL;
  #endif
-Line 1385
+Line 1542
      callbacks = JS_GetSecurityCallbacks(cx);
      if (callbacks && callbacks->findObjectPrincipals) {
          /* Skip over any obj_watch_* frames between us and the real subject. */
-         caller = JS_GetScriptedCaller(cx, cx->fp);
+         caller = js_GetScriptedCaller(cx, NULL);
          if (caller) {
              /*
               * Only call the watch handler if the watcher is allowed to watch
-Line 1555
+Line 1712
  }
  #ifdef JS_TRACER
- static int32 FASTCALL
+ static JSBool FASTCALL
  Object_p_hasOwnProperty(JSContext* cx, JSObject* obj, JSString *str)
  {
      jsid id;
      jsval v;
-     if (!js_ValueToStringId(cx, STRING_TO_JSVAL(str), &id))
+     if (!js_ValueToStringId(cx, STRING_TO_JSVAL(str), &id) ||
-         return JSVAL_TO_BOOLEAN(JSVAL_VOID);
+         !js_HasOwnProperty(cx, obj->map->ops->lookupProperty, obj, id, &v)) {
-     if (!js_HasOwnProperty(cx, obj->map->ops->lookupProperty, obj, id, &v))
+         js_SetBuiltinError(cx);
          return JSVAL_TO_BOOLEAN(JSVAL_VOID);
+     }
      JS_ASSERT(JSVAL_IS_BOOLEAN(v));
      return JSVAL_TO_BOOLEAN(v);
  }
-Line 1599
+Line 1758
  }
  #ifdef JS_TRACER
- static int32 FASTCALL
+ static JSBool FASTCALL
  Object_p_propertyIsEnumerable(JSContext* cx, JSObject* obj, JSString *str)
  {
      jsid id = ATOM_TO_JSID(STRING_TO_JSVAL(str));
      jsval v;
-     if (!js_PropertyIsEnumerable(cx, obj, id, &v))
+     if (!js_PropertyIsEnumerable(cx, obj, id, &v)) {
+         js_SetBuiltinError(cx);
          return JSVAL_TO_BOOLEAN(JSVAL_VOID);
+     }
      JS_ASSERT(JSVAL_IS_BOOLEAN(v));
      return JSVAL_TO_BOOLEAN(v);
  }
-Line 1654
+Line 1817
  }
  #if JS_HAS_GETTER_SETTER
- static JSBool
+ JS_FRIEND_API(JSBool)
- obj_defineGetter(JSContext *cx, uintN argc, jsval *vp)
+ js_obj_defineGetter(JSContext *cx, uintN argc, jsval *vp)
  {
      jsval fval, junk;
      jsid id;
-Line 1683
+Line 1846
          return JS_FALSE;
      *vp = JSVAL_VOID;
      return OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID,
-                                (JSPropertyOp) JSVAL_TO_OBJECT(fval),
+                                js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)),
                                 JS_PropertyStub,
                                 JSPROP_ENUMERATE | JSPROP_GETTER | JSPROP_SHARED,
                                 NULL);
  }
- static JSBool
+ JS_FRIEND_API(JSBool)
- obj_defineSetter(JSContext *cx, uintN argc, jsval *vp)
+ js_obj_defineSetter(JSContext *cx, uintN argc, jsval *vp)
  {
      jsval fval, junk;
      jsid id;
-Line 1719
+Line 1882
      *vp = JSVAL_VOID;
      return OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID,
                                 JS_PropertyStub,
-                                (JSPropertyOp) JSVAL_TO_OBJECT(fval),
+                                js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)),
                                 JSPROP_ENUMERATE | JSPROP_SETTER | JSPROP_SHARED,
                                 NULL);
  }
-Line 1742
+Line 1905
          if (OBJ_IS_NATIVE(pobj)) {
              sprop = (JSScopeProperty *) prop;
              if (sprop->attrs & JSPROP_GETTER)
-                 *vp = OBJECT_TO_JSVAL(sprop->getter);
+                 *vp = js_CastAsObjectJSVal(sprop->getter);
          }
          OBJ_DROP_PROPERTY(cx, pobj, prop);
      }
-Line 1767
+Line 1930
          if (OBJ_IS_NATIVE(pobj)) {
              sprop = (JSScopeProperty *) prop;
              if (sprop->attrs & JSPROP_SETTER)
-                 *vp = OBJECT_TO_JSVAL(sprop->setter);
+                 *vp = js_CastAsObjectJSVal(sprop->setter);
          }
          OBJ_DROP_PROPERTY(cx, pobj, prop);
      }
-Line 1810
+Line 1973
  const char js_lookupSetter_str[] = "__lookupSetter__";
  #endif
+ JS_DEFINE_TRCINFO_1(obj_valueOf,
+     (3, (static, JSVAL,     Object_p_valueOf,               CONTEXT, THIS, STRING,  0, 0)))
  JS_DEFINE_TRCINFO_1(obj_hasOwnProperty,
-     (3, (static, BOOL_FAIL, Object_p_hasOwnProperty, CONTEXT, THIS, STRING,       0, 0)))
+     (3, (static, BOOL_FAIL, Object_p_hasOwnProperty,        CONTEXT, THIS, STRING,  0, 0)))
  JS_DEFINE_TRCINFO_1(obj_propertyIsEnumerable,
-     (3, (static, BOOL_FAIL, Object_p_propertyIsEnumerable, CONTEXT, THIS, STRING, 0, 0)))
+     (3, (static, BOOL_FAIL, Object_p_propertyIsEnumerable,  CONTEXT, THIS, STRING,  0, 0)))
  static JSFunctionSpec object_methods[] = {
  #if JS_HAS_TOSOURCE
-Line 1821
+Line 1986
  #endif
      JS_FN(js_toString_str,             obj_toString,                0,0),
      JS_FN(js_toLocaleString_str,       obj_toLocaleString,          0,0),
-     JS_FN(js_valueOf_str,              obj_valueOf,                 0,0),
+     JS_TN(js_valueOf_str,              obj_valueOf,                 0,0,
+           obj_valueOf_trcinfo),
  #if JS_HAS_OBJ_WATCHPOINT
      JS_FN(js_watch_str,                obj_watch,                   2,0),
      JS_FN(js_unwatch_str,              obj_unwatch,                 1,0),
-Line 1832
+Line 1998
      JS_TN(js_propertyIsEnumerable_str, obj_propertyIsEnumerable,    1,0,
            obj_propertyIsEnumerable_trcinfo),
  #if JS_HAS_GETTER_SETTER
-     JS_FN(js_defineGetter_str,         obj_defineGetter,            2,0),
+     JS_FN(js_defineGetter_str,         js_obj_defineGetter,         2,0),
-     JS_FN(js_defineSetter_str,         obj_defineSetter,            2,0),
+     JS_FN(js_defineSetter_str,         js_obj_defineSetter,         2,0),
      JS_FN(js_lookupGetter_str,         obj_lookupGetter,            1,0),
      JS_FN(js_lookupSetter_str,         obj_lookupSetter,            1,0),
  #endif
-Line 1858
+Line 2024
      }
      if (!obj) {
          JS_ASSERT(!argc || JSVAL_IS_NULL(argv[0]) || JSVAL_IS_VOID(argv[0]));
-         if (cx->fp->flags & JSFRAME_CONSTRUCTING)
+         if (JS_IsConstructing(cx))
              return JS_TRUE;
          obj = js_NewObject(cx, &js_ObjectClass, NULL, NULL, 0);
          if (!obj)
-Line 1868
+Line 2034
      return JS_TRUE;
  }
+ static inline bool
+ InitScopeForObject(JSContext* cx, JSObject* obj, JSObject* proto,
+                    JSObjectOps* ops)
+ {
+     JS_ASSERT(OPS_IS_NATIVE(ops));
+     JS_ASSERT(proto == OBJ_GET_PROTO(cx, obj));
+     JSClass* protoclasp;
+     JSClass* clasp = OBJ_GET_CLASS(cx, obj);
+     /*
+      * Share proto's map only if it has the same JSObjectOps, and only if
+      * proto's class has the same private and reserved slots as obj's map
+      * and class have.  We assume that if prototype and object are of the
+      * same class, they always have the same number of computed reserved
+      * slots (returned via clasp->reserveSlots); otherwise, prototype and
+      * object classes must have the same (null or not) reserveSlots hook.
+      */
+     if (proto &&
+         proto->map->ops == ops &&
+         ((protoclasp = OBJ_GET_CLASS(cx, proto)) == clasp ||
+          (!((protoclasp->flags ^ clasp->flags) &
+             (JSCLASS_HAS_PRIVATE |
+              (JSCLASS_RESERVED_SLOTS_MASK << JSCLASS_RESERVED_SLOTS_SHIFT))) &&
+           protoclasp->reserveSlots == clasp->reserveSlots)))
+     {
+         js_HoldScope(OBJ_SCOPE(proto));
+         obj->map = proto->map;
+         return true;
+     }
+     JSScope *scope = js_NewScope(cx, ops, clasp, obj);
+     if (!scope)
+         goto bad;
+     /* Let js_NewScope set freeslot so as to reserve slots. */
+     JS_ASSERT(scope->freeslot >= JSSLOT_PRIVATE);
+     if (scope->freeslot > JS_INITIAL_NSLOTS &&
+         !js_ReallocSlots(cx, obj, scope->freeslot, JS_TRUE)) {
+         js_DestroyScope(cx, scope);
+         goto bad;
+     }
+     obj->map = &scope->map;
+     return true;
+   bad:
+     /* Ensure that the map field is initialized for GC. */
+     obj->map = NULL;
+     return false;
+ }
+ #ifdef JS_TRACER
+ static inline JSObject*
+ NewNativeObject(JSContext* cx, JSClass* clasp, JSObject* proto, JSObject *parent)
+ {
+     JS_ASSERT(JS_ON_TRACE(cx));
+     JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));
+     if (!obj)
+         return NULL;
+     obj->classword = jsuword(clasp);
+     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
+     obj->fslots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(parent);
+     for (unsigned i = JSSLOT_PRIVATE; i < JS_INITIAL_NSLOTS; ++i)
+         obj->fslots[i] = JSVAL_VOID;
+     obj->dslots = NULL;
+     return InitScopeForObject(cx, obj, proto, &js_ObjectOps) ? obj : NULL;
+ }
+ JSObject* FASTCALL
+ js_Object_tn(JSContext* cx, JSObject* proto)
+ {
+     return NewNativeObject(cx, &js_ObjectClass, proto, JSVAL_TO_OBJECT(proto->fslots[JSSLOT_PARENT]));
+ }
+ JS_DEFINE_TRCINFO_1(js_Object,
+     (2, (extern, CONSTRUCTOR_RETRY, js_Object_tn, CONTEXT, CALLEE_PROTOTYPE, 0, 0)))
+ JSObject* FASTCALL
+ js_NewInstance(JSContext *cx, JSClass *clasp, JSObject *ctor)
+ {
+     JS_ASSERT(HAS_FUNCTION_CLASS(ctor));
+     JSAtom *atom = cx->runtime->atomState.classPrototypeAtom;
+     JSScope *scope = OBJ_SCOPE(ctor);
+ #ifdef JS_THREADSAFE
+     if (scope->title.ownercx != cx)
+         return NULL;
+ #endif
+     if (scope->object != ctor) {
+         scope = js_GetMutableScope(cx, ctor);
+         if (!scope)
+             return NULL;
+     }
+     JSScopeProperty *sprop = SCOPE_GET_PROPERTY(scope, ATOM_TO_JSID(atom));
+     jsval pval = sprop ? STOBJ_GET_SLOT(ctor, sprop->slot) : JSVAL_HOLE;
+     JSObject *proto;
+     if (!JSVAL_IS_PRIMITIVE(pval)) {
+         /* An object in ctor.prototype, let's use it as the new instance's proto. */
+         proto = JSVAL_TO_OBJECT(pval);
+     } else if (pval == JSVAL_HOLE) {
+         /* No ctor.prototype yet, inline and optimize fun_resolve's prototype code. */
+         proto = js_NewObject(cx, clasp, NULL, OBJ_GET_PARENT(cx, ctor), 0);
+         if (!proto)
+             return NULL;
+         if (!js_SetClassPrototype(cx, ctor, proto, JSPROP_ENUMERATE | JSPROP_PERMANENT))
+             return NULL;
+     } else {
+         /* Primitive value in .prototype means we use Object.prototype for proto. */
+         if (!js_GetClassPrototype(cx, JSVAL_TO_OBJECT(ctor->fslots[JSSLOT_PARENT]),
+                                   INT_TO_JSID(JSProto_Object), &proto)) {
+             return NULL;
+         }
+     }
+     return NewNativeObject(cx, clasp, proto, JSVAL_TO_OBJECT(ctor->fslots[JSSLOT_PARENT]));
+ }
+ JS_DEFINE_CALLINFO_3(extern, CONSTRUCTOR_RETRY, js_NewInstance, CONTEXT, CLASS, OBJECT, 0, 0)
+ #else  /* !JS_TRACER */
+ # define js_Object_trcinfo NULL
+ #endif /* !JS_TRACER */
+ /*
+  * Given pc pointing after a property accessing bytecode, return true if the
+  * access is "object-detecting" in the sense used by web scripts, e.g., when
+  * checking whether document.all is defined.
