/[jscoverage]/trunk/js/jsobj.cpp

Diff of /trunk/js/jsobj.cpp

Parent Directory | Revision Log | View Patch Patch

-revision 506 by siliconforks,
Sat Sep 26 23:15:22 2009 UTC
+revision 507 by siliconforks,
Sun Jan 10 07:23:34 2010 UTC
 Line 1
- /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
   * vim: set ts=8 sw=4 et tw=79:
   *
   * ***** BEGIN LICENSE BLOCK *****
 Line 41
  /*
   * JS object implementation.
   */
- #include "jsstddef.h"
  #include <stdlib.h>
  #include <string.h>
  #include "jstypes.h"
+ #include "jsstdint.h"
  #include "jsarena.h" /* Added by JSIFY */
  #include "jsbit.h"
  #include "jsutil.h" /* Added by JSIFY */
 Line 69
  #include "jsparse.h"
  #include "jsscope.h"
  #include "jsscript.h"
+ #include "jsscriptinlines.h"
  #include "jsstaticcheck.h"
  #include "jsstr.h"
  #include "jstracer.h"
-Line 90
+Line 91
  #include "jsdtracef.h"
  #endif
+ #include "jsatominlines.h"
+ #include "jsobjinlines.h"
+ #include "jsscriptinlines.h"
  #include "jsautooplen.h"
  #ifdef JS_THREADSAFE
-Line 111
+Line 116
      NULL,                   NATIVE_DROP_PROPERTY,
      js_Call,                js_Construct,
      js_HasInstance,         js_TraceObject,
-     js_Clear,               js_GetRequiredSlot,
+     js_Clear
-     js_SetRequiredSlot
  };
  JSClass js_ObjectClass = {
      js_Object_str,
      JSCLASS_HAS_CACHED_PROTO(JSProto_Object),
      JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,
-     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   JS_FinalizeStub,
+     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   NULL,
      JSCLASS_NO_OPTIONAL_MEMBERS
  };
-Line 179
+Line 183
          mode = JSACC_PARENT;
      }
-     /* Let OBJ_CHECK_ACCESS get the slot's value, based on the access mode. */
+     /* Let obj->checkAccess get the slot's value, based on the access mode. */
-     if (!OBJ_CHECK_ACCESS(cx, obj, propid, mode, vp, &attrs))
+     if (!obj->checkAccess(cx, propid, mode, vp, &attrs))
          return JS_FALSE;
      pobj = JSVAL_TO_OBJECT(*vp);
-Line 234
+Line 238
      /* __parent__ is readonly and permanent, only __proto__ may be set. */
      propid = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
-     if (!OBJ_CHECK_ACCESS(cx, obj, propid,
+     if (!obj->checkAccess(cx, propid, (JSAccessMode)(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
-                           (JSAccessMode)(JSACC_PROTO|JSACC_WRITE), vp,
-                           &attrs)) {
          return JS_FALSE;
-     }
      return js_SetProtoOrParent(cx, obj, slot, pobj, JS_TRUE);
  }
-Line 253
+Line 254
      if (JS_HAS_STRICT_OPTION(cx) && !ReportStrictSlot(cx, JSSLOT_COUNT))
          return JS_FALSE;
-     /* Get the number of properties to enumerate. */
      iter_state = JSVAL_NULL;
-     ok = OBJ_ENUMERATE(cx, obj, JSENUMERATE_INIT, &iter_state, &num_properties);
+     JSAutoEnumStateRooter tvr(cx, obj, &iter_state);
+     /* Get the number of properties to enumerate. */
+     ok = obj->enumerate(cx, JSENUMERATE_INIT, &iter_state, &num_properties);
      if (!ok)
          goto out;
-Line 267
+Line 270
      *vp = num_properties;
  out:
-     if (iter_state != JSVAL_NULL)
+     if (!JSVAL_IS_NULL(iter_state))
-         ok = OBJ_ENUMERATE(cx, obj, JSENUMERATE_DESTROY, &iter_state, 0);
+         ok &= obj->enumerate(cx, JSENUMERATE_DESTROY, &iter_state, 0);
      return ok;
  }
-Line 297
+Line 300
          /*
           * Regenerate property cache shape ids for all of the scopes along the
           * old prototype chain to invalidate their property cache entries, in
-          * case any entries were filled by looking up starting from obj.
+          * case any entries were filled by looking up through obj.
           */
          JSObject *oldproto = obj;
          while (oldproto && OBJ_IS_NATIVE(oldproto)) {
              JS_LOCK_OBJ(cx, oldproto);
              JSScope *scope = OBJ_SCOPE(oldproto);
-             js_MakeScopeShapeUnique(cx, scope);
+             scope->protoShapeChange(cx);
-             JSObject *tmp = STOBJ_GET_PROTO(scope->object);
+             JSObject *tmp = STOBJ_GET_PROTO(oldproto);
              JS_UNLOCK_OBJ(cx, oldproto);
              oldproto = tmp;
          }
-Line 312
+Line 315
      if (!pobj || !checkForCycles) {
          if (slot == JSSLOT_PROTO)
-             STOBJ_SET_PROTO(obj, pobj);
+             obj->setProto(pobj);
          else
-             STOBJ_SET_PARENT(obj, pobj);
+             obj->setParent(pobj);
      } else {
          /*
           * Use the GC machinery to serialize access to all objects on the
-Line 404
+Line 407
          for (i = 0, length = ida->length; i < length; i++) {
              id = ida->vector[i];
  #if JS_HAS_GETTER_SETTER
-             ok = OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop);
+             ok = obj->lookupProperty(cx, id, &obj2, &prop);
              if (!ok)
                  break;
              if (!prop)
                  continue;
-             ok = OBJ_GET_ATTRIBUTES(cx, obj2, id, prop, &attrs);
+             ok = obj2->getAttributes(cx, id, prop, &attrs);
              if (ok) {
                  if (OBJ_IS_NATIVE(obj2) &&
                      (attrs & (JSPROP_GETTER | JSPROP_SETTER))) {
-Line 427
+Line 430
                          val = js_CastAsObjectJSVal(sprop->setter);
                      }
                  } else {
-                     ok = OBJ_GET_PROPERTY(cx, obj, id, &val);
+                     ok = obj->getProperty(cx, id, &val);
                  }
              }
-             OBJ_DROP_PROPERTY(cx, obj2, prop);
+             obj2->dropProperty(cx, prop);
  #else
-             ok = OBJ_GET_PROPERTY(cx, obj, id, &val);
+             ok = obj->getProperty(cx, id, &val);
  #endif
              if (!ok)
                  break;
-Line 524
+Line 527
           * It's possible that the value of a property has changed from the
           * first time the object's properties are traversed (when the property
           * ids are entered into the hash table) to the second (when they are
-          * converted to strings), i.e., the OBJ_GET_PROPERTY() call is not
+          * converted to strings), i.e., the JSObject::getProperty() call is not
           * idempotent.