+  */
+ static JS_REQUIRES_STACK JSBool
+ Detecting(JSContext *cx, jsbytecode *pc)
+ {
+     JSScript *script;
+     jsbytecode *endpc;
+     JSOp op;
+     JSAtom *atom;
+     script = cx->fp->script;
+     endpc = script->code + script->length;
+     for (;; pc += js_CodeSpec[op].length) {
+         JS_ASSERT(pc < endpc);
+         /* General case: a branch or equality op follows the access. */
+         op = js_GetOpcode(cx, script, pc);
+         if (js_CodeSpec[op].format & JOF_DETECTING)
+             return JS_TRUE;
+         switch (op) {
+           case JSOP_NULL:
+             /*
+              * Special case #1: handle (document.all == null).  Don't sweat
+              * about JS1.2's revision of the equality operators here.
+              */
+             if (++pc < endpc) {
+                 op = js_GetOpcode(cx, script, pc);
+                 return *pc == JSOP_EQ || *pc == JSOP_NE;
+             }
+             return JS_FALSE;
+           case JSOP_NAME:
+             /*
+              * Special case #2: handle (document.all == undefined).  Don't
+              * worry about someone redefining undefined, which was added by
+              * Edition 3, so is read/write for backward compatibility.
+              */
+             GET_ATOM_FROM_BYTECODE(script, pc, 0, atom);
+             if (atom == cx->runtime->atomState.typeAtoms[JSTYPE_VOID] &&
+                 (pc += js_CodeSpec[op].length) < endpc) {
+                 op = js_GetOpcode(cx, script, pc);
+                 return op == JSOP_EQ || op == JSOP_NE ||
+                        op == JSOP_STRICTEQ || op == JSOP_STRICTNE;
+             }
+             return JS_FALSE;
+           default:
+             /*
+              * At this point, anything but an extended atom index prefix means
+              * we're not detecting.
+              */
+             if (!(js_CodeSpec[op].format & JOF_INDEXBASE))
+                 return JS_FALSE;
+             break;
+         }
+     }
+ }
+ /*
+  * Infer lookup flags from the currently executing bytecode. This does
+  * not attempt to infer JSRESOLVE_WITH, because the current bytecode
+  * does not indicate whether we are in a with statement. Return defaultFlags
+  * if a currently executing bytecode cannot be determined.
+  */
+ static uintN
+ InferFlags(JSContext *cx, uintN defaultFlags)
+ {
+     JSStackFrame *fp;
+     jsbytecode *pc;
+     const JSCodeSpec *cs;
+     uint32 format;
+     uintN flags = 0;
+     fp = js_GetTopStackFrame(cx);
+     if (!fp || !fp->regs)
+         return defaultFlags;
+     pc = fp->regs->pc;
+     cs = &js_CodeSpec[js_GetOpcode(cx, fp->script, pc)];
+     format = cs->format;
+     if (JOF_MODE(format) != JOF_NAME)
+         flags |= JSRESOLVE_QUALIFIED;
+     if ((format & (JOF_SET | JOF_FOR)) ||
+         (fp->flags & JSFRAME_ASSIGNING)) {
+         flags |= JSRESOLVE_ASSIGNING;
+     } else {
+         pc += cs->length;
+         if (pc < cx->fp->script->code + cx->fp->script->length && Detecting(cx, pc))
+             flags |= JSRESOLVE_DETECTING;
+     }
+     if (format & JOF_DECLARING)
+         flags |= JSRESOLVE_DECLARING;
+     return flags;
+ }
  /*
   * ObjectOps and Class for with-statement stack objects.
   */
-Line 1875
+Line 2270
  with_LookupProperty(JSContext *cx, JSObject *obj, jsid id, JSObject **objp,
                      JSProperty **propp)
  {
+     /* Fixes bug 463997 */
+     uintN flags = cx->resolveFlags;
+     if (flags == JSRESOLVE_INFER)
+         flags = InferFlags(cx, flags);
+     flags |= JSRESOLVE_WITH;
+     JSAutoResolveFlags rf(cx, flags);
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_LookupProperty(cx, obj, id, objp, propp);
-Line 1967
+Line 2368
  }
  JS_FRIEND_DATA(JSObjectOps) js_WithObjectOps = {
-     js_NewObjectMap,        js_DestroyObjectMap,
+     NULL,
      with_LookupProperty,    js_DefineProperty,
      with_GetProperty,       with_SetProperty,
      with_GetAttributes,     with_SetAttributes,
-Line 1975
+Line 2376
      with_Enumerate,         with_CheckAccess,
      with_ThisObject,        NATIVE_DROP_PROPERTY,
      NULL,                   NULL,
-     NULL,                   NULL,
+     NULL,                   js_TraceObject,
-     js_SetProtoOrParent,    js_SetProtoOrParent,
+     js_Clear,               NULL,
-     js_TraceObject,         js_Clear,
+     NULL
-     NULL,                   NULL
  };
  static JSObjectOps *
-Line 1996
+Line 2396
 ,0,0,0,0,0,0
  };
- JSObject *
+ JS_REQUIRES_STACK JSObject *
  js_NewWithObject(JSContext *cx, JSObject *proto, JSObject *parent, jsint depth)
  {
      JSObject *obj;
-Line 2012
+Line 2412
  JSObject *
  js_NewBlockObject(JSContext *cx)
  {
-     JSObject *obj;
-     JSBool ok;
      /*
       * Null obj's proto slot so that Object.prototype.* does not pollute block
-      * scopes.  Make sure obj has its own scope too, since clearing proto does
+      * scopes and to give the block object its own scope.
-      * not affect OBJ_SCOPE(obj).
       */
-     obj = js_NewObject(cx, &js_BlockClass, NULL, NULL, 0);
+     JSObject *blockObj = js_NewObjectWithGivenProto(cx, &js_BlockClass,
-     if (!obj)
+                                                     NULL, NULL, 0);
-         return NULL;
+     JS_ASSERT_IF(blockObj, !OBJ_IS_CLONED_BLOCK(blockObj));
-     JS_LOCK_OBJ(cx, obj);
+     return blockObj;
-     ok = js_GetMutableScope(cx, obj) != NULL;
-     JS_UNLOCK_OBJ(cx, obj);
-     if (!ok)
-         return NULL;
-     OBJ_CLEAR_PROTO(cx, obj);
-     return obj;
  }
  JSObject *
-Line 2047
+Line 2437
      STOBJ_SET_SLOT(clone, JSSLOT_BLOCK_DEPTH,
                     OBJ_GET_SLOT(cx, proto, JSSLOT_BLOCK_DEPTH));
      JS_ASSERT(OBJ_IS_CLONED_BLOCK(clone));
+     JS_ASSERT(OBJ_SCOPE(clone)->object == proto);
      return clone;
  }
- JSBool
+ JS_REQUIRES_STACK JSBool
  js_PutBlockObject(JSContext *cx, JSBool normalUnwind)
  {
      JSStackFrame *fp;
-Line 2069
+Line 2460
      /*
       * Block objects should never be exposed to scripts. Thus the clone should
       * not own the property map and rather always share it with the prototype
-      * object. This allows to skip updating OBJ_SCOPE(obj)->map.freeslot after
+      * object. This allows us to skip updating OBJ_SCOPE(obj)->freeslot after
       * we copy the stack slots into reserved slots.
       */
      JS_ASSERT(OBJ_SCOPE(obj)->object != obj);
-Line 2174
+Line 2565
      return NO_PARENT_INDEX;
  }
- static JSBool
+ JSBool
- block_xdrObject(JSXDRState *xdr, JSObject **objp)
+ js_XDRBlockObject(JSXDRState *xdr, JSObject **objp)
  {
      JSContext *cx;
      uint32 parentId;
-Line 2276
+Line 2667
          if (xdr->mode == JSXDR_DECODE) {
              if (!js_DefineNativeProperty(cx, obj, ATOM_TO_JSID(atom),
                                           JSVAL_VOID, NULL, NULL,
-                                          JSPROP_ENUMERATE | JSPROP_PERMANENT,
+                                          JSPROP_ENUMERATE | JSPROP_PERMANENT |
+                                          JSPROP_SHARED,
                                           SPROP_HAS_SHORTID, shortid, NULL)) {
                  ok = JS_FALSE;
                  break;
-Line 2288
+Line 2680
      return ok;
  }
- #else
- # define block_xdrObject NULL
  #endif
  static uint32
-Line 2300
+Line 2690
  JSClass js_BlockClass = {
      "Block",
-     JSCLASS_HAS_PRIVATE | JSCLASS_HAS_RESERVED_SLOTS(1) |
+     JSCLASS_HAS_PRIVATE | JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_IS_ANONYMOUS,
-     JSCLASS_IS_ANONYMOUS | JSCLASS_HAS_CACHED_PROTO(JSProto_Block),
      JS_PropertyStub,  JS_PropertyStub,  block_getProperty, block_setProperty,
      JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,    JS_FinalizeStub,
-     NULL, NULL, NULL, NULL, block_xdrObject, NULL, NULL, block_reserveSlots
+     NULL, NULL, NULL, NULL, NULL, NULL, NULL, block_reserveSlots
  };
- JSObject*
- js_InitBlockClass(JSContext *cx, JSObject* obj)
- {
-     JSObject *proto;
-     proto = JS_InitClass(cx, obj, NULL, &js_BlockClass, NULL, 0, NULL,
-                          NULL, NULL, NULL);
-     if (!proto)
-         return NULL;
-     OBJ_CLEAR_PROTO(cx, proto);
-     return proto;
- }
  JSObject *
  js_InitEval(JSContext *cx, JSObject *obj)
  {
-Line 2336
+Line 2711
  JSObject *
  js_InitObjectClass(JSContext *cx, JSObject *obj)
  {
-     return JS_InitClass(cx, obj, NULL, &js_ObjectClass, js_Object, 1,
+     return js_InitClass(cx, obj, NULL, &js_ObjectClass, js_Object, 1,
-                         object_props, object_methods, NULL,
+                         object_props, object_methods, NULL, object_static_methods);
-                         object_static_methods);
  }
- void
+ JSObject *
- js_InitObjectMap(JSObjectMap *map, jsrefcount nrefs, JSObjectOps *ops,
+ js_InitClass(JSContext *cx, JSObject *obj, JSObject *parent_proto,
-                  JSClass *clasp)
+              JSClass *clasp, JSNative constructor, uintN nargs,
- {
+              JSPropertySpec *ps, JSFunctionSpec *fs,
-     map->nrefs = nrefs;
+              JSPropertySpec *static_ps, JSFunctionSpec *static_fs)
-     map->ops = ops;
-     map->freeslot = JSSLOT_FREE(clasp);
- }
- JSObjectMap *
- js_NewObjectMap(JSContext *cx, jsrefcount nrefs, JSObjectOps *ops,
-                 JSClass *clasp, JSObject *obj)
  {
-     return (JSObjectMap *) js_NewScope(cx, nrefs, ops, clasp, obj);
+     JSAtom *atom;
- }
+     JSProtoKey key;
+     JSObject *proto, *ctor;
+     JSTempValueRooter tvr;
+     jsval cval, rval;
+     JSBool named;
+     JSFunction *fun;
- void
+     atom = js_Atomize(cx, clasp->name, strlen(clasp->name), 0);
- js_DestroyObjectMap(JSContext *cx, JSObjectMap *map)
+     if (!atom)
- {
+         return NULL;
-     js_DestroyScope(cx, (JSScope *)map);
- }
- JSObjectMap *
+     /*
- js_HoldObjectMap(JSContext *cx, JSObjectMap *map)
+      * When initializing a standard class, if no parent_proto (grand-proto of
- {
+      * instances of the class, parent-proto of the class's prototype object)
-     JS_ASSERT(map->nrefs >= 0);
+      * is given, we must use Object.prototype if it is available.  Otherwise,
-     JS_ATOMIC_INCREMENT(&map->nrefs);
+      * we could look up the wrong binding for a class name in obj.  Example:
-     return map;
+      *
- }
+      *   String = Array;
+      *   print("hi there".join);
+      *
+      * should print undefined, not Array.prototype.join.  This is required by
+      * ECMA-262, alas.  It might have been better to make String readonly and
+      * permanent in the global object, instead -- but that's too big a change
+      * to swallow at this point.
+      */
+     key = JSCLASS_CACHED_PROTO_KEY(clasp);
+     if (key != JSProto_Null &&
+         !parent_proto &&
+         !js_GetClassPrototype(cx, obj, INT_TO_JSID(JSProto_Object),
+                               &parent_proto)) {
+         return NULL;
+     }
- JSObjectMap *
+     /* Create a prototype object for this class. */
- js_DropObjectMap(JSContext *cx, JSObjectMap *map, JSObject *obj)
+     proto = js_NewObject(cx, clasp, parent_proto, obj, 0);
- {
+     if (!proto)
-     JS_ASSERT(map->nrefs > 0);
-     JS_ATOMIC_DECREMENT(&map->nrefs);
-     if (map->nrefs == 0) {
-         map->ops->destroyObjectMap(cx, map);
          return NULL;
+     /* After this point, control must exit via label bad or out. */
+     JS_PUSH_TEMP_ROOT_OBJECT(cx, proto, &tvr);
+     if (!constructor) {
+         /*
+          * Lacking a constructor, name the prototype (e.g., Math) unless this
+          * class (a) is anonymous, i.e. for internal use only; (b) the class
+          * of obj (the global object) is has a reserved slot indexed by key;
+          * and (c) key is not the null key.
+          */
+         if ((clasp->flags & JSCLASS_IS_ANONYMOUS) &&
+             (OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_IS_GLOBAL) &&
+             key != JSProto_Null) {
+             named = JS_FALSE;
+         } else {
+             named = OBJ_DEFINE_PROPERTY(cx, obj, ATOM_TO_JSID(atom),
+                                         OBJECT_TO_JSVAL(proto),
+                                         JS_PropertyStub, JS_PropertyStub,
+                                         (clasp->flags & JSCLASS_IS_ANONYMOUS)
+                                         ? JSPROP_READONLY | JSPROP_PERMANENT
+                                         : 0,
+                                         NULL);
+             if (!named)
+                 goto bad;
+         }
+         ctor = proto;
+     } else {
+         /* Define the constructor function in obj's scope. */
+         fun = js_DefineFunction(cx, obj, atom, constructor, nargs,
+                                 JSFUN_STUB_GSOPS);
+         named = (fun != NULL);
+         if (!fun)
+             goto bad;
+         /*
+          * Remember the class this function is a constructor for so that
+          * we know to create an object of this class when we call the
+          * constructor.
+          */
+         FUN_CLASP(fun) = clasp;
+         /*
+          * Optionally construct the prototype object, before the class has
+          * been fully initialized.  Allow the ctor to replace proto with a
+          * different object, as is done for operator new -- and as at least
+          * XML support requires.
+          */
+         ctor = FUN_OBJECT(fun);
+         if (clasp->flags & JSCLASS_CONSTRUCT_PROTOTYPE) {
+             cval = OBJECT_TO_JSVAL(ctor);
+             if (!js_InternalConstruct(cx, proto, cval, 0, NULL, &rval))
+                 goto bad;
+             if (!JSVAL_IS_PRIMITIVE(rval) && JSVAL_TO_OBJECT(rval) != proto)
+                 proto = JSVAL_TO_OBJECT(rval);
+         }
+         /* Connect constructor and prototype by named properties. */
+         if (!js_SetClassPrototype(cx, ctor, proto,
+                                   JSPROP_READONLY | JSPROP_PERMANENT)) {
+             goto bad;
+         }
+         /* Bootstrap Function.prototype (see also JS_InitStandardClasses). */
+         if (OBJ_GET_CLASS(cx, ctor) == clasp)
+             OBJ_SET_PROTO(cx, ctor, proto);
      }
-     if (MAP_IS_NATIVE(map) && ((JSScope *)map)->object == obj)
-         ((JSScope *)map)->object = NULL;
+     /* Add properties and methods to the prototype and the constructor. */
-     return map;
+     if ((ps && !JS_DefineProperties(cx, proto, ps)) ||
+         (fs && !JS_DefineFunctions(cx, proto, fs)) ||
+         (static_ps && !JS_DefineProperties(cx, ctor, static_ps)) ||
+         (static_fs && !JS_DefineFunctions(cx, ctor, static_fs))) {
+         goto bad;
+     }
+     /* If this is a standard class, cache its prototype. */
+     if (key != JSProto_Null && !js_SetClassObject(cx, obj, key, ctor))
+         goto bad;
+ out:
+     JS_POP_TEMP_ROOT(cx, &tvr);
+     return proto;
+ bad:
+     if (named)
+         (void) OBJ_DELETE_PROPERTY(cx, obj, ATOM_TO_JSID(atom), &rval);
+     proto = NULL;
+     goto out;
  }
  static void
-Line 2568
+Line 3034
  js_NewObjectWithGivenProto(JSContext *cx, JSClass *clasp, JSObject *proto,
                             JSObject *parent, uintN objectSize)
  {
-     JSObject *obj;
-     JSObjectOps *ops;
-     JSObjectMap *map;
-     JSClass *protoclasp;
-     uint32 nslots, i;
-     JSTempValueRooter tvr;
  #ifdef INCLUDE_MOZILLA_DTRACE
      if (JAVASCRIPT_OBJECT_CREATE_START_ENABLED())
          jsdtrace_object_create_start(cx->fp, clasp);
-Line 2591
+Line 3050
          objectSize = sizeof(JSObject);
      }
+     /* Assert that the class is a proper class. */
+     JS_ASSERT_IF(clasp->flags & JSCLASS_IS_EXTENDED,
+                  ((JSExtendedClass *)clasp)->equality);
+     /* Always call the class's getObjectOps hook if it has one. */
+     JSObjectOps *ops = clasp->getObjectOps
+                        ? clasp->getObjectOps(cx, clasp)
+                        : &js_ObjectOps;
      /*
       * Allocate an object from the GC heap and initialize all its fields before
       * doing any operation that can potentially trigger GC.
       */
-     obj = (JSObject *) js_NewGCThing(cx, GCX_OBJECT, objectSize);
+     JSObject *obj = (JSObject *) js_NewGCThing(cx, GCX_OBJECT, objectSize);
      if (!obj)
-         goto earlybad;
+         goto out;
-     obj->map = NULL;
-     obj->dslots = NULL;
      /*
       * Set the class slot with the initial value of the system and delegate
-Line 2611
+Line 3076
      JS_ASSERT(!STOBJ_IS_DELEGATE(obj));
      JS_ASSERT(!STOBJ_IS_SYSTEM(obj));
-     /* Set the proto and parent properties. */
+     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
-     STOBJ_SET_PROTO(obj, proto);
-     STOBJ_SET_PARENT(obj, parent);
+     /*
+      * Default parent to the parent of the prototype, which was set from
+      * the parent of the prototype's constructor.
+      */
+     obj->fslots[JSSLOT_PARENT] = OBJECT_TO_JSVAL((!parent && proto)
+                                                  ? OBJ_GET_PARENT(cx, proto)
+                                                  : parent);
      /* Initialize the remaining fixed slots. */
-     for (i = JSSLOT_PRIVATE; i != JS_INITIAL_NSLOTS; ++i)
+     for (uint32 i = JSSLOT_PRIVATE; i < JS_INITIAL_NSLOTS; ++i)
          obj->fslots[i] = JSVAL_VOID;
+     obj->dslots = NULL;
+     if (OPS_IS_NATIVE(ops)) {
+         if (!InitScopeForObject(cx, obj, proto, ops)) {
+             obj = NULL;
+             goto out;
+         }
+     } else {
+         JS_ASSERT(ops->objectMap->ops == ops);
+         obj->map = const_cast<JSObjectMap *>(ops->objectMap);
+     }
  #ifdef DEBUG
      memset((uint8 *) obj + sizeof(JSObject), JS_FREE_PATTERN,
             objectSize - sizeof(JSObject));
  #endif
-     /*
+     /* Check that the newborn root still holds the object. */
-      * Root obj to prevent it from being collected out from under this call to
+     JS_ASSERT_IF(!cx->localRootStack, cx->weakRoots.newborn[GCX_OBJECT] == obj);
-      * js_NewObject. There's a possibilty of GC under the objectHook call-out
-      * further below.