           */
          if (!he) {
-Line 558
+Line 561
              ida = JS_Enumerate(cx, obj);
              if (!ida) {
                  if (*sp) {
-                     JS_free(cx, *sp);
+                     cx->free(*sp);
                      *sp = NULL;
                  }
                  goto bad;
-Line 702
+Line 705
      if (!chars) {
          /* If outermost, allocate 4 + 1 for "({})" and the terminator. */
-         chars = (jschar *) malloc(((outermost ? 4 : 2) + 1) * sizeof(jschar));
+         chars = (jschar *) js_malloc(((outermost ? 4 : 2) + 1) * sizeof(jschar));
          nchars = 0;
          if (!chars)
              goto error;
-Line 713
+Line 716
          MAKE_SHARP(he);
          nchars = js_strlen(chars);
          chars = (jschar *)
-             realloc((ochars = chars), (nchars + 2 + 1) * sizeof(jschar));
+             js_realloc((ochars = chars), (nchars + 2 + 1) * sizeof(jschar));
          if (!chars) {
-             free(ochars);
+             js_free(ochars);
              goto error;
          }
          if (outermost) {
-Line 746
+Line 749
          id = ida->vector[i];
  #if JS_HAS_GETTER_SETTER
-         ok = OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop);
+         ok = obj->lookupProperty(cx, id, &obj2, &prop);
          if (!ok)
              goto error;
  #endif
-Line 758
+Line 761
          idstr = js_ValueToString(cx, ID_TO_VALUE(id));
          if (!idstr) {
              ok = JS_FALSE;
-             OBJ_DROP_PROPERTY(cx, obj2, prop);
+             obj2->dropProperty(cx, prop);
              goto error;
          }
          *vp = STRING_TO_JSVAL(idstr);                   /* local root */
          idIsLexicalIdentifier = js_IsIdentifier(idstr);
          needOldStyleGetterSetter =
              !idIsLexicalIdentifier ||
-             js_CheckKeyword(JSSTRING_CHARS(idstr),
+             js_CheckKeyword(idstr->chars(), idstr->length()) != TOK_EOF;
-                             JSSTRING_LENGTH(idstr)) != TOK_EOF;
  #if JS_HAS_GETTER_SETTER
          valcnt = 0;
          if (prop) {
-             ok = OBJ_GET_ATTRIBUTES(cx, obj2, id, prop, &attrs);
+             ok = obj2->getAttributes(cx, id, prop, &attrs);
              if (!ok) {
-                 OBJ_DROP_PROPERTY(cx, obj2, prop);
+                 obj2->dropProperty(cx, prop);
                  goto error;
              }
              if (OBJ_IS_NATIVE(obj2) &&
-Line 802
+Line 804
                  valcnt = 1;
                  gsop[0] = NULL;
                  gsopold[0] = NULL;
-                 ok = OBJ_GET_PROPERTY(cx, obj, id, &val[0]);
+                 ok = obj->getProperty(cx, id, &val[0]);
              }
-             OBJ_DROP_PROPERTY(cx, obj2, prop);
+             obj2->dropProperty(cx, prop);
          }
  #else  /* !JS_HAS_GETTER_SETTER */
-Line 818
+Line 820
          valcnt = 1;
          gsop[0] = NULL;
          gsopold[0] = NULL;
-         ok = OBJ_GET_PROPERTY(cx, obj, id, &val[0]);
+         ok = obj->getProperty(cx, id, &val[0]);
  #endif /* !JS_HAS_GETTER_SETTER */
-Line 839
+Line 841
              }
              *vp = STRING_TO_JSVAL(idstr);               /* local root */
          }
-         JSSTRING_CHARS_AND_LENGTH(idstr, idstrchars, idstrlength);
+         idstr->getCharsAndLength(idstrchars, idstrlength);
          for (j = 0; j < valcnt; j++) {
              /* Convert val[j] to its canonical source form. */
-Line 849
+Line 851
                  goto error;
              }
              localroot[j] = STRING_TO_JSVAL(valstr);     /* local root */
-             JSSTRING_CHARS_AND_LENGTH(valstr, vchars, vlength);
+             valstr->getCharsAndLength(vchars, vlength);
              if (vchars[0] == '#')
                  needOldStyleGetterSetter = JS_TRUE;
-Line 945
+Line 947
                  SAFE_ADD(2);
              SAFE_ADD(idstrlength + 1);
              if (gsop[j])
-                 SAFE_ADD(JSSTRING_LENGTH(gsop[j]) + 1);
+                 SAFE_ADD(gsop[j]->length() + 1);
              SAFE_ADD(vsharplength);
              SAFE_ADD(vlength);
              /* Account for the trailing null. */
-Line 957
+Line 959
              /* Allocate 1 + 1 at end for closing brace and terminating 0. */
              chars = (jschar *)
-                 realloc((ochars = chars), curlen * sizeof(jschar));
+                 js_realloc((ochars = chars), curlen * sizeof(jschar));
              if (!chars) {
                  /* Save code space on error: let JS_free ignore null vsharp. */
-                 JS_free(cx, vsharp);
+                 cx->free(vsharp);
-                 free(ochars);
+                 js_free(ochars);
                  goto error;
              }
-Line 976
+Line 978
                  nchars += idstrlength;
                  if (gsop[j]) {
                      chars[nchars++] = ' ';
-                     gsoplength = JSSTRING_LENGTH(gsop[j]);
+                     gsoplength = gsop[j]->length();
-                     js_strncpy(&chars[nchars], JSSTRING_CHARS(gsop[j]),
+                     js_strncpy(&chars[nchars], gsop[j]->chars(),
                                 gsoplength);
                      nchars += gsoplength;
                  }
                  chars[nchars++] = ':';
              } else {  /* New style "decompilation" */
                  if (gsop[j]) {
-                     gsoplength = JSSTRING_LENGTH(gsop[j]);
+                     gsoplength = gsop[j]->length();
-                     js_strncpy(&chars[nchars], JSSTRING_CHARS(gsop[j]),
+                     js_strncpy(&chars[nchars], gsop[j]->chars(),
                                 gsoplength);
                      nchars += gsoplength;
                      chars[nchars++] = ' ';
-Line 1004
+Line 1006
              nchars += vlength;
              if (vsharp)
-                 JS_free(cx, vsharp);
+                 cx->free(vsharp);
          }
      }
-Line 1018
+Line 1020
      if (!ok) {
          if (chars)
-             free(chars);
+             js_free(chars);
          goto out;
      }
-Line 1030
+Line 1032
    make_string:
      str = js_NewString(cx, chars, nchars);
      if (!str) {
-         free(chars);
+         js_free(chars);
          ok = JS_FALSE;
          goto out;
      }
-Line 1041
+Line 1043
      return ok;
    overflow:
-     JS_free(cx, vsharp);
+     cx->free(vsharp);
-     free(chars);
+     js_free(chars);
      chars = NULL;
      goto error;
  }
-Line 1063
+Line 1065
      obj = js_GetWrappedObject(cx, obj);
      clazz = OBJ_GET_CLASS(cx, obj)->name;
      nchars = 9 + strlen(clazz);         /* 9 for "[object ]" */
-     chars = (jschar *) JS_malloc(cx, (nchars + 1) * sizeof(jschar));
+     chars = (jschar *) cx->malloc((nchars + 1) * sizeof(jschar));
      if (!chars)
          return JS_FALSE;
-Line 1078
+Line 1080
      str = js_NewString(cx, chars, nchars);
      if (!str) {
-         JS_free(cx, chars);
+         cx->free(chars);
          return JS_FALSE;
      }
      *vp = STRING_TO_JSVAL(str);
-Line 1203
+Line 1205
          return principals->codebase;
      }
-     jsbytecode *pc = caller->regs->pc;
+     if (caller->regs && js_GetOpcode(cx, caller->script, caller->regs->pc) == JSOP_EVAL) {
-     if (caller->regs && js_GetOpcode(cx, caller->script, pc) == JSOP_EVAL) {
+         JS_ASSERT(js_GetOpcode(cx, caller->script, caller->regs->pc + JSOP_EVAL_LENGTH) == JSOP_LINENO);
-         JS_ASSERT(js_GetOpcode(cx, caller->script, pc + JSOP_EVAL_LENGTH) == JSOP_LINENO);
+         *linenop = GET_UINT16(caller->regs->pc + JSOP_EVAL_LENGTH);
-         *linenop = GET_UINT16(pc + JSOP_EVAL_LENGTH);
      } else {
          *linenop = js_FramePCToLineNumber(cx, caller);
      }
-Line 1224
+Line 1225
      size_t n;
      uint32 h;
-     JSSTRING_CHARS_AND_LENGTH(str, s, n);
+     str->getCharsAndLength(s, n);
      if (n > 100)
          n = 100;
      for (h = 0; n; s++, n--)
-Line 1257
+Line 1258
      fp = js_GetTopStackFrame(cx);
      caller = js_GetScriptedCaller(cx, fp);
      indirectCall = (caller && caller->regs && *caller->regs->pc != JSOP_EVAL);
+     uintN staticLevel = caller->script->staticLevel + 1;
      /*
       * This call to js_GetWrappedObject is safe because of the security checks
-Line 1398
+Line 1400
      tcflags = TCF_COMPILE_N_GO;
      if (caller) {
-         tcflags |= TCF_PUT_STATIC_LEVEL(caller->script->staticLevel + 1);
+         tcflags |= TCF_PUT_STATIC_LEVEL(staticLevel);
          principals = JS_EvalFramePrincipals(cx, fp, caller);
          file = js_ComputeFilename(cx, caller, principals, &line);
      } else {
-Line 1412
+Line 1414
      /* Cache local eval scripts indexed by source qualified by scope. */
      bucket = EvalCacheHash(cx, str);
-     if (caller->fun) {
+     if (!indirectCall && argc == 1 && caller->fun) {
          uintN count = 0;
          JSScript **scriptp = bucket;
          EVAL_CACHE_METER(probe);
          while ((script = *scriptp) != NULL) {
              if ((script->flags & JSSF_SAVED_CALLER_FUN) &&
+                 script->staticLevel == staticLevel &&
                  script->version == cx->version &&
                  (script->principals == principals ||
                   (principals->subsume(principals, script->principals) &&
-Line 1428
+Line 1431
                   * See JSCompiler::compileScript in jsparse.cpp.
                   */
                  JSFunction *fun;
-                 JS_GET_SCRIPT_FUNCTION(script, 0, fun);
+                 fun = script->getFunction(0);
                  if (fun == caller->fun) {
                      /*
-Line 1445
+Line 1448
                           * script has no compiled-in dependencies on the prior
                           * eval's scopeobj.