-      */
-     JS_PUSH_TEMP_ROOT_OBJECT(cx, obj, &tvr);
-     /* Always call the class's getObjectOps hook if it has one. */
-     ops = clasp->getObjectOps
-           ? clasp->getObjectOps(cx, clasp)
-           : &js_ObjectOps;
      /*
-      * Default parent to the parent of the prototype, which was set from
+      * Do not call debug hooks on trace, because we might be in a non-_FAIL
-      * the parent of the prototype's constructor.
+      * builtin. See bug 481444.
       */
-     if (proto && !parent)
+     if (cx->debugHooks->objectHook && !JS_ON_TRACE(cx)) {
-         STOBJ_SET_PARENT(obj, OBJ_GET_PARENT(cx, proto));
+         JSAutoTempValueRooter tvr(cx, obj);
-     /*
-      * Share proto's map only if it has the same JSObjectOps, and only if
-      * proto's class has the same private and reserved slots as obj's map
-      * and class have.  We assume that if prototype and object are of the
-      * same class, they always have the same number of computed reserved
-      * slots (returned via clasp->reserveSlots); otherwise, prototype and
-      * object classes must have the same (null or not) reserveSlots hook.
-      */
-     if (proto &&
-         (map = proto->map)->ops == ops &&
-         ((protoclasp = OBJ_GET_CLASS(cx, proto)) == clasp ||
-          (!((protoclasp->flags ^ clasp->flags) &
-             (JSCLASS_HAS_PRIVATE |
-              (JSCLASS_RESERVED_SLOTS_MASK << JSCLASS_RESERVED_SLOTS_SHIFT))) &&
-           protoclasp->reserveSlots == clasp->reserveSlots)))
-     {
-         /* Share the given prototype's map. */
-         obj->map = js_HoldObjectMap(cx, map);
-     } else {
-         map = ops->newObjectMap(cx, 1, ops, clasp, obj);
-         if (!map)
-             goto bad;
-         obj->map = map;
-         /* Let ops->newObjectMap set freeslot so as to reserve slots. */
-         nslots = map->freeslot;
-         JS_ASSERT(nslots >= JSSLOT_PRIVATE);
-         if (nslots > JS_INITIAL_NSLOTS &&
-             !js_ReallocSlots(cx, obj, nslots, JS_TRUE)) {
-             js_DropObjectMap(cx, map, obj);
-             obj->map = NULL;
-             goto bad;
-         }
-     }
-     if (cx->debugHooks->objectHook) {
          JS_KEEP_ATOMS(cx->runtime);
          cx->debugHooks->objectHook(cx, obj, JS_TRUE,
                                     cx->debugHooks->objectHookData);
          JS_UNKEEP_ATOMS(cx->runtime);
+         cx->weakRoots.newborn[GCX_OBJECT] = obj;
      }
  out:
-     JS_POP_TEMP_ROOT(cx, &tvr);
-     cx->weakRoots.newborn[GCX_OBJECT] = obj;
  #ifdef INCLUDE_MOZILLA_DTRACE
      if (JAVASCRIPT_OBJECT_CREATE_ENABLED())
          jsdtrace_object_create(cx, clasp, obj);
-Line 2695
+Line 3131
          jsdtrace_object_create_done(cx->fp, clasp);
  #endif
      return obj;
+ }
- bad:
+ JSObject*
-     obj = NULL;
+ js_NewNativeObject(JSContext *cx, JSClass *clasp, JSObject *proto, uint32 slot)
-     goto out;
+ {
+     JS_ASSERT(!clasp->getObjectOps);
+     JS_ASSERT(proto->map->ops == &js_ObjectOps);
+     JS_ASSERT(OBJ_GET_CLASS(cx, proto) == clasp);
- earlybad:
+     JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));
- #ifdef INCLUDE_MOZILLA_DTRACE
+     if (!obj)
-     if (JAVASCRIPT_OBJECT_CREATE_ENABLED())
+         return NULL;
-         jsdtrace_object_create(cx, clasp, NULL);
-     if (JAVASCRIPT_OBJECT_CREATE_DONE_ENABLED())
+     js_HoldScope(OBJ_SCOPE(proto));
-         jsdtrace_object_create_done(cx->fp, clasp);
+     obj->map = proto->map;
- #endif
+     obj->classword = jsuword(clasp);
-     return NULL;
+     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
+     obj->fslots[JSSLOT_PARENT] = proto->fslots[JSSLOT_PARENT];
+     JS_ASSERT(slot > JSSLOT_PARENT);
+     while (slot < JS_INITIAL_NSLOTS)
+         obj->fslots[slot++] = JSVAL_VOID;
+     obj->dslots = NULL;
+     return obj;
  }
  JS_BEGIN_EXTERN_C
-Line 2799
+Line 3247
  JSBool
  js_FindClassObject(JSContext *cx, JSObject *start, jsid id, jsval *vp)
  {
+     JSStackFrame *fp;
      JSObject *obj, *cobj, *pobj;
      JSProtoKey key;
      JSProperty *prop;
      jsval v;
      JSScopeProperty *sprop;
-     if (start || (cx->fp && (start = cx->fp->scopeChain) != NULL)) {
+     /*
+      * Find the global object. Use cx->fp directly to avoid falling off
+      * trace; all JIT-elided stack frames have the same global object as
+      * cx->fp.
+      */
+     VOUCH_DOES_NOT_REQUIRE_STACK();
+     if (!start && (fp = cx->fp) != NULL)
+         start = fp->scopeChain;
+     if (start) {
          /* Find the topmost object in the scope chain. */
          do {
              obj = start;
-Line 2946
+Line 3404
  void
  js_FinalizeObject(JSContext *cx, JSObject *obj)
  {
-     JSObjectMap *map;
      /* Cope with stillborn objects that have no map. */
-     map = obj->map;
+     if (!obj->map)
-     if (!map)
          return;
      if (cx->debugHooks->objectHook) {
-Line 2966
+Line 3421
          jsdtrace_object_finalize(obj);
  #endif
-     /* Drop map and free slots. */
+     if (OBJ_IS_NATIVE(obj))
-     js_DropObjectMap(cx, map, obj);
+         js_DropScope(cx, OBJ_SCOPE(obj), obj);
      FreeSlots(cx, obj);
  }
-Line 2976
+Line 3431
  JSBool
  js_AllocSlot(JSContext *cx, JSObject *obj, uint32 *slotp)
  {
-     JSObjectMap *map;
+     JS_ASSERT(OBJ_IS_NATIVE(obj));
-     JSClass *clasp;
-     map = obj->map;
+     JSScope *scope = OBJ_SCOPE(obj);
-     JS_ASSERT(!MAP_IS_NATIVE(map) || ((JSScope *)map)->object == obj);
+     JSClass *clasp = LOCKED_OBJ_GET_CLASS(obj);
-     clasp = LOCKED_OBJ_GET_CLASS(obj);
+     if (scope->freeslot == JSSLOT_FREE(clasp) && clasp->reserveSlots) {
-     if (map->freeslot == JSSLOT_FREE(clasp) && clasp->reserveSlots) {
+         /* Adjust scope->freeslot to include computed reserved slots, if any. */
-         /* Adjust map->freeslot to include computed reserved slots, if any. */
+         scope->freeslot += clasp->reserveSlots(cx, obj);
-         map->freeslot += clasp->reserveSlots(cx, obj);
      }
-     if (map->freeslot >= STOBJ_NSLOTS(obj) &&
+     if (scope->freeslot >= STOBJ_NSLOTS(obj) &&
-         !js_ReallocSlots(cx, obj, map->freeslot + 1, JS_FALSE)) {
+         !js_ReallocSlots(cx, obj, scope->freeslot + 1, JS_FALSE)) {
          return JS_FALSE;
      }
      /* js_ReallocSlots or js_FreeSlot should set the free slots to void. */
-     JS_ASSERT(JSVAL_IS_VOID(STOBJ_GET_SLOT(obj, map->freeslot)));
+     JS_ASSERT(JSVAL_IS_VOID(STOBJ_GET_SLOT(obj, scope->freeslot)));
-     *slotp = map->freeslot++;
+     *slotp = scope->freeslot++;
      return JS_TRUE;
  }
  void
  js_FreeSlot(JSContext *cx, JSObject *obj, uint32 slot)
  {
-     JSObjectMap *map;
+     JS_ASSERT(OBJ_IS_NATIVE(obj));
-     map = obj->map;
+     JSScope *scope = OBJ_SCOPE(obj);
-     JS_ASSERT(!MAP_IS_NATIVE(map) || ((JSScope *)map)->object == obj);
      LOCKED_OBJ_SET_SLOT(obj, slot, JSVAL_VOID);
-     if (map->freeslot == slot + 1) {
+     if (scope->freeslot == slot + 1) {
-         map->freeslot = slot;
+         scope->freeslot = slot;
          /* When shrinking, js_ReallocSlots always returns true. */
          js_ReallocSlots(cx, obj, slot, JS_FALSE);
-Line 3030
+Line 3482
              cp++;
          }
      }
-     if (cp == end &&
-         (oldIndex < (JSVAL_INT_MAX / 10) ||
+     /*
-          (oldIndex == (JSVAL_INT_MAX / 10) &&
+      * Non-integer indexes can't be represented as integers.  Also, distinguish
-           c <= (JSVAL_INT_MAX % 10)))) {
+      * index "-0" from "0", because JSVAL_INT cannot.
+      */
+     if (cp != end || (negative && index == 0))
+         return id;
+     if (oldIndex < JSVAL_INT_MAX / 10 ||
+         (oldIndex == JSVAL_INT_MAX / 10 && c <= (JSVAL_INT_MAX % 10))) {
          if (negative)
              index = 0 - index;
          id = INT_TO_JSID((jsint)index);
-Line 3057
+Line 3514
          sprop = SCOPE_GET_PROPERTY(scope, id);
          if (sprop) {
              PCMETER(JS_PROPERTY_CACHE(cx).pcpurges++);
-             SCOPE_MAKE_UNIQUE_SHAPE(cx, scope);
+             js_MakeScopeShapeUnique(cx, scope);
              JS_UNLOCK_SCOPE(cx, scope);
+             if (!STOBJ_GET_PARENT(scope->object)) {
+                 /*
+                  * All scope chains end in a global object, so this will change
+                  * the global shape. jstracer.cpp assumes that the global shape
+                  * never changes on trace, so we must deep-bail here.
+                  */
+                 js_LeaveTrace(cx);
+             }
              return JS_TRUE;
          }
          obj = LOCKED_OBJ_GET_PROTO(scope->object);
-Line 3067
+Line 3533
      return JS_FALSE;
  }
- static void
+ void
- PurgeScopeChain(JSContext *cx, JSObject *obj, jsid id)
+ js_PurgeScopeChainHelper(JSContext *cx, JSObject *obj, jsid id)
  {
-     if (!OBJ_IS_DELEGATE(cx, obj))
+     JS_ASSERT(OBJ_IS_DELEGATE(cx, obj));
-         return;
      PurgeProtoChain(cx, OBJ_GET_PROTO(cx, obj), id);
-     while ((obj = OBJ_GET_PARENT(cx, obj)) != NULL) {
-         if (PurgeProtoChain(cx, obj, id))
+     /*
-             return;
+      * We must purge the scope chain only for Call objects as they are the only
+      * kind of cacheable non-global object that can gain properties after outer
+      * properties with the same names have been cached or traced. Call objects
+      * may gain such properties via eval introducing new vars; see bug 490364.