                           */
-                         JSObjectArray *objarray = JS_SCRIPT_OBJECTS(script);
+                         JSObjectArray *objarray = script->objects();
                          int i = 1;
                          if (objarray->length == 1) {
                              if (script->regexpsOffset != 0) {
-                                 objarray = JS_SCRIPT_REGEXPS(script);
+                                 objarray = script->regexps();
                                  i = 0;
                              } else {
                                  EVAL_CACHE_METER(noscope);
-Line 1458
+Line 1461
                          }
                          if (i < 0 ||
                              STOBJ_GET_PARENT(objarray->vector[i]) == scopeobj) {
+                             JS_ASSERT(staticLevel == script->staticLevel);
                              EVAL_CACHE_METER(hit);
                              *scriptp = script->u.nextToGC;
                              script->u.nextToGC = NULL;
-Line 1478
+Line 1482
      if (!script) {
          script = JSCompiler::compileScript(cx, scopeobj, caller, principals, tcflags,
-                                            JSSTRING_CHARS(str), JSSTRING_LENGTH(str),
+                                            str->chars(), str->length(),
                                             NULL, file, line, str);
          if (!script) {
              ok = JS_FALSE;
-Line 1513
+Line 1517
      if (setCallerScopeChain) {
          caller->scopeChain = callerScopeChain;
          JS_ASSERT(OBJ_GET_CLASS(cx, setCallerScopeChain) == &js_WithClass);
-         JS_SetPrivate(cx, setCallerScopeChain, NULL);
+         setCallerScopeChain->setPrivate(NULL);
      }
      if (setCallerVarObj)
          caller->varobj = callerVarObj;
-Line 1599
+Line 1603
          return JS_FALSE;
      obj = JS_THIS_OBJECT(cx, vp);
-     if (!obj || !OBJ_CHECK_ACCESS(cx, obj, propid, JSACC_WATCH, &value, &attrs))
+     if (!obj || !obj->checkAccess(cx, propid, JSACC_WATCH, &value, &attrs))
          return JS_FALSE;
      if (attrs & JSPROP_READONLY)
          return JS_TRUE;
-Line 1707
+Line 1711
          }
      }
      if (prop)
-         OBJ_DROP_PROPERTY(cx, obj2, prop);
+         obj2->dropProperty(cx, prop);
      return JS_TRUE;
  }
-Line 1782
+Line 1786
      JSProperty *prop;
      JSBool ok;
-     if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+     if (!obj->lookupProperty(cx, id, &pobj, &prop))
          return JS_FALSE;
      if (!prop) {
-Line 1804
+Line 1808
      if (pobj != obj &&
          !(OBJ_IS_NATIVE(pobj) &&
            SPROP_IS_SHARED_PERMANENT((JSScopeProperty *)prop))) {
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
          *vp = JSVAL_FALSE;
          return JS_TRUE;
      }
-     ok = OBJ_GET_ATTRIBUTES(cx, pobj, id, prop, &attrs);
+     ok = pobj->getAttributes(cx, id, prop, &attrs);
-     OBJ_DROP_PROPERTY(cx, pobj, prop);
+     pobj->dropProperty(cx, prop);
      if (ok)
          *vp = BOOLEAN_TO_JSVAL((attrs & JSPROP_ENUMERATE) != 0);
      return ok;
-Line 1842
+Line 1846
       * Getters and setters are just like watchpoints from an access
       * control point of view.
       */
-     if (!OBJ_CHECK_ACCESS(cx, obj, id, JSACC_WATCH, &junk, &attrs))
+     if (!obj->checkAccess(cx, id, JSACC_WATCH, &junk, &attrs))
          return JS_FALSE;
      *vp = JSVAL_VOID;
-     return OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID,
+     return obj->defineProperty(cx, id, JSVAL_VOID,
-                                js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)),
+                                js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)), JS_PropertyStub,
-                                JS_PropertyStub,
+                                JSPROP_ENUMERATE | JSPROP_GETTER | JSPROP_SHARED);
-                                JSPROP_ENUMERATE | JSPROP_GETTER | JSPROP_SHARED,
-                                NULL);
  }
  JS_FRIEND_API(JSBool)
-Line 1877
+Line 1879
       * Getters and setters are just like watchpoints from an access
       * control point of view.
       */
-     if (!OBJ_CHECK_ACCESS(cx, obj, id, JSACC_WATCH, &junk, &attrs))
+     if (!obj->checkAccess(cx, id, JSACC_WATCH, &junk, &attrs))
          return JS_FALSE;
      *vp = JSVAL_VOID;
-     return OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID,
+     return obj->defineProperty(cx, id, JSVAL_VOID,
-                                JS_PropertyStub,
+                                JS_PropertyStub, js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)),
-                                js_CastAsPropertyOp(JSVAL_TO_OBJECT(fval)),
+                                JSPROP_ENUMERATE | JSPROP_SETTER | JSPROP_SHARED);
-                                JSPROP_ENUMERATE | JSPROP_SETTER | JSPROP_SHARED,
-                                NULL);
  }
  static JSBool
 Line 1898
      if (!JS_ValueToId(cx, argc != 0 ? vp[2] : JSVAL_VOID, &id))
          return JS_FALSE;
      obj = JS_THIS_OBJECT(cx, vp);
-     if (!obj || !OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+     if (!obj || !obj->lookupProperty(cx, id, &pobj, &prop))
          return JS_FALSE;
      *vp = JSVAL_VOID;
      if (prop) {
 Line 1907
              if (sprop->attrs & JSPROP_GETTER)
                  *vp = js_CastAsObjectJSVal(sprop->getter);
          }
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      }
      return JS_TRUE;
  }
 Line 1923
      if (!JS_ValueToId(cx, argc != 0 ? vp[2] : JSVAL_VOID, &id))
          return JS_FALSE;
      obj = JS_THIS_OBJECT(cx, vp);
-     if (!obj || !OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+     if (!obj || !obj->lookupProperty(cx, id, &pobj, &prop))
          return JS_FALSE;
      *vp = JSVAL_VOID;
      if (prop) {
 Line 1932
              if (sprop->attrs & JSPROP_SETTER)
                  *vp = js_CastAsObjectJSVal(sprop->setter);
          }
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      }
      return JS_TRUE;
  }
 Line 1954
          return JS_FALSE;
      vp[2] = OBJECT_TO_JSVAL(obj);
-     return OBJ_CHECK_ACCESS(cx, obj,
+     return obj->checkAccess(cx, ATOM_TO_JSID(cx->runtime->atomState.protoAtom),
-                             ATOM_TO_JSID(cx->runtime->atomState.protoAtom),
                              JSACC_PROTO, vp, &attrs);
  }
-Line 1986
+Line 1985
  #endif
      JS_FN(js_toString_str,             obj_toString,                0,0),
      JS_FN(js_toLocaleString_str,       obj_toLocaleString,          0,0),
-     JS_TN(js_valueOf_str,              obj_valueOf,                 0,0,
+     JS_TN(js_valueOf_str,              obj_valueOf,                 0,0, &obj_valueOf_trcinfo),
-           obj_valueOf_trcinfo),
  #if JS_HAS_OBJ_WATCHPOINT
      JS_FN(js_watch_str,                obj_watch,                   2,0),
      JS_FN(js_unwatch_str,              obj_unwatch,                 1,0),
  #endif
-     JS_TN(js_hasOwnProperty_str,       obj_hasOwnProperty,          1,0,
+     JS_TN(js_hasOwnProperty_str,       obj_hasOwnProperty,          1,0, &obj_hasOwnProperty_trcinfo),
-           obj_hasOwnProperty_trcinfo),
      JS_FN(js_isPrototypeOf_str,        obj_isPrototypeOf,           1,0),
-     JS_TN(js_propertyIsEnumerable_str, obj_propertyIsEnumerable,    1,0,
+     JS_TN(js_propertyIsEnumerable_str, obj_propertyIsEnumerable,    1,0, &obj_propertyIsEnumerable_trcinfo),
-           obj_propertyIsEnumerable_trcinfo),
  #if JS_HAS_GETTER_SETTER
      JS_FN(js_defineGetter_str,         js_obj_defineGetter,         2,0),
      JS_FN(js_defineSetter_str,         js_obj_defineSetter,         2,0),
-Line 2011
+Line 2007
      JS_FS_END
  };
+ static bool
+ AllocSlots(JSContext *cx, JSObject *obj, size_t nslots);
+ static inline bool
+ InitScopeForObject(JSContext* cx, JSObject* obj, JSObject* proto, JSObjectOps* ops)
+ {
+     JS_ASSERT(OPS_IS_NATIVE(ops));
+     JS_ASSERT(proto == OBJ_GET_PROTO(cx, obj));
+     /* Share proto's emptyScope only if obj is similar to proto. */
+     JSClass *clasp = OBJ_GET_CLASS(cx, obj);
+     JSScope *scope;
+     if (proto && OBJ_IS_NATIVE(proto) &&
+         (scope = OBJ_SCOPE(proto))->canProvideEmptyScope(ops, clasp)) {
+         scope = scope->getEmptyScope(cx, clasp);
+         if (!scope)
+             goto bad;
+     } else {
+         scope = JSScope::create(cx, ops, clasp, obj, js_GenerateShape(cx, false));
+         if (!scope)
+             goto bad;
+         /* Let JSScope::create set freeslot so as to reserve slots. */
+         JS_ASSERT(scope->freeslot >= JSSLOT_PRIVATE);
+         if (scope->freeslot > JS_INITIAL_NSLOTS &&
+             !AllocSlots(cx, obj, scope->freeslot)) {
+             JSScope::destroy(cx, scope);
+             goto bad;
+         }
+     }
+     obj->map = scope;
+     return true;
+   bad:
+     /* The GC nulls map initially. It should still be null on error. */
+     JS_ASSERT(!obj->map);
+     return false;
+ }
+ JSObject *
+ js_NewObjectWithGivenProto(JSContext *cx, JSClass *clasp, JSObject *proto,
+                            JSObject *parent, size_t objectSize)
+ {
+ #ifdef INCLUDE_MOZILLA_DTRACE
+     if (JAVASCRIPT_OBJECT_CREATE_START_ENABLED())
+         jsdtrace_object_create_start(cx->fp, clasp);
+ #endif
+     /* Assert that the class is a proper class. */
+     JS_ASSERT_IF(clasp->flags & JSCLASS_IS_EXTENDED,
+                  ((JSExtendedClass *)clasp)->equality);
+     /* Always call the class's getObjectOps hook if it has one. */
+     JSObjectOps *ops = clasp->getObjectOps
+                        ? clasp->getObjectOps(cx, clasp)
+                        : &js_ObjectOps;
+     /*
+      * Allocate an object from the GC heap and initialize all its fields before
+      * doing any operation that can potentially trigger GC. Functions have a
+      * larger non-standard allocation size.