+      */
+     if (STOBJ_GET_CLASS(obj) == &js_CallClass) {
+         while ((obj = OBJ_GET_PARENT(cx, obj)) != NULL) {
+             if (PurgeProtoChain(cx, obj, id))
+                 break;
+         }
      }
  }
-Line 3093
+Line 3566
       * this optimistically (assuming no failure below) before locking obj, so
       * we can lock the shadowed scope.
       */
-     PurgeScopeChain(cx, obj, id);
+     js_PurgeScopeChain(cx, obj, id);
      JS_LOCK_OBJ(cx, obj);
      scope = js_GetMutableScope(cx, obj);
-Line 3142
+Line 3615
   * nominal initial value of a slot-full property, while GC safety wants that
   * value to be stored before the call-out through the hook.  Optimize to do
   * both while saving cycles for classes that stub their addProperty hook.
+  *
+  * As in js_SetProtoOrParent (see above), we maintain the "any Array prototype
+  * has indexed properties hazard" flag by conservatively setting it.
   */
  #define ADD_PROPERTY_HELPER(cx,clasp,obj,scope,sprop,vp,cleanup)              \
      JS_BEGIN_MACRO                                                            \
-Line 3160
+Line 3636
  JSBool
  js_DefineNativeProperty(JSContext *cx, JSObject *obj, jsid id, jsval value,
                          JSPropertyOp getter, JSPropertyOp setter, uintN attrs,
-                         uintN flags, intN shortid, JSProperty **propp)
+                         uintN flags, intN shortid, JSProperty **propp,
+                         uintN defineHow /* = 0 */)
  {
      JSClass *clasp;
      JSScope *scope;
      JSScopeProperty *sprop;
+     bool added;
+     JS_ASSERT((defineHow & ~(JSDNP_CACHE_RESULT | JSDNP_DONT_PURGE)) == 0);
+     js_LeaveTraceIfGlobalObject(cx, obj);
      /* Convert string indices to integers if appropriate. */
      CHECK_FOR_STRING_INDEX(id);
-Line 3205
+Line 3686
              /* NB: obj == pobj, so we can share unlock code at the bottom. */
              if (!sprop)
-                 goto bad;
+                 goto error;
          } else if (prop) {
              /* NB: call OBJ_DROP_PROPERTY, as pobj might not be native. */
              OBJ_DROP_PROPERTY(cx, pobj, prop);
-Line 3216
+Line 3697
  #endif /* JS_HAS_GETTER_SETTER */
      /*
-      * Purge the property cache of now-shadowed id in obj's scope chain.
+      * Purge the property cache of any properties named by id that are about
-      * Do this early, before locking obj to avoid nesting locks.
+      * to be shadowed in obj's scope chain unless it is known a priori that it
+      * is not possible. We do this before locking obj to avoid nesting locks.
+      */
+     if (!(defineHow & JSDNP_DONT_PURGE))
+         js_PurgeScopeChain(cx, obj, id);
+     /*
+      * Check whether a readonly property or setter is being defined on a known
+      * prototype object. See the comment in jscntxt.h before protoHazardShape's
+      * member declaration.
       */
-     PurgeScopeChain(cx, obj, id);
+     if (OBJ_IS_DELEGATE(cx, obj) && (attrs & (JSPROP_READONLY | JSPROP_SETTER)))
+         cx->runtime->protoHazardShape = js_GenerateShape(cx, false);
      /* Lock if object locking is required by this implementation. */
      JS_LOCK_OBJ(cx, obj);
-Line 3234
+Line 3725
      /* Get obj's own scope if it has one, or create a new one for obj. */
      scope = js_GetMutableScope(cx, obj);
      if (!scope)
-         goto bad;
+         goto error;
+     added = false;
      if (!sprop) {
          /* Add a new property, or replace an existing one of the same id. */
          if (clasp->flags & JSCLASS_SHARE_ALL_PROPERTIES)
-Line 3244
+Line 3736
                                      SPROP_INVALID_SLOT, attrs, flags,
                                      shortid);
          if (!sprop)
-             goto bad;
+             goto error;
+         added = true;
      }
      /* Store value before calling addProperty, in case the latter GC's. */
-Line 3254
+Line 3747
      /* XXXbe called with lock held */
      ADD_PROPERTY_HELPER(cx, clasp, obj, scope, sprop, &value,
                          js_RemoveScopeProperty(cx, scope, id);
-                         goto bad);
+                         goto error);
+     if (defineHow & JSDNP_CACHE_RESULT) {
+         JS_ASSERT_NOT_ON_TRACE(cx);
+         JSPropCacheEntry *entry;
+         entry = js_FillPropertyCache(cx, obj, 0, 0, obj, sprop, added);
+         TRACE_2(SetPropHit, entry, sprop);
+     }
      if (propp)
          *propp = (JSProperty *) sprop;
      else
          JS_UNLOCK_OBJ(cx, obj);
      return JS_TRUE;
- bad:
+ error: // TRACE_2 jumps here on error, as well.
      JS_UNLOCK_OBJ(cx, obj);
      return JS_FALSE;
  }
- /*
-  * Given pc pointing after a property accessing bytecode, return true if the
-  * access is "object-detecting" in the sense used by web scripts, e.g., when
-  * checking whether document.all is defined.
-  */
- static JSBool
- Detecting(JSContext *cx, jsbytecode *pc)
- {
-     JSScript *script;
-     jsbytecode *endpc;
-     JSOp op;
-     JSAtom *atom;
-     if (!cx->fp)
-         return JS_FALSE;
-     script = cx->fp->script;
-     for (endpc = script->code + script->length;
-          pc < endpc;
-          pc += js_CodeSpec[op].length) {
-         /* General case: a branch or equality op follows the access. */
-         op = (JSOp) *pc;
-         if (js_CodeSpec[op].format & JOF_DETECTING)
-             return JS_TRUE;
-         switch (op) {
-           case JSOP_NULL:
-             /*
-              * Special case #1: handle (document.all == null).  Don't sweat
-              * about JS1.2's revision of the equality operators here.
-              */
-             if (++pc < endpc)
-                 return *pc == JSOP_EQ || *pc == JSOP_NE;
-             return JS_FALSE;
-           case JSOP_NAME:
-             /*
-              * Special case #2: handle (document.all == undefined).  Don't
-              * worry about someone redefining undefined, which was added by
-              * Edition 3, so is read/write for backward compatibility.
-              */
-             GET_ATOM_FROM_BYTECODE(script, pc, 0, atom);
-             if (atom == cx->runtime->atomState.typeAtoms[JSTYPE_VOID] &&
-                 (pc += js_CodeSpec[op].length) < endpc) {
-                 op = (JSOp) *pc;
-                 return op == JSOP_EQ || op == JSOP_NE ||
-                        op == JSOP_STRICTEQ || op == JSOP_STRICTNE;
-             }
-             return JS_FALSE;
-           default:
-             /*
-              * At this point, anything but an extended atom index prefix means
-              * we're not detecting.
-              */
-             if (!(js_CodeSpec[op].format & JOF_INDEXBASE))
-                 return JS_FALSE;
-             break;
-         }
-     }
-     return JS_FALSE;
- }
  JS_FRIEND_API(JSBool)
  js_LookupProperty(JSContext *cx, JSObject *obj, jsid id, JSObject **objp,
                    JSProperty **propp)
-Line 3354
+Line 3791
      JSResolvingEntry *entry;
      uint32 generation;
      JSNewResolveOp newresolve;
-     jsbytecode *pc;
-     const JSCodeSpec *cs;
-     uint32 format;
      JSBool ok;
      /* Convert string indices to integers if appropriate. */
      CHECK_FOR_STRING_INDEX(id);
-     JS_COUNT_OPERATION(cx, JSOW_LOOKUP_PROPERTY);
      /* Search scopes starting with obj and following the prototype link. */
      start = obj;
-Line 3406
+Line 3839
                  if (clasp->flags & JSCLASS_NEW_RESOLVE) {
                      newresolve = (JSNewResolveOp)resolve;
-                     if (flags == JSRESOLVE_INFER && cx->fp && cx->fp->regs) {
+                     if (flags == JSRESOLVE_INFER)
-                         flags = 0;
+                         flags = InferFlags(cx, flags);
-                         pc = cx->fp->regs->pc;
-                         cs = &js_CodeSpec[*pc];
-                         format = cs->format;
-                         if (JOF_MODE(format) != JOF_NAME)
-                             flags |= JSRESOLVE_QUALIFIED;
-                         if ((format & (JOF_SET | JOF_FOR)) ||
-                             (cx->fp->flags & JSFRAME_ASSIGNING)) {
-                             flags |= JSRESOLVE_ASSIGNING;
-                         } else {
-                             pc += cs->length;
-                             if (Detecting(cx, pc))
-                                 flags |= JSRESOLVE_DETECTING;
-                         }
-                         if (format & JOF_DECLARING)
-                             flags |= JSRESOLVE_DECLARING;
-                     }
                      obj2 = (clasp->flags & JSCLASS_NEW_RESOLVE_GETS_START)
                             ? start
                             : NULL;
-Line 3449
+Line 3866
                               proto = OBJ_GET_PROTO(cx, proto)) {
                              protoIndex++;
                          }
-                         scope = OBJ_SCOPE(obj2);
+                         if (!OBJ_IS_NATIVE(obj2)) {
-                         if (!MAP_IS_NATIVE(&scope->map)) {
                              /* Whoops, newresolve handed back a foreign obj2. */
                              JS_ASSERT(obj2 != obj);
                              ok = OBJ_LOOKUP_PROPERTY(cx, obj2, id, objp, propp);
-Line 3466
+Line 3882
                               * not on obj's proto chain.  That last case is a
                               * "too bad!" case.
                               */
+                             scope = OBJ_SCOPE(obj2);
                              if (scope->object == obj2)
                                  sprop = SCOPE_GET_PROPERTY(scope, id);
                          }
-Line 3488
+Line 3905
                      if (!ok)
                          goto cleanup;
                      JS_LOCK_OBJ(cx, obj);
+                     JS_ASSERT(OBJ_IS_NATIVE(obj));
                      scope = OBJ_SCOPE(obj);
-                     JS_ASSERT(MAP_IS_NATIVE(&scope->map));
                      if (scope->object == obj)
                          sprop = SCOPE_GET_PROPERTY(scope, id);
                  }
-Line 3530
+Line 3947
      return protoIndex;
  }
- int
+ /*
- js_FindPropertyHelper(JSContext *cx, jsid id, JSObject **objp,
+  * We cache name lookup results only for the global object or for native
-                       JSObject **pobjp, JSProperty **propp,
+  * non-global objects without prototype or with prototype that never mutates,
-                       JSPropCacheEntry **entryp)
+  * see bug 462734 and bug 487039.
+  */
+ static inline bool
+ IsCacheableNonGlobalScope(JSObject *obj)
+ {
+     JS_ASSERT(STOBJ_GET_PARENT(obj));
+     JSClass *clasp = STOBJ_GET_CLASS(obj);
+     bool cacheable = (clasp == &js_CallClass ||
+                       clasp == &js_BlockClass ||
+                       clasp == &js_DeclEnvClass);
+     JS_ASSERT_IF(cacheable, obj->map->ops->lookupProperty == js_LookupProperty);
+     return cacheable;
+ }
+ JSPropCacheEntry *
+ js_FindPropertyHelper(JSContext *cx, jsid id, JSBool cacheResult,
+                       JSObject **objp, JSObject **pobjp, JSProperty **propp)
  {
-     JSObject *obj, *pobj, *lastobj;
+     JSObject *scopeChain, *obj, *parent, *pobj;
-     uint32 shape;
+     JSPropCacheEntry *entry;
      int scopeIndex, protoIndex;
      JSProperty *prop;
-     JSScopeProperty *sprop;
-     obj = cx->fp->scopeChain;
+     JS_ASSERT_IF(cacheResult, !JS_ON_TRACE(cx));
-     shape = OBJ_SHAPE(obj);
+     scopeChain = js_GetTopStackFrame(cx)->scopeChain;
-     for (scopeIndex = 0; ; scopeIndex++) {
-         if (obj->map->ops->lookupProperty == js_LookupProperty) {
+     /* Scan entries on the scope chain that we can cache across. */
-             protoIndex =
+     entry = JS_NO_PROP_CACHE_FILL;
-                 js_LookupPropertyWithFlags(cx, obj, id, cx->resolveFlags,
+     obj = scopeChain;
-                                            &pobj, &prop);
+     parent = OBJ_GET_PARENT(cx, obj);
-         } else {
+     for (scopeIndex = 0;
-             if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+          parent
-                 return -1;
+          ? IsCacheableNonGlobalScope(obj)
-             protoIndex = -1;
+          : obj->map->ops->lookupProperty == js_LookupProperty;
-         }
+          ++scopeIndex) {
+         protoIndex =
+             js_LookupPropertyWithFlags(cx, obj, id, cx->resolveFlags,
+                                        &pobj, &prop);
+         if (protoIndex < 0)
+             return NULL;
          if (prop) {
-             if (entryp) {
+ #ifdef DEBUG
-                 if (protoIndex >= 0 && OBJ_IS_NATIVE(pobj)) {
+             if (parent) {
-                     sprop = (JSScopeProperty *) prop;
+                 JSClass *clasp = OBJ_GET_CLASS(cx, obj);
-                     js_FillPropertyCache(cx, cx->fp->scopeChain, shape,
+                 JS_ASSERT(OBJ_IS_NATIVE(pobj));
-                                          scopeIndex, protoIndex, pobj, sprop,
+                 JS_ASSERT(OBJ_GET_CLASS(cx, pobj) == clasp);
-                                          entryp);
+                 if (clasp == &js_BlockClass) {
+                     /*
+                      * Block instances on the scope chain are immutable and
+                      * always share their scope with compile-time prototypes.
+                      */
+                     JS_ASSERT(pobj == OBJ_GET_PROTO(cx, obj));
+                     JS_ASSERT(OBJ_SCOPE(obj)->object == pobj);
+                     JS_ASSERT(protoIndex == 1);
                  } else {
-                     PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
+                     /* Call and DeclEnvClass objects have no prototypes. */
-                     *entryp = NULL;
+                     JS_ASSERT(!OBJ_GET_PROTO(cx, obj));
+                     JS_ASSERT(protoIndex == 0);
                  }
              }
+ #endif
+             if (cacheResult) {
+                 entry = js_FillPropertyCache(cx, scopeChain,
+                                              scopeIndex, protoIndex, pobj,
+                                              (JSScopeProperty *) prop, false);
+             }
              SCOPE_DEPTH_ACCUM(&rt->scopeSearchDepthStats, scopeIndex);
-             *objp = obj;
+             goto out;
-             *pobjp = pobj;
-             *propp = prop;
-             return scopeIndex;
          }
-         lastobj = obj;
+         if (!parent) {
-         obj = OBJ_GET_PARENT(cx, obj);
+             pobj = NULL;
-         if (!obj)
+             goto out;
+         }
+         obj = parent;
+         parent = OBJ_GET_PARENT(cx, obj);
+     }
+     for (;;) {
+         if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+             return NULL;
+         if (prop) {
+             PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
+             goto out;
+         }
+         /*
+          * We conservatively assume that a resolve hook could mutate the scope
+          * chain during OBJ_LOOKUP_PROPERTY. So we read parent here again.
+          */
+         parent = OBJ_GET_PARENT(cx, obj);
+         if (!parent) {
+             pobj = NULL;
              break;
+         }
+         obj = parent;
      }
-     *objp = lastobj;
+   out:
-     *pobjp = NULL;
+     JS_ASSERT(!!pobj == !!prop);
-     *propp = NULL;
+     *objp = obj;
-     return scopeIndex;
+     *pobjp = pobj;
+     *propp = prop;
+     return entry;
  }
  JS_FRIEND_API(JSBool)
  js_FindProperty(JSContext *cx, jsid id, JSObject **objp, JSObject **pobjp,
                  JSProperty **propp)
  {
-     return js_FindPropertyHelper(cx, id, objp, pobjp, propp, NULL) >= 0;
+     return !!js_FindPropertyHelper(cx, id, false, objp, pobjp, propp);
  }
  JSObject *
- js_FindIdentifierBase(JSContext *cx, jsid id, JSPropCacheEntry *entry)
+ js_FindIdentifierBase(JSContext *cx, JSObject *scopeChain, jsid id)
  {
-     JSObject *obj, *pobj;
-     JSProperty *prop;
      /*
-      * Look for id's property along the "with" statement chain and the
+      * This function should not be called for a global object or from the
-      * statically-linked scope chain.
+      * trace and should have a valid cache entry for native scopeChain.
       */
-     if (js_FindPropertyHelper(cx, id, &obj, &pobj, &prop, &entry) < 0)
+     JS_ASSERT(OBJ_GET_PARENT(cx, scopeChain));
-         return NULL;
+     JS_ASSERT(!JS_ON_TRACE(cx));
-     if (prop) {
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
-         return obj;
-     }
-     /*
+     JSObject *obj = scopeChain;
-      * Use the top-level scope from the scope chain, which won't end in the
-      * same scope as cx->globalObject for cross-context function calls.
-      */
-     JS_ASSERT(obj);
      /*
-      * Property not found.  Give a strict warning if binding an undeclared
+      * Loop over cacheable objects on the scope chain until we find a
-      * top-level variable.
+      * property. We also stop when we reach the global object skipping any
+      * farther checks or lookups. For details see the JSOP_BINDNAME case of
+      * js_Interpret.
       */
-     if (JS_HAS_STRICT_OPTION(cx)) {
+     for (int scopeIndex = 0; IsCacheableNonGlobalScope(obj); scopeIndex++) {
-         JSString *str = JSVAL_TO_STRING(ID_TO_VALUE(id));
+         JSObject *pobj;
-         const char *bytes = js_GetStringBytes(cx, str);
+         JSProperty *prop;
+         int protoIndex = js_LookupPropertyWithFlags(cx, obj, id,
-         if (!bytes ||
+                                                     cx->resolveFlags,
-             !JS_ReportErrorFlagsAndNumber(cx,
+                                                     &pobj, &prop);
-                                           JSREPORT_WARNING | JSREPORT_STRICT,
+         if (protoIndex < 0)
-                                           js_GetErrorMessage, NULL,
-                                           JSMSG_UNDECLARED_VAR, bytes)) {
              return NULL;
+         if (prop) {
+             JS_ASSERT(OBJ_IS_NATIVE(pobj));
+             JS_ASSERT(OBJ_GET_CLASS(cx, pobj) == OBJ_GET_CLASS(cx, obj));
+ #ifdef DEBUG
+             JSPropCacheEntry *entry =
+ #endif
+             js_FillPropertyCache(cx, scopeChain,
+                                  scopeIndex, protoIndex, pobj,
+                                  (JSScopeProperty *) prop, false);
+             JS_ASSERT(entry);
+             JS_UNLOCK_OBJ(cx, pobj);
+             return obj;
          }
+         /* Call and other cacheable objects always have a parent. */
+         obj = OBJ_GET_PARENT(cx, obj);
+         if (!OBJ_GET_PARENT(cx, obj))
+             return obj;
      }
+     /* Loop until we find a property or reach the global object. */
+     do {
+         JSObject *pobj;
+         JSProperty *prop;
+         if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+             return NULL;
+         if (prop) {
+             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             break;
+         }
+         /*
+          * We conservatively assume that a resolve hook could mutate the scope
+          * chain during OBJ_LOOKUP_PROPERTY. So we must check if parent is not
+          * null here even if it wasn't before the lookup.
+          */
+         JSObject *parent = OBJ_GET_PARENT(cx, obj);
+         if (!parent)
+             break;
+         obj = parent;
+     } while (OBJ_GET_PARENT(cx, obj));
      return obj;
  }
-Line 3639
+Line 4140
  js_NativeGet(JSContext *cx, JSObject *obj, JSObject *pobj,
               JSScopeProperty *sprop, jsval *vp)
  {
+     js_LeaveTraceIfGlobalObject(cx, pobj);
      JSScope *scope;
      uint32 slot;
      int32 sample;
-     JSTempValueRooter tvr;
+     JSTempValueRooter tvr, tvr2;
      JSBool ok;
      JS_ASSERT(OBJ_IS_NATIVE(pobj));
-Line 3660
+Line 4163
      sample = cx->runtime->propertyRemovals;
      JS_UNLOCK_SCOPE(cx, scope);
      JS_PUSH_TEMP_ROOT_SPROP(cx, sprop, &tvr);
-     ok = SPROP_GET(cx, sprop, obj, pobj, vp);
+     JS_PUSH_TEMP_ROOT_OBJECT(cx, pobj, &tvr2);
+     ok = js_GetSprop(cx, sprop, obj, vp);
+     JS_POP_TEMP_ROOT(cx, &tvr2);
      JS_POP_TEMP_ROOT(cx, &tvr);
      if (!ok)
          return JS_FALSE;
-Line 3679
+Line 4184
  JSBool
  js_NativeSet(JSContext *cx, JSObject *obj, JSScopeProperty *sprop, jsval *vp)
  {
+     js_LeaveTraceIfGlobalObject(cx, obj);
      JSScope *scope;
      uint32 slot;
      int32 sample;
      JSTempValueRooter tvr;
-     bool ok;
+     JSBool ok;
      JS_ASSERT(OBJ_IS_NATIVE(obj));
      JS_ASSERT(JS_IS_OBJ_LOCKED(cx, obj));
      scope = OBJ_SCOPE(obj);
-     JS_ASSERT(scope->object == obj);
+     JS_ASSERT(scope->object == obj || (sprop->attrs & JSPROP_SHARED));
      slot = sprop->slot;
      if (slot != SPROP_INVALID_SLOT) {
-Line 3702
+Line 4209
           * Allow API consumers to create shared properties with stub setters.
           * Such properties lack value storage, so setting them is like writing
           * to /dev/null.
+          *
+          * But we can't short-circuit if there's a scripted getter or setter
+          * since we might need to throw. In that case, we let SPROP_SET
+          * decide whether to throw an exception. See bug 478047.