+      */
+     JSObject* obj;
+     if (clasp == &js_FunctionClass && !objectSize) {
+         obj = (JSObject*) js_NewGCFunction(cx, GCX_OBJECT);
+ #ifdef DEBUG
+         memset((uint8 *) obj + sizeof(JSObject), JS_FREE_PATTERN,
+                sizeof(JSFunction) - sizeof(JSObject));
+ #endif
+     } else {
+         JS_ASSERT(!objectSize || objectSize == sizeof(JSObject));
+         obj = js_NewGCObject(cx, GCX_OBJECT);
+     }
+     if (!obj)
+         goto out;
+     /*
+      * Default parent to the parent of the prototype, which was set from
+      * the parent of the prototype's constructor.
+      */
+     obj->init(clasp,
+               proto,
+               (!parent && proto) ? proto->getParent() : parent,
+               JSObject::defaultPrivate(clasp));
+     if (OPS_IS_NATIVE(ops)) {
+         if (!InitScopeForObject(cx, obj, proto, ops)) {
+             obj = NULL;
+             goto out;
+         }
+     } else {
+         JS_ASSERT(ops->objectMap->ops == ops);
+         obj->map = const_cast<JSObjectMap *>(ops->objectMap);
+     }
+     /* Check that the newborn root still holds the object. */
+     JS_ASSERT_IF(!cx->localRootStack, cx->weakRoots.newborn[GCX_OBJECT] == obj);
+     /*
+      * Do not call debug hooks on trace, because we might be in a non-_FAIL
+      * builtin. See bug 481444.
+      */
+     if (cx->debugHooks->objectHook && !JS_ON_TRACE(cx)) {
+         JSAutoTempValueRooter tvr(cx, obj);
+         JS_KEEP_ATOMS(cx->runtime);
+         cx->debugHooks->objectHook(cx, obj, JS_TRUE,
+                                    cx->debugHooks->objectHookData);
+         JS_UNKEEP_ATOMS(cx->runtime);
+         cx->weakRoots.newborn[GCX_OBJECT] = obj;
+     }
+ out:
+ #ifdef INCLUDE_MOZILLA_DTRACE
+     if (JAVASCRIPT_OBJECT_CREATE_ENABLED())
+         jsdtrace_object_create(cx, clasp, obj);
+     if (JAVASCRIPT_OBJECT_CREATE_DONE_ENABLED())
+         jsdtrace_object_create_done(cx->fp, clasp);
+ #endif
+     return obj;
+ }
+ JSObject *
+ js_NewObject(JSContext *cx, JSClass *clasp, JSObject *proto,
+              JSObject *parent, size_t objectSize)
+ {
+     jsid id;
+     /* Bootstrap the ur-object, and make it the default prototype object. */
+     if (!proto) {
+         if (!js_GetClassId(cx, clasp, &id))
+             return NULL;
+         if (!js_GetClassPrototype(cx, parent, id, &proto))
+             return NULL;
+         if (!proto &&
+             !js_GetClassPrototype(cx, parent, INT_TO_JSID(JSProto_Object),
+                                   &proto)) {
+             return NULL;
+         }
+     }
+     return js_NewObjectWithGivenProto(cx, clasp, proto, parent, objectSize);
+ }
  JSBool
  js_Object(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
  {
-Line 2026
+Line 2165
          JS_ASSERT(!argc || JSVAL_IS_NULL(argv[0]) || JSVAL_IS_VOID(argv[0]));
          if (JS_IsConstructing(cx))
              return JS_TRUE;
-         obj = js_NewObject(cx, &js_ObjectClass, NULL, NULL, 0);
+         obj = js_NewObject(cx, &js_ObjectClass, NULL, NULL);
          if (!obj)
              return JS_FALSE;
      }
-Line 2034
+Line 2173
      return JS_TRUE;
  }
- static inline bool
- InitScopeForObject(JSContext* cx, JSObject* obj, JSObject* proto,
-                    JSObjectOps* ops)
- {
-     JS_ASSERT(OPS_IS_NATIVE(ops));
-     JS_ASSERT(proto == OBJ_GET_PROTO(cx, obj));
-     JSClass* protoclasp;
-     JSClass* clasp = OBJ_GET_CLASS(cx, obj);
-     /*
-      * Share proto's map only if it has the same JSObjectOps, and only if
-      * proto's class has the same private and reserved slots as obj's map
-      * and class have.  We assume that if prototype and object are of the
-      * same class, they always have the same number of computed reserved
-      * slots (returned via clasp->reserveSlots); otherwise, prototype and
-      * object classes must have the same (null or not) reserveSlots hook.
-      */
-     if (proto &&
-         proto->map->ops == ops &&
-         ((protoclasp = OBJ_GET_CLASS(cx, proto)) == clasp ||
-          (!((protoclasp->flags ^ clasp->flags) &
-             (JSCLASS_HAS_PRIVATE |
-              (JSCLASS_RESERVED_SLOTS_MASK << JSCLASS_RESERVED_SLOTS_SHIFT))) &&
-           protoclasp->reserveSlots == clasp->reserveSlots)))
-     {
-         js_HoldScope(OBJ_SCOPE(proto));
-         obj->map = proto->map;
-         return true;
-     }
-     JSScope *scope = js_NewScope(cx, ops, clasp, obj);
-     if (!scope)
-         goto bad;
-     /* Let js_NewScope set freeslot so as to reserve slots. */
-     JS_ASSERT(scope->freeslot >= JSSLOT_PRIVATE);
-     if (scope->freeslot > JS_INITIAL_NSLOTS &&
-         !js_ReallocSlots(cx, obj, scope->freeslot, JS_TRUE)) {
-         js_DestroyScope(cx, scope);
-         goto bad;
-     }
-     obj->map = &scope->map;
-     return true;
-   bad:
-     /* Ensure that the map field is initialized for GC. */
-     obj->map = NULL;
-     return false;
- }
  #ifdef JS_TRACER
- static inline JSObject*
+ JSObject*
- NewNativeObject(JSContext* cx, JSClass* clasp, JSObject* proto, JSObject *parent)
+ js_NewObjectWithClassProto(JSContext *cx, JSClass *clasp, JSObject *proto,
+                            jsval privateSlotValue)
  {
-     JS_ASSERT(JS_ON_TRACE(cx));
+     JS_ASSERT(!clasp->getObjectOps);
-     JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));
+     JS_ASSERT(proto->map->ops == &js_ObjectOps);
+     JSObject* obj = js_NewGCObject(cx, GCX_OBJECT);
      if (!obj)
          return NULL;
-     obj->classword = jsuword(clasp);
+     obj->initSharingEmptyScope(clasp, proto, proto->getParent(), privateSlotValue);
-     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
+     return obj;
-     obj->fslots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(parent);
-     for (unsigned i = JSSLOT_PRIVATE; i < JS_INITIAL_NSLOTS; ++i)
-         obj->fslots[i] = JSVAL_VOID;
-     obj->dslots = NULL;
-     return InitScopeForObject(cx, obj, proto, &js_ObjectOps) ? obj : NULL;
  }
  JSObject* FASTCALL
  js_Object_tn(JSContext* cx, JSObject* proto)
  {
-     return NewNativeObject(cx, &js_ObjectClass, proto, JSVAL_TO_OBJECT(proto->fslots[JSSLOT_PARENT]));
+     JS_ASSERT(!(js_ObjectClass.flags & JSCLASS_HAS_PRIVATE));
+     return js_NewObjectWithClassProto(cx, &js_ObjectClass, proto, JSVAL_VOID);
  }
  JS_DEFINE_TRCINFO_1(js_Object,
      (2, (extern, CONSTRUCTOR_RETRY, js_Object_tn, CONTEXT, CALLEE_PROTOTYPE, 0, 0)))
+ static inline JSObject*
+ NewNativeObject(JSContext* cx, JSClass* clasp, JSObject* proto,
+                 JSObject *parent, jsval privateSlotValue)
+ {
+     JS_ASSERT(JS_ON_TRACE(cx));
+     JSObject* obj = js_NewGCObject(cx, GCX_OBJECT);
+     if (!obj)
+         return NULL;
+     obj->init(clasp, proto, parent, privateSlotValue);
+     return InitScopeForObject(cx, obj, proto, &js_ObjectOps) ? obj : NULL;