           */
-         if (SPROP_HAS_STUB_SETTER(sprop))
+         if (!(sprop->attrs & JSPROP_GETTER) && SPROP_HAS_STUB_SETTER(sprop)) {
+             JS_ASSERT(!(sprop->attrs & JSPROP_SETTER));
              return JS_TRUE;
+         }
      }
      sample = cx->runtime->propertyRemovals;
      JS_UNLOCK_SCOPE(cx, scope);
      JS_PUSH_TEMP_ROOT_SPROP(cx, sprop, &tvr);
-     ok = SPROP_SET(cx, sprop, obj, obj, vp);
+     ok = js_SetSprop(cx, sprop, obj, vp);
      JS_POP_TEMP_ROOT(cx, &tvr);
      if (!ok)
          return JS_FALSE;
      JS_LOCK_SCOPE(cx, scope);
-     JS_ASSERT(scope->object == obj);
+     JS_ASSERT(scope->object == obj || (sprop->attrs & JSPROP_SHARED));
      if (SLOT_IN_SCOPE(slot, scope) &&
          (JS_LIKELY(cx->runtime->propertyRemovals == sample) ||
           SCOPE_GET_PROPERTY(scope, sprop->id) == sprop)) {
-Line 3728
+Line 4241
  }
  JSBool
- js_GetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
+ js_GetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
-                      JSPropCacheEntry **entryp)
+                      jsval *vp)
  {
-     uint32 shape;
+     JSObject *aobj, *obj2;
      int protoIndex;
-     JSObject *obj2;
      JSProperty *prop;
      JSScopeProperty *sprop;
+     JS_ASSERT_IF(cacheResult, !JS_ON_TRACE(cx));
      /* Convert string indices to integers if appropriate. */
      CHECK_FOR_STRING_INDEX(id);
-     JS_COUNT_OPERATION(cx, JSOW_GET_PROPERTY);
-     shape = OBJ_SHAPE(obj);
+     aobj = js_GetProtoIfDenseArray(cx, obj);
-     protoIndex = js_LookupPropertyWithFlags(cx, obj, id, cx->resolveFlags,
+     protoIndex = js_LookupPropertyWithFlags(cx, aobj, id, cx->resolveFlags,
                                              &obj2, &prop);
      if (protoIndex < 0)
          return JS_FALSE;
      if (!prop) {
-         jsbytecode *pc;
          *vp = JSVAL_VOID;
          if (!OBJ_GET_CLASS(cx, obj)->getProperty(cx, obj, ID_TO_VALUE(id), vp))
              return JS_FALSE;
-         if (entryp) {
+         PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).nofills++);
-             PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
-             *entryp = NULL;
-         }
          /*
           * Give a strict warning if foo.bar is evaluated by a script for an
           * object foo with no property named 'bar'.
           */
-         if (JSVAL_IS_VOID(*vp) && cx->fp && cx->fp->regs) {
+         jsbytecode *pc;
+         if (JSVAL_IS_VOID(*vp) && ((pc = js_GetCurrentBytecodePC(cx)) != NULL)) {
              JSOp op;
              uintN flags;
-             pc = cx->fp->regs->pc;
              op = (JSOp) *pc;
+             if (op == JSOP_TRAP) {
+                 JS_ASSERT_NOT_ON_TRACE(cx);
+                 op = JS_GetTrapOpcode(cx, cx->fp->script, pc);
+             }
              if (op == JSOP_GETXPROP) {
                  flags = JSREPORT_ERROR;
              } else {
-Line 3784
+Line 4295
                  if (id == ATOM_TO_JSID(cx->runtime->atomState.iteratorAtom))
                      return JS_TRUE;
-                 /* Kludge to allow (typeof foo == "undefined") tests. */
+                 /* Do not warn about tests like (obj[prop] == undefined). */
-                 JS_ASSERT(cx->fp->script);
+                 if (cx->resolveFlags == JSRESOLVE_INFER) {
-                 pc += js_CodeSpec[op].length;
+                     js_LeaveTrace(cx);
-                 if (Detecting(cx, pc))
+                     pc += js_CodeSpec[op].length;
+                     if (Detecting(cx, pc))
+                         return JS_TRUE;
+                 } else if (cx->resolveFlags & JSRESOLVE_DETECTING) {
                      return JS_TRUE;
+                 }
                  flags = JSREPORT_WARNING | JSREPORT_STRICT;
              }
-Line 3809
+Line 4324
      }
      sprop = (JSScopeProperty *) prop;
+     if (cacheResult) {
+         JS_ASSERT_NOT_ON_TRACE(cx);
+         js_FillPropertyCache(cx, aobj, 0, protoIndex, obj2, sprop, false);
+     }
      if (!js_NativeGet(cx, obj, obj2, sprop, vp))
          return JS_FALSE;
-     if (entryp)
-         js_FillPropertyCache(cx, obj, shape, 0, protoIndex, obj2, sprop, entryp);
      JS_UNLOCK_OBJ(cx, obj2);
      return JS_TRUE;
  }
-Line 3821
+Line 4340
  JSBool
  js_GetProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
  {
-     return js_GetPropertyHelper(cx, obj, id, vp, NULL);
+     return js_GetPropertyHelper(cx, obj, id, false, vp);
  }
  JSBool
- js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
+ js_GetMethod(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
-                      JSPropCacheEntry **entryp)
+              jsval *vp)
+ {
+     if (obj->map->ops == &js_ObjectOps ||
+         obj->map->ops->getProperty == js_GetProperty) {
+         return js_GetPropertyHelper(cx, obj, id, cacheResult, vp);
+     }
+     JS_ASSERT_IF(cacheResult, OBJ_IS_DENSE_ARRAY(cx, obj));
+ #if JS_HAS_XML_SUPPORT
+     if (OBJECT_IS_XML(cx, obj))
+         return js_GetXMLMethod(cx, obj, id, vp);
+ #endif
+     return OBJ_GET_PROPERTY(cx, obj, id, vp);
+ }
+ JS_FRIEND_API(JSBool)
+ js_CheckUndeclaredVarAssignment(JSContext *cx)
+ {
+     JSStackFrame *fp;
+     if (!JS_HAS_STRICT_OPTION(cx) ||
+         !(fp = js_GetTopStackFrame(cx)) ||
+         !fp->regs ||
+         js_GetOpcode(cx, fp->script, fp->regs->pc) != JSOP_SETNAME) {
+         return JS_TRUE;
+     }
+     JSAtom *atom;
+     GET_ATOM_FROM_BYTECODE(fp->script, fp->regs->pc, 0, atom);
+     const char *bytes = js_AtomToPrintableString(cx, atom);
+     return bytes &&
+            JS_ReportErrorFlagsAndNumber(cx, JSREPORT_WARNING | JSREPORT_STRICT,
+                                         js_GetErrorMessage, NULL,
+                                         JSMSG_UNDECLARED_VAR, bytes);
+ }
+ /*
+  * Note: all non-error exits in this function must notify the tracer using
+  * SetPropHit when called from the interpreter loop (cacheResult is true).
+  */
+ JSBool
+ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
+                      jsval *vp)
  {
-     uint32 shape;
      int protoIndex;
      JSObject *pobj;
      JSProperty *prop;
-Line 3838
+Line 4397
      intN shortid;
      JSClass *clasp;
      JSPropertyOp getter, setter;
+     bool added;
+     if (cacheResult)
+         JS_ASSERT_NOT_ON_TRACE(cx);
      /* Convert string indices to integers if appropriate. */
      CHECK_FOR_STRING_INDEX(id);
-     JS_COUNT_OPERATION(cx, JSOW_SET_PROPERTY);
-     shape = OBJ_SHAPE(obj);
+     /*
+      * We peek at OBJ_SCOPE(obj) without locking obj. Any race means a failure
+      * to seal before sharing, which is inherently ambiguous.
+      */
+     if (SCOPE_IS_SEALED(OBJ_SCOPE(obj)) && OBJ_SCOPE(obj)->object == obj) {
+         flags = JSREPORT_ERROR;
+         goto read_only_error;
+     }
      protoIndex = js_LookupPropertyWithFlags(cx, obj, id, cx->resolveFlags,
                                              &pobj, &prop);
      if (protoIndex < 0)
          return JS_FALSE;
+     if (prop) {
+         if (!OBJ_IS_NATIVE(pobj)) {
+             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             prop = NULL;
+         }
+     } else {
+         /* We should never add properties to lexical blocks.  */
+         JS_ASSERT(OBJ_GET_CLASS(cx, obj) != &js_BlockClass);
-     if (prop && !OBJ_IS_NATIVE(pobj)) {
+         if (!OBJ_GET_PARENT(cx, obj) && !js_CheckUndeclaredVarAssignment(cx))
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+             return JS_FALSE;
-         prop = NULL;
      }
      sprop = (JSScopeProperty *) prop;
-Line 3880
+Line 4457
          attrs = sprop->attrs;
          if ((attrs & JSPROP_READONLY) ||
-             (SCOPE_IS_SEALED(scope) && pobj == obj)) {
+             (SCOPE_IS_SEALED(scope) && (attrs & JSPROP_SHARED))) {
              JS_UNLOCK_SCOPE(cx, scope);
              /*
-Line 3895
+Line 4472
              if (attrs & JSPROP_READONLY) {
                  if (!JS_HAS_STRICT_OPTION(cx)) {
                      /* Just return true per ECMA if not in strict mode. */
-                     PCMETER(!entryp || JS_PROPERTY_CACHE(cx).rofills++);
+                     PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).rofills++);
+                     if (cacheResult)
+                         TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
                      return JS_TRUE;
+                 error: // TRACE_2 jumps here in case of error.
+                     return JS_FALSE;
                  }
                  /* Strict mode: report a read-only strict warning. */
-Line 3915
+Line 4496
               */
              JS_UNLOCK_SCOPE(cx, scope);
-             /*
+             /* Don't clone a shared prototype property. */
-              * Don't clone a shared prototype property. Don't fill it in the
-              * property cache either, since the JSOP_SETPROP/JSOP_SETNAME code
-              * in js_Interpret does not handle shared or prototype properties.
-              * Shared prototype properties require more hit qualification than
-              * the fast-path code for those ops, which is targeted on direct,
-              * slot-based properties.
-              */
              if (attrs & JSPROP_SHARED) {
-                 if (entryp) {
+                 if (cacheResult) {
-                     PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
+                     JSPropCacheEntry *entry;
-                     *entryp = NULL;
+                     entry = js_FillPropertyCache(cx, obj, 0, protoIndex, pobj, sprop, false);
+                     TRACE_2(SetPropHit, entry, sprop);
                  }
                  if (SPROP_HAS_STUB_SETTER(sprop) &&
-Line 3934
+Line 4509
                      return JS_TRUE;
                  }
-                 return !!SPROP_SET(cx, sprop, obj, pobj, vp);
+                 return js_SetSprop(cx, sprop, obj, vp);
              }
              /* Restore attrs to the ECMA default for new properties. */
-Line 3966
+Line 4541
  #endif
      }
+     added = false;
      if (!sprop) {
-         if (SCOPE_IS_SEALED(OBJ_SCOPE(obj)) && OBJ_SCOPE(obj)->object == obj) {
-             flags = JSREPORT_ERROR;
-             goto read_only_error;
-         }
          /*
           * Purge the property cache of now-shadowed id in obj's scope chain.
           * Do this early, before locking obj to avoid nesting locks.