+ }
  JSObject* FASTCALL
  js_NewInstance(JSContext *cx, JSClass *clasp, JSObject *ctor)
  {
-Line 2126
+Line 2225
      if (scope->title.ownercx != cx)
          return NULL;
  #endif
-     if (scope->object != ctor) {
+     if (!scope->owned()) {
          scope = js_GetMutableScope(cx, ctor);
          if (!scope)
              return NULL;
      }
-     JSScopeProperty *sprop = SCOPE_GET_PROPERTY(scope, ATOM_TO_JSID(atom));
+     JSScopeProperty *sprop = scope->lookup(ATOM_TO_JSID(atom));
      jsval pval = sprop ? STOBJ_GET_SLOT(ctor, sprop->slot) : JSVAL_HOLE;
      JSObject *proto;
-Line 2141
+Line 2240
          proto = JSVAL_TO_OBJECT(pval);
      } else if (pval == JSVAL_HOLE) {
          /* No ctor.prototype yet, inline and optimize fun_resolve's prototype code. */
-         proto = js_NewObject(cx, clasp, NULL, OBJ_GET_PARENT(cx, ctor), 0);
+         proto = js_NewObject(cx, clasp, NULL, OBJ_GET_PARENT(cx, ctor));
          if (!proto)
              return NULL;
          if (!js_SetClassPrototype(cx, ctor, proto, JSPROP_ENUMERATE | JSPROP_PERMANENT))
-Line 2154
+Line 2253
          }
      }
-     return NewNativeObject(cx, clasp, proto, JSVAL_TO_OBJECT(ctor->fslots[JSSLOT_PARENT]));
+     return NewNativeObject(cx, clasp, proto, ctor->getParent(),
+                            JSObject::defaultPrivate(clasp));
  }
  JS_DEFINE_CALLINFO_3(extern, CONSTRUCTOR_RETRY, js_NewInstance, CONTEXT, CLASS, OBJECT, 0, 0)
-Line 2170
+Line 2270
   * access is "object-detecting" in the sense used by web scripts, e.g., when
   * checking whether document.all is defined.
   */
- static JS_REQUIRES_STACK JSBool
+ JS_REQUIRES_STACK JSBool
  Detecting(JSContext *cx, jsbytecode *pc)
  {
      JSScript *script;
-Line 2181
+Line 2281
      script = cx->fp->script;
      endpc = script->code + script->length;
      for (;; pc += js_CodeSpec[op].length) {
-         JS_ASSERT(pc < endpc);
+         JS_ASSERT_IF(!cx->fp->imacpc, script->code <= pc && pc < endpc);
          /* General case: a branch or equality op follows the access. */
          op = js_GetOpcode(cx, script, pc);
-Line 2233
+Line 2333
   * does not indicate whether we are in a with statement. Return defaultFlags
   * if a currently executing bytecode cannot be determined.
   */
- static uintN
+ uintN
- InferFlags(JSContext *cx, uintN defaultFlags)
+ js_InferFlags(JSContext *cx, uintN defaultFlags)
  {
+ #ifdef JS_TRACER
+     if (JS_ON_TRACE(cx))
+         return cx->bailExit->lookupFlags;
+ #endif
+     JS_ASSERT_NOT_ON_TRACE(cx);
      JSStackFrame *fp;
      jsbytecode *pc;
      const JSCodeSpec *cs;
-Line 2253
+Line 2360
      if ((format & (JOF_SET | JOF_FOR)) ||
          (fp->flags & JSFRAME_ASSIGNING)) {
          flags |= JSRESOLVE_ASSIGNING;
-     } else {
+     } else if (cs->length >= 0) {
          pc += cs->length;
          if (pc < cx->fp->script->code + cx->fp->script->length && Detecting(cx, pc))
              flags |= JSRESOLVE_DETECTING;
-Line 2273
+Line 2380
      /* Fixes bug 463997 */
      uintN flags = cx->resolveFlags;
      if (flags == JSRESOLVE_INFER)
-         flags = InferFlags(cx, flags);
+         flags = js_InferFlags(cx, flags);
      flags |= JSRESOLVE_WITH;
      JSAutoResolveFlags rf(cx, flags);
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_LookupProperty(cx, obj, id, objp, propp);
-     return OBJ_LOOKUP_PROPERTY(cx, proto, id, objp, propp);
+     return proto->lookupProperty(cx, id, objp, propp);
  }
  static JSBool
-Line 2288
+Line 2395
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_GetProperty(cx, obj, id, vp);
-     return OBJ_GET_PROPERTY(cx, proto, id, vp);
+     return proto->getProperty(cx, id, vp);
  }
  static JSBool
-Line 2297
+Line 2404
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_SetProperty(cx, obj, id, vp);
-     return OBJ_SET_PROPERTY(cx, proto, id, vp);
+     return proto->setProperty(cx, id, vp);
  }
  static JSBool
-Line 2307
+Line 2414
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_GetAttributes(cx, obj, id, prop, attrsp);
-     return OBJ_GET_ATTRIBUTES(cx, proto, id, prop, attrsp);
+     return proto->getAttributes(cx, id, prop, attrsp);
  }
  static JSBool
-Line 2317
+Line 2424
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_SetAttributes(cx, obj, id, prop, attrsp);
-     return OBJ_SET_ATTRIBUTES(cx, proto, id, prop, attrsp);
+     return proto->setAttributes(cx, id, prop, attrsp);
  }
  static JSBool
-Line 2326
+Line 2433
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_DeleteProperty(cx, obj, id, rval);
-     return OBJ_DELETE_PROPERTY(cx, proto, id, rval);
+     return proto->deleteProperty(cx, id, rval);
  }
  static JSBool
-Line 2335
+Line 2442
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_DefaultValue(cx, obj, hint, vp);
-     return OBJ_DEFAULT_VALUE(cx, proto, hint, vp);
+     return proto->defaultValue(cx, hint, vp);
  }
  static JSBool
-Line 2345
+Line 2452
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_Enumerate(cx, obj, enum_op, statep, idp);
-     return OBJ_ENUMERATE(cx, proto, enum_op, statep, idp);
+     return proto->enumerate(cx, enum_op, statep, idp);
  }
  static JSBool
-Line 2355
+Line 2462
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return js_CheckAccess(cx, obj, id, mode, vp, attrsp);
-     return OBJ_CHECK_ACCESS(cx, proto, id, mode, vp, attrsp);
+     return proto->checkAccess(cx, id, mode, vp, attrsp);
  }
  static JSObject *
-Line 2364
+Line 2471
      JSObject *proto = OBJ_GET_PROTO(cx, obj);
      if (!proto)
          return obj;
-     return OBJ_THIS_OBJECT(cx, proto);
+     return proto->thisObject(cx);
  }
  JS_FRIEND_DATA(JSObjectOps) js_WithObjectOps = {
-Line 2377
+Line 2484
      with_ThisObject,        NATIVE_DROP_PROPERTY,
      NULL,                   NULL,
      NULL,                   js_TraceObject,
-     js_Clear,               NULL,
+     js_Clear
-     NULL
  };
  static JSObjectOps *
-Line 2391
+Line 2497
      "With",
      JSCLASS_HAS_PRIVATE | JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_IS_ANONYMOUS,
      JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,
-     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   JS_FinalizeStub,
+     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   NULL,
      with_getObjectOps,
 ,0,0,0,0,0,0
  };
-Line 2401
+Line 2507
  {
      JSObject *obj;
-     obj = js_NewObject(cx, &js_WithClass, proto, parent, 0);
+     obj = js_NewObject(cx, &js_WithClass, proto, parent);
      if (!obj)
          return NULL;
-     STOBJ_SET_SLOT(obj, JSSLOT_PRIVATE, PRIVATE_TO_JSVAL(cx->fp));
+     obj->setPrivate(cx->fp);
      OBJ_SET_BLOCK_DEPTH(cx, obj, depth);
      return obj;
  }
-Line 2416
+Line 2522
       * Null obj's proto slot so that Object.prototype.* does not pollute block
       * scopes and to give the block object its own scope.
       */
-     JSObject *blockObj = js_NewObjectWithGivenProto(cx, &js_BlockClass,
+     JSObject *blockObj = js_NewObjectWithGivenProto(cx, &js_BlockClass, NULL, NULL);
-                                                     NULL, NULL, 0);
      JS_ASSERT_IF(blockObj, !OBJ_IS_CLONED_BLOCK(blockObj));
      return blockObj;
  }
  JSObject *
- js_CloneBlockObject(JSContext *cx, JSObject *proto, JSObject *parent,
+ js_CloneBlockObject(JSContext *cx, JSObject *proto, JSStackFrame *fp)
-                     JSStackFrame *fp)
  {
-     JSObject *clone;
-     JS_ASSERT(STOBJ_GET_CLASS(proto) == &js_BlockClass);
      JS_ASSERT(!OBJ_IS_CLONED_BLOCK(proto));
-     clone = js_NewObject(cx, &js_BlockClass, proto, parent, 0);
+     JS_ASSERT(STOBJ_GET_CLASS(proto) == &js_BlockClass);
+     JSObject *clone = js_NewGCObject(cx, GCX_OBJECT);
      if (!clone)
          return NULL;
-     STOBJ_SET_SLOT(clone, JSSLOT_PRIVATE, PRIVATE_TO_JSVAL(fp));
-     STOBJ_SET_SLOT(clone, JSSLOT_BLOCK_DEPTH,
+     JSScope *scope = OBJ_SCOPE(proto);
-                    OBJ_GET_SLOT(cx, proto, JSSLOT_BLOCK_DEPTH));
+     scope->hold();
+     JS_ASSERT(!scope->owned());
+     clone->map = scope;
+     clone->classword = jsuword(&js_BlockClass);
+     clone->setProto(proto);
+     clone->setParent(NULL);  // caller's responsibility
+     clone->setPrivate(fp);
+     clone->fslots[JSSLOT_BLOCK_DEPTH] = proto->fslots[JSSLOT_BLOCK_DEPTH];
+     JS_ASSERT(scope->freeslot == JSSLOT_BLOCK_DEPTH + 1);
+     for (uint32 i = JSSLOT_BLOCK_DEPTH + 1; i < JS_INITIAL_NSLOTS; ++i)
+         clone->fslots[i] = JSVAL_VOID;
+     clone->dslots = NULL;
      JS_ASSERT(OBJ_IS_CLONED_BLOCK(clone));
-     JS_ASSERT(OBJ_SCOPE(clone)->object == proto);
      return clone;
  }
-Line 2454
+Line 2568
      fp = cx->fp;
      obj = fp->scopeChain;
      JS_ASSERT(OBJ_GET_CLASS(cx, obj) == &js_BlockClass);
-     JS_ASSERT(OBJ_GET_PRIVATE(cx, obj) == cx->fp);
+     JS_ASSERT(obj->getPrivate() == cx->fp);
      JS_ASSERT(OBJ_IS_CLONED_BLOCK(obj));
      /*
-Line 2482
+Line 2596
      if (normalUnwind && count > 1) {
          --count;
          JS_LOCK_OBJ(cx, obj);
-         if (!js_ReallocSlots(cx, obj, JS_INITIAL_NSLOTS + count, JS_TRUE))
+         if (!AllocSlots(cx, obj, JS_INITIAL_NSLOTS + count))
              normalUnwind = JS_FALSE;
          else
              memcpy(obj->dslots, fp->slots + depth + 1, count * sizeof(jsval));
-Line 2490
+Line 2604
      }
      /* We must clear the private slot even with errors. */
-     JS_SetPrivate(cx, obj, NULL);
+     obj->setPrivate(NULL);
      fp->scopeChain = OBJ_GET_PARENT(cx, obj);
      return normalUnwind;
  }
-Line 2498
+Line 2612
  static JSBool
  block_getProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
  {
-     uintN index;
+     /*
-     JSStackFrame *fp;
+      * Block objects are never exposed to script, and the engine handles them
+      * with care. So unlike other getters, this one can assert (rather than
-     JS_ASSERT(JS_InstanceOf(cx, obj, &js_BlockClass, NULL));
+      * check) certain invariants about obj.
+      */
+     JS_ASSERT(obj->getClass() == &js_BlockClass);
      JS_ASSERT(OBJ_IS_CLONED_BLOCK(obj));
-     if (!JSVAL_IS_INT(id))
+     uintN index = (uintN) JSVAL_TO_INT(id);
-         return JS_TRUE;
+     JS_ASSERT(index < OBJ_BLOCK_COUNT(cx, obj));
-     index = (uint16) JSVAL_TO_INT(id);
+     JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
-     fp = (JSStackFrame *) JS_GetPrivate(cx, obj);
      if (fp) {
          index += fp->script->nfixed + OBJ_BLOCK_DEPTH(cx, obj);
          JS_ASSERT(index < fp->script->nslots);
          *vp = fp->slots[index];
-         return JS_TRUE;
+         return true;
      }
-     /* Reserve slots start with the first slot after the private. */
+     /* Values are in reserved slots immediately following DEPTH. */
-     index += JSSLOT_BLOCK_DEPTH - JSSLOT_PRIVATE;
+     uint32 slot = JSSLOT_BLOCK_DEPTH + 1 + index;
-     return JS_GetReservedSlot(cx, obj, index, vp);
+     JS_LOCK_OBJ(cx, obj);
+     JS_ASSERT(slot < STOBJ_NSLOTS(obj));
+     *vp = STOBJ_GET_SLOT(obj, slot);
+     JS_UNLOCK_OBJ(cx, obj);
+     return true;
  }
  static JSBool
  block_setProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
  {
-     uintN index;
+     JS_ASSERT(obj->getClass() == &js_BlockClass);
-     JSStackFrame *fp;
+     JS_ASSERT(OBJ_IS_CLONED_BLOCK(obj));
+     uintN index = (uintN) JSVAL_TO_INT(id);
-     JS_ASSERT(JS_InstanceOf(cx, obj, &js_BlockClass, NULL));
+     JS_ASSERT(index < OBJ_BLOCK_COUNT(cx, obj));
-     if (!JSVAL_IS_INT(id))
-         return JS_TRUE;
-     index = (uint16) JSVAL_TO_INT(id);
+     JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
-     fp = (JSStackFrame *) JS_GetPrivate(cx, obj);
      if (fp) {
          index += fp->script->nfixed + OBJ_BLOCK_DEPTH(cx, obj);
          JS_ASSERT(index < fp->script->nslots);
          fp->slots[index] = *vp;
-         return JS_TRUE;
+         return true;
      }
-     /* Reserve slots start with the first slot after the private. */
+     /* Values are in reserved slots immediately following DEPTH. */
-     index += JSSLOT_BLOCK_DEPTH - JSSLOT_PRIVATE;
+     uint32 slot = JSSLOT_BLOCK_DEPTH + 1 + index;
-     return JS_SetReservedSlot(cx, obj, index, *vp);
+     JS_LOCK_OBJ(cx, obj);
+     JS_ASSERT(slot < STOBJ_NSLOTS(obj));
+     STOBJ_SET_SLOT(obj, slot, *vp);
+     JS_UNLOCK_OBJ(cx, obj);
+     return true;
+ }
+ JSBool
+ js_DefineBlockVariable(JSContext *cx, JSObject *obj, jsid id, int16 index)
+ {
+     JS_ASSERT(obj->getClass() == &js_BlockClass);
+     JS_ASSERT(!OBJ_IS_CLONED_BLOCK(obj));
+     /* Use JSPROP_ENUMERATE to aid the disassembler. */
+     return js_DefineNativeProperty(cx, obj, id, JSVAL_VOID,
+                                    block_getProperty, block_setProperty,
+                                    JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_SHARED,
+                                    SPROP_HAS_SHORTID, index, NULL);
  }
  #if JS_HAS_XDR
-Line 2573
+Line 2706
      JSObject *obj, *parent;
      uint16 depth, count, i;
      uint32 tmp;
-     JSTempValueRooter tvr;
      JSScopeProperty *sprop;
      jsid propid;
      JSAtom *atom;
-Line 2590
+Line 2722
          parent = OBJ_GET_PARENT(cx, obj);
          parentId = (xdr->script->objectsOffset == 0)
                     ? NO_PARENT_INDEX
-                    : FindObjectIndex(JS_SCRIPT_OBJECTS(xdr->script), parent);
+                    : FindObjectIndex(xdr->script->objects(), parent);
          depth = (uint16)OBJ_BLOCK_DEPTH(cx, obj);
          count = (uint16)OBJ_BLOCK_COUNT(cx, obj);
          tmp = (uint32)(depth << 16) | count;
-Line 2617
+Line 2749
          if (parentId == NO_PARENT_INDEX)
              parent = NULL;
          else
-             JS_GET_SCRIPT_OBJECT(xdr->script, parentId, parent);
+             parent = xdr->script->getObject(parentId);
          STOBJ_SET_PARENT(obj, parent);
      }
-     JS_PUSH_SINGLE_TEMP_ROOT(cx, OBJECT_TO_JSVAL(obj), &tvr);
+     JSAutoTempValueRooter tvr(cx, obj);
-     if (!JS_XDRUint32(xdr, &tmp)) {
+     if (!JS_XDRUint32(xdr, &tmp))
-         JS_POP_TEMP_ROOT(cx, &tvr);
+         return false;
-         return JS_FALSE;
-     }
      if (xdr->mode == JSXDR_DECODE) {
          depth = (uint16)(tmp >> 16);
-Line 2649
+Line 2779
                  sprop = sprop ? sprop->parent : OBJ_SCOPE(obj)->lastProp;