           */
-         PurgeScopeChain(cx, obj, id);
+         js_PurgeScopeChain(cx, obj, id);
          /* Find or make a property descriptor with the right heritage. */
          JS_LOCK_OBJ(cx, obj);
-Line 4007
+Line 4578
                              js_RemoveScopeProperty(cx, scope, id);
                              JS_UNLOCK_SCOPE(cx, scope);
                              return JS_FALSE);
+         added = true;
+     }
+     if (cacheResult) {
+         JSPropCacheEntry *entry;
+         entry = js_FillPropertyCache(cx, obj, 0, 0, obj, sprop, added);
+         TRACE_2(SetPropHit, entry, sprop);
      }
      if (!js_NativeSet(cx, obj, sprop, vp))
-         return JS_FALSE;
+         return NULL;
-     if (entryp) {
-         if (!(attrs & JSPROP_SHARED))
-             js_FillPropertyCache(cx, obj, shape, 0, 0, obj, sprop, entryp);
-         else
-             PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
-     }
      JS_UNLOCK_SCOPE(cx, scope);
      return JS_TRUE;
-Line 4030
+Line 4602
  JSBool
  js_SetProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
  {
-     return js_SetPropertyHelper(cx, obj, id, vp, NULL);
+     return js_SetPropertyHelper(cx, obj, id, false, vp);
  }
  JSBool
-Line 4101
+Line 4673
      /* Convert string indices to integers if appropriate. */
      CHECK_FOR_STRING_INDEX(id);
-     JS_COUNT_OPERATION(cx, JSOW_DELETE_PROPERTY);
      if (!js_LookupProperty(cx, obj, id, &proto, &prop))
          return JS_FALSE;
-Line 4627
+Line 5198
          if (VALUE_IS_FUNCTION(cx, fval)) {
              if (!GetCurrentExecutionContext(cx, obj, &nargv[2]))
                  return JS_FALSE;
-             args = js_GetArgsObject(cx, cx->fp);
+             args = js_GetArgsObject(cx, js_GetTopStackFrame(cx));
              if (!args)
                  return JS_FALSE;
              nargv[0] = OBJECT_TO_JSVAL(obj);
-Line 4641
+Line 5212
              return ok;
          }
  #endif
-         js_ReportIsNotFunction(cx, &argv[-2], cx->fp->flags & JSFRAME_ITERATOR);
+         js_ReportIsNotFunction(cx, &argv[-2], js_GetTopStackFrame(cx)->flags & JSFRAME_ITERATOR);
          return JS_FALSE;
      }
      return clasp->call(cx, obj, argc, argv, rval);
-Line 4670
+Line 5241
          if (VALUE_IS_FUNCTION(cx, cval)) {
              if (!GetCurrentExecutionContext(cx, obj, &nargv[1]))
                  return JS_FALSE;
-             args = js_GetArgsObject(cx, cx->fp);
+             args = js_GetArgsObject(cx, js_GetTopStackFrame(cx));
              if (!args)
                  return JS_FALSE;
              nargv[0] = OBJECT_TO_JSVAL(args);
-Line 4885
+Line 5456
          obj = JSVAL_TO_OBJECT(v);
          if (!OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_OBJECT, &v))
              return JS_FALSE;
-         if (JSVAL_IS_OBJECT(v))
+         if (!JSVAL_IS_PRIMITIVE(v))
              obj = JSVAL_TO_OBJECT(v);
      } else {
          if (!js_PrimitiveToObject(cx, &v))
-Line 4937
+Line 5508
      older = JS_SetErrorReporter(cx, NULL);
      id = ATOM_TO_JSID(atom);
      fval = JSVAL_VOID;
- #if JS_HAS_XML_SUPPORT
+     ok = js_GetMethod(cx, obj, id, false, &fval);
-     if (OBJECT_IS_XML(cx, obj)) {
-         JSXMLObjectOps *ops;
-         ops = (JSXMLObjectOps *) obj->map->ops;
-         obj = ops->getMethod(cx, obj, id, &fval);
-         ok = (obj != NULL);
-     } else
- #endif
-     {
-         ok = OBJ_GET_PROPERTY(cx, obj, id, &fval);
-     }
      if (!ok)
          JS_ClearPendingException(cx);
      JS_SetErrorReporter(cx, older);
-     return JSVAL_IS_PRIMITIVE(fval) ||
+     if (JSVAL_IS_PRIMITIVE(fval))
-            js_InternalCall(cx, obj, fval, argc, argv, rval);
+         return JS_TRUE;
+     return js_InternalCall(cx, obj, fval, argc, argv, rval);
  }
  #if JS_HAS_XDR
-Line 5189
+Line 5750
              if (IS_GC_MARKING_TRACER(trc)) {
                  uint32 shape, oldshape;
-                 shape = ++cx->runtime->shapeGen;
+                 shape = js_RegenerateShapeForGC(cx);
-                 JS_ASSERT(shape != 0);
                  if (!(sprop->flags & SPROP_MARK)) {
                      oldshape = sprop->shape;
                      sprop->shape = shape;
                      sprop->flags |= SPROP_FLAG_SHAPE_REGEN;
-                     if (scope->shape != oldshape) {
+                     if (scope->shape != oldshape)
-                         shape = ++cx->runtime->shapeGen;
+                         shape = js_RegenerateShapeForGC(cx);
-                         JS_ASSERT(shape != 0);
-                     }
                  }
                  scope->shape = shape;
-Line 5238
+Line 5795
       * above.
       */
      nslots = STOBJ_NSLOTS(obj);
-     if (scope->object == obj && scope->map.freeslot < nslots)
+     if (scope->object == obj && scope->freeslot < nslots)
-         nslots = scope->map.freeslot;
+         nslots = scope->freeslot;
      for (i = 0; i != nslots; ++i) {
          v = STOBJ_GET_SLOT(obj, i);
-Line 5273
+Line 5830
          n = JSSLOT_FREE(LOCKED_OBJ_GET_CLASS(obj));
          while (--i >= n)
              STOBJ_SET_SLOT(obj, i, JSVAL_VOID);
-         scope->map.freeslot = n;
+         scope->freeslot = n;
      }
      JS_UNLOCK_OBJ(cx, obj);
  }
-Line 5322
+Line 5879
      }
      /* Whether or not we grew nslots, we may need to advance freeslot. */
-     if (scope->object == obj && slot >= scope->map.freeslot)
+     if (scope->object == obj && slot >= scope->freeslot)
-         scope->map.freeslot = slot + 1;
+         scope->freeslot = slot + 1;
      STOBJ_SET_SLOT(obj, slot, v);
+     GC_POKE(cx, JS_NULL);
      JS_UNLOCK_SCOPE(cx, scope);
      return JS_TRUE;
  }
-Line 5347
+Line 5905
      return obj;
  }
- #if DEBUG
+ JSBool
+ js_IsCallable(JSObject *obj, JSContext *cx)
+ {
+     if (!OBJ_IS_NATIVE(obj))
+         return obj->map->ops->call != NULL;
+     JS_LOCK_OBJ(cx, obj);
+     JSBool callable = (obj->map->ops == &js_ObjectOps)
+                       ? HAS_FUNCTION_CLASS(obj) || STOBJ_GET_CLASS(obj)->call
+                       : obj->map->ops->call != NULL;
+     JS_UNLOCK_OBJ(cx, obj);
+     return callable;
+ }
+ void
+ js_ReportGetterOnlyAssignment(JSContext *cx)
+ {
+     JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
+                          JSMSG_GETTER_ONLY, NULL);
+ }
+ JS_FRIEND_API(JSBool)
+ js_GetterOnlyPropertyStub(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
+ {
+     js_ReportGetterOnlyAssignment(cx);
+     return JS_FALSE;
+ }
+ #ifdef DEBUG
  /*
   * Routines to print out values during debugging.  These are FRIEND_API to help
-Line 5417
+Line 6004
          fprintf(stderr, "null");
      } else if (JSVAL_IS_VOID(val)) {
          fprintf(stderr, "undefined");
+     } else if (JSVAL_IS_OBJECT(val) &&
+                HAS_FUNCTION_CLASS(JSVAL_TO_OBJECT(val))) {
+         JSObject *funobj = JSVAL_TO_OBJECT(val);
+         JSFunction *fun = (JSFunction *) STOBJ_GET_PRIVATE(funobj);
+         fprintf(stderr, "<%s %s at %p (JSFunction at %p)>",
+                 fun->atom ? "function" : "unnamed",
+                 fun->atom ? JS_GetStringBytes(ATOM_TO_STRING(fun->atom)) : "function",
+                 (void *) funobj,
+                 (void *) fun);
      } else if (JSVAL_IS_OBJECT(val)) {
          JSObject *obj = JSVAL_TO_OBJECT(val);
          JSClass *cls = STOBJ_GET_CLASS(obj);
          fprintf(stderr, "<%s%s at %p>",
                  cls->name,
                  cls == &js_ObjectClass ? "" : " object",
-                 obj);
+                 (void *) obj);
      } else if (JSVAL_IS_INT(val)) {
          fprintf(stderr, "%d", JSVAL_TO_INT(val));
      } else if (JSVAL_IS_STRING(val)) {
-Line 5488
+Line 6084
      uint32 i, slots;
      JSClass *clasp;
      jsuint reservedEnd;
-     JSBool sharesScope = JS_FALSE;
+     bool sharesScope = false;
      fprintf(stderr, "object %p\n", (void *) obj);
      clasp = STOBJ_GET_CLASS(obj);
-Line 5497
+Line 6093
      /* OBJ_IS_DENSE_ARRAY ignores the cx argument. */
      if (OBJ_IS_DENSE_ARRAY(BOGUS_CX, obj)) {
          slots = JS_MIN((jsuint) obj->fslots[JSSLOT_ARRAY_LENGTH],
-                        ARRAY_DENSE_LENGTH(obj));
+                        js_DenseArrayCapacity(obj));
          fprintf(stderr, "elements\n");
          for (i = 0; i < slots; i++) {
              fprintf(stderr, " %3d: ", i);
-Line 5517
+Line 6113
          sharesScope = (scope->object != obj);
          if (sharesScope) {
-             fprintf(stderr, "no own properties - see proto (%s at %p)\n",
+             if (proto) {
-                     STOBJ_GET_CLASS(proto)->name, proto);
+                 fprintf(stderr, "no own properties - see proto (%s at %p)\n",
+                         STOBJ_GET_CLASS(proto)->name, (void *) proto);
+             } else {
+                 fprintf(stderr, "no own properties - null proto\n");
+             }
          } else {
              fprintf(stderr, "properties:\n");
              for (JSScopeProperty *sprop = SCOPE_LAST_PROP(scope); sprop;
-Line 5539
+Line 6139
      if (clasp->flags & JSCLASS_HAS_PRIVATE)
          reservedEnd++;
      reservedEnd += JSCLASS_RESERVED_SLOTS(clasp);
-     slots = sharesScope ? reservedEnd : obj->map->freeslot;
+     slots = (OBJ_IS_NATIVE(obj) && !sharesScope)
+             ? OBJ_SCOPE(obj)->freeslot
+             : STOBJ_NSLOTS(obj);
      for (i = 0; i < slots; i++) {
          fprintf(stderr, " %3d ", i);
          if (i == JSSLOT_PRIVATE && (clasp->flags & JSCLASS_HAS_PRIVATE)) {

 Legend:



Removed from v.459
 


changed lines


 
Added in v.460
 Legend:



Removed from v.459
 


changed lines


 
Added in v.460
-Removed from v.459
+Added in v.460

	ViewVC Help
Powered by ViewVC 1.1.24