              } while (!(sprop->flags & SPROP_HAS_SHORTID));
-             JS_ASSERT(sprop->getter == js_BlockClass.getProperty);
+             JS_ASSERT(sprop->getter == block_getProperty);
              propid = sprop->id;
              JS_ASSERT(JSID_IS_ATOM(propid));
              atom = JSID_TO_ATOM(propid);
-Line 2660
+Line 2790
          /* XDR the real id, then the shortid. */
          if (!js_XDRStringAtom(xdr, &atom) ||
              !JS_XDRUint16(xdr, (uint16 *)&shortid)) {
-             ok = JS_FALSE;
+             return false;
-             break;
          }
          if (xdr->mode == JSXDR_DECODE) {
-             if (!js_DefineNativeProperty(cx, obj, ATOM_TO_JSID(atom),
+             if (!js_DefineBlockVariable(cx, obj, ATOM_TO_JSID(atom), shortid))
-                                          JSVAL_VOID, NULL, NULL,
+                 return false;
-                                          JSPROP_ENUMERATE | JSPROP_PERMANENT |
-                                          JSPROP_SHARED,
-                                          SPROP_HAS_SHORTID, shortid, NULL)) {
-                 ok = JS_FALSE;
-                 break;
-             }
          }
      }
-     JS_POP_TEMP_ROOT(cx, &tvr);
+     if (xdr->mode == JSXDR_DECODE) {
-     return ok;
+         /* Do as the parser does and make this block scope shareable. */
+         OBJ_SCOPE(obj)->object = NULL;
+     }
+     return true;
  }
  #endif
-Line 2691
+Line 2817
  JSClass js_BlockClass = {
      "Block",
      JSCLASS_HAS_PRIVATE | JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_IS_ANONYMOUS,
-     JS_PropertyStub,  JS_PropertyStub,  block_getProperty, block_setProperty,
+     JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,   JS_PropertyStub,
-     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,    JS_FinalizeStub,
+     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,    NULL,
      NULL, NULL, NULL, NULL, NULL, NULL, NULL, block_reserveSlots
  };
-Line 2756
+Line 2882
      }
      /* Create a prototype object for this class. */
-     proto = js_NewObject(cx, clasp, parent_proto, obj, 0);
+     proto = js_NewObject(cx, clasp, parent_proto, obj);
      if (!proto)
          return NULL;
-Line 2775
+Line 2901
              key != JSProto_Null) {
              named = JS_FALSE;
          } else {
-             named = OBJ_DEFINE_PROPERTY(cx, obj, ATOM_TO_JSID(atom),
+             named = obj->defineProperty(cx, ATOM_TO_JSID(atom),
                                          OBJECT_TO_JSVAL(proto),
                                          JS_PropertyStub, JS_PropertyStub,
                                          (clasp->flags & JSCLASS_IS_ANONYMOUS)
                                          ? JSPROP_READONLY | JSPROP_PERMANENT
-                                         : 0,
+                                         : 0);
-                                         NULL);
              if (!named)
                  goto bad;
          }
-Line 2836
+Line 2961
          goto bad;
      }
+     /*
+      * Make sure proto's scope's emptyScope is available to be shared by
+      * objects of this class.  JSScope::emptyScope is a one-slot cache. If we
+      * omit this, some other class could snap it up. (The risk is particularly
+      * great for Object.prototype.)
+      *
+      * All callers of JSObject::initSharingEmptyScope depend on this.
+      */
+     if (OBJ_IS_NATIVE(proto)) {
+         JSScope *scope = OBJ_SCOPE(proto)->getEmptyScope(cx, clasp);
+         if (!scope)
+             goto bad;
+         scope->drop(cx, NULL);
+     }
      /* If this is a standard class, cache its prototype. */
      if (key != JSProto_Null && !js_SetClassObject(cx, obj, key, ctor))
          goto bad;
-Line 2846
+Line 2986
  bad:
      if (named)
-         (void) OBJ_DELETE_PROPERTY(cx, obj, ATOM_TO_JSID(atom), &rval);
+         (void) obj->deleteProperty(cx, ATOM_TO_JSID(atom), &rval);
      proto = NULL;
      goto out;
  }
- static void
- FreeSlots(JSContext *cx, JSObject *obj)
- {
-     if (obj->dslots) {
-         JS_ASSERT((uint32)obj->dslots[-1] > JS_INITIAL_NSLOTS);
-         JS_free(cx, obj->dslots - 1);
-         obj->dslots = NULL;
-     }
- }
  #define SLOTS_TO_DYNAMIC_WORDS(nslots)                                        \
    (JS_ASSERT((nslots) > JS_INITIAL_NSLOTS), (nslots) + 1 - JS_INITIAL_NSLOTS)
  #define DYNAMIC_WORDS_TO_SLOTS(words)                                         \
    (JS_ASSERT((words) > 1), (words) - 1 + JS_INITIAL_NSLOTS)
- JSBool
- js_ReallocSlots(JSContext *cx, JSObject *obj, uint32 nslots,
+ static bool
-                 JSBool exactAllocation)
+ AllocSlots(JSContext *cx, JSObject *obj, size_t nslots)
  {
-     jsval *old, *slots;
+     JS_ASSERT(!obj->dslots);
-     uint32 oslots, nwords, owords, log, i;
+     JS_ASSERT(nslots > JS_INITIAL_NSLOTS);
+     jsval* slots;
+     slots = (jsval*) cx->malloc(SLOTS_TO_DYNAMIC_WORDS(nslots) * sizeof(jsval));
+     if (!slots)
+         return true;
+     *slots++ = nslots;
+     /* clear the newly allocated cells. */
+     for (jsuint n = JS_INITIAL_NSLOTS; n < nslots; ++n)
+         slots[n - JS_INITIAL_NSLOTS] = JSVAL_VOID;
+     obj->dslots = slots;
+     return true;
+ }
+ bool
+ js_GrowSlots(JSContext *cx, JSObject *obj, size_t nslots)
+ {
      /*
       * Minimal number of dynamic slots to allocate.
       */
- #define MIN_DYNAMIC_WORDS 4
+     const size_t MIN_DYNAMIC_WORDS = 4;
      /*
       * The limit to switch to linear allocation strategy from the power of 2
       * growth no to waste too much memory.
       */
- #define LINEAR_GROWTH_STEP JS_BIT(16)
+     const size_t LINEAR_GROWTH_STEP = JS_BIT(16);
-     old = obj->dslots;
+     /* If we are allocating fslots, there is nothing to do. */
-     if (nslots <= JS_INITIAL_NSLOTS) {
+     if (nslots <= JS_INITIAL_NSLOTS)
-         if (old &&
-             (exactAllocation ||
-              SLOTS_TO_DYNAMIC_WORDS((uint32)old[-1]) != MIN_DYNAMIC_WORDS ||
-              nslots <= (JS_INITIAL_NSLOTS +
-                         JSSLOT_FREE(STOBJ_GET_CLASS(obj))) / 2)) {
-             /*
-              * We do not want to free dynamic slots when allocation is a hint,
-              * we reached minimal allocation and almost all fixed slots are
-              * used. It avoids allocating dynamic slots again when properties
-              * are added to the object.
-              *
-              * If there were no private or reserved slots, the condition to
-              * free the slots would be
-              *
-              *   nslots <= JS_INITIAL_NSLOTS / 2
-              *
-              * but to account for never removed slots before JSSLOT_FREE(class)
-              * we need to subtract it from the slot counts which gives
-              *
-              *   nslots - JSSLOT_FREE <= (JS_INITIAL_NSLOTS - JSSLOT_FREE) / 2
-              *
-              * or
-              *
-              *   nslots <= (JS_INITIAL_NSLOTS + JSSLOT_FREE) / 2
-              */
-             FreeSlots(cx, obj);
-         }
          return JS_TRUE;
-     }
-     oslots = (old) ? (uint32)*--old : JS_INITIAL_NSLOTS;
+     size_t nwords = SLOTS_TO_DYNAMIC_WORDS(nslots);
-     nwords = SLOTS_TO_DYNAMIC_WORDS(nslots);
-     if (nslots > oslots) {
+     /*
-         if (!exactAllocation) {
+      * Round up nslots so the number of bytes in dslots array is power
-             /*
+      * of 2 to ensure exponential grouth.
-              * Round up nslots so the number of bytes in dslots array is power
+      */
-              * of 2 to ensure exponential grouth.
+     uintN log;
-              */
+     if (nwords <= MIN_DYNAMIC_WORDS) {
-             if (nwords <= MIN_DYNAMIC_WORDS) {
+         nwords = MIN_DYNAMIC_WORDS;
-                 nwords = MIN_DYNAMIC_WORDS;
+     } else if (nwords < LINEAR_GROWTH_STEP) {
-             } else if (nwords < LINEAR_GROWTH_STEP) {
+         JS_CEILING_LOG2(log, nwords);
-                 JS_CEILING_LOG2(log, nwords);
+         nwords = JS_BIT(log);
-                 nwords = JS_BIT(log);
-             } else {
-                 nwords = JS_ROUNDUP(nwords, LINEAR_GROWTH_STEP);
-             }
-         }
-         slots = (jsval *)JS_realloc(cx, old, nwords * sizeof(jsval));
-         if (!slots)
-             return JS_FALSE;
      } else {
-         JS_ASSERT(nslots < oslots);
+         nwords = JS_ROUNDUP(nwords, LINEAR_GROWTH_STEP);
-         if (!exactAllocation) {
-             owords = DYNAMIC_WORDS_TO_SLOTS(oslots);
-             if (owords <= MIN_DYNAMIC_WORDS)
-                 return JS_TRUE;
-             if (owords < LINEAR_GROWTH_STEP * 2) {
-                 /*
-                  * Shrink only if 1/4 of slots are left and we need to grow
-                  * the array at least twice to reach the current capacity. It
-                  * prevents frequent capacity growth/shrinking when slots are
-                  * often removed and added.
-                  */
-                 if (nwords > owords / 4)
-                     return JS_TRUE;
-                 JS_CEILING_LOG2(log, nwords);
-                 nwords = JS_BIT(log);
-                 if (nwords < MIN_DYNAMIC_WORDS)
-                     nwords = MIN_DYNAMIC_WORDS;
-             } else {
-                 /*
-                  * Shrink only if we free at least 2 linear allocation
-                  * segments, to prevent growth/shrinking resonance.
-                  */
-                 if (nwords > owords - LINEAR_GROWTH_STEP * 2)
-                     return JS_TRUE;
-                 nwords = JS_ROUNDUP(nwords, LINEAR_GROWTH_STEP);
-             }
-         }
-         /* We avoid JS_realloc not to report a failed shrink attempt. */
-         slots = (jsval *)realloc(old, nwords * sizeof(jsval));
-         if (!slots)
-             slots = old;
      }
      nslots = DYNAMIC_WORDS_TO_SLOTS(nwords);
-     *slots++ = (jsval)nslots;
+     /*
+      * If nothing was allocated yet, treat it as initial allocation (but with
+      * the exponential growth algorithm applied).
+      */
+     jsval* slots = obj->dslots;
+     if (!slots)
+         return AllocSlots(cx, obj, nslots);
+     size_t oslots = size_t(slots[-1]);
+     slots = (jsval*) cx->realloc(slots - 1, nwords * sizeof(jsval));
+     *slots++ = nslots;
      obj->dslots = slots;
-     /* If we're extending an allocation, initialize free slots. */
+     /* Initialize the additional slots we added. */
-     for (i = oslots; i < nslots; i++)
+     JS_ASSERT(nslots > oslots);
+     for (size_t i = oslots; i < nslots; i++)
          slots[i - JS_INITIAL_NSLOTS] = JSVAL_VOID;
-     return JS_TRUE;
+     return true;
+ }
+ void
+ js_ShrinkSlots(JSContext *cx, JSObject *obj, size_t nslots)
+ {
+     jsval* slots = obj->dslots;
+     /* Nothing to shrink? */
+     if (!slots)
+         return;
- #undef LINEAR_GROWTH_STEP
+     JS_ASSERT(size_t(slots[-1]) > JS_INITIAL_NSLOTS);
- #undef MIN_DYNAMIC_WORDS
+     JS_ASSERT(nslots <= size_t(slots[-1]));
+     if (nslots <= JS_INITIAL_NSLOTS) {
+         cx->free(slots - 1);
+         obj->dslots = NULL;
+     } else {
+         size_t nwords = SLOTS_TO_DYNAMIC_WORDS(nslots);
+         slots = (jsval*) cx->realloc(slots - 1, nwords * sizeof(jsval));
+         *slots++ = nslots;
+         obj->dslots = slots;
+     }
+ }
+ bool
+ js_EnsureReservedSlots(JSContext *cx, JSObject *obj, size_t nreserved)
+ {
+     JS_ASSERT(OBJ_IS_NATIVE(obj));
+     JS_ASSERT(!obj->dslots);
+     uintN nslots = JSSLOT_FREE(STOBJ_GET_CLASS(obj)) + nreserved;
+     if (nslots > STOBJ_NSLOTS(obj) && !AllocSlots(cx, obj, nslots))
+         return false;
+     JSScope *scope = OBJ_SCOPE(obj);
+     if (scope->owned()) {
+ #ifdef JS_THREADSAFE
+         JS_ASSERT(scope->title.ownercx->thread == cx->thread);
+ #endif
+         JS_ASSERT(scope->freeslot == JSSLOT_FREE(STOBJ_GET_CLASS(obj)));
+         if (scope->freeslot < nslots)
+             scope->freeslot = nslots;
+     }
+     return true;
  }
  extern JSBool
-Line 3008
+Line 3140
      return JS_TRUE;
  }
- JSObject *
- js_NewObject(JSContext *cx, JSClass *clasp, JSObject *proto, JSObject *parent,
-              uintN objectSize)
- {
-     jsid id;
-     /* Bootstrap the ur-object, and make it the default prototype object. */
-     if (!proto) {
-         if (!js_GetClassId(cx, clasp, &id))
-             return NULL;
-         if (!js_GetClassPrototype(cx, parent, id, &proto))
-             return NULL;
-         if (!proto &&
-             !js_GetClassPrototype(cx, parent, INT_TO_JSID(JSProto_Object),
-                                   &proto)) {
-             return NULL;
-         }
-     }
-     return js_NewObjectWithGivenProto(cx, clasp, proto, parent, objectSize);
- }
- JSObject *
- js_NewObjectWithGivenProto(JSContext *cx, JSClass *clasp, JSObject *proto,
-                            JSObject *parent, uintN objectSize)
- {
- #ifdef INCLUDE_MOZILLA_DTRACE
-     if (JAVASCRIPT_OBJECT_CREATE_START_ENABLED())
-         jsdtrace_object_create_start(cx->fp, clasp);
- #endif
-     /* Currently only functions can have non-standard allocation size. */
-     if (clasp == &js_FunctionClass) {
-         if (objectSize == 0)
-             objectSize = sizeof(JSFunction);
-         else
-             JS_ASSERT(objectSize == sizeof(JSObject));
-     } else {
-         JS_ASSERT(objectSize == 0);
-         objectSize = sizeof(JSObject);
-     }
-     /* Assert that the class is a proper class. */
-     JS_ASSERT_IF(clasp->flags & JSCLASS_IS_EXTENDED,
-                  ((JSExtendedClass *)clasp)->equality);
-     /* Always call the class's getObjectOps hook if it has one. */
-     JSObjectOps *ops = clasp->getObjectOps
-                        ? clasp->getObjectOps(cx, clasp)
-                        : &js_ObjectOps;
-     /*
-      * Allocate an object from the GC heap and initialize all its fields before
-      * doing any operation that can potentially trigger GC.
-      */
-     JSObject *obj = (JSObject *) js_NewGCThing(cx, GCX_OBJECT, objectSize);
-     if (!obj)
-         goto out;
-     /*
-      * Set the class slot with the initial value of the system and delegate
-      * flags set to false.
-      */
-     JS_ASSERT(((jsuword) clasp & 3) == 0);
-     obj->classword = jsuword(clasp);
-     JS_ASSERT(!STOBJ_IS_DELEGATE(obj));
-     JS_ASSERT(!STOBJ_IS_SYSTEM(obj));
-     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
-     /*
-      * Default parent to the parent of the prototype, which was set from
-      * the parent of the prototype's constructor.
-      */
-     obj->fslots[JSSLOT_PARENT] = OBJECT_TO_JSVAL((!parent && proto)
-                                                  ? OBJ_GET_PARENT(cx, proto)
-                                                  : parent);
-     /* Initialize the remaining fixed slots. */
-     for (uint32 i = JSSLOT_PRIVATE; i < JS_INITIAL_NSLOTS; ++i)
-         obj->fslots[i] = JSVAL_VOID;
-     obj->dslots = NULL;
-     if (OPS_IS_NATIVE(ops)) {
-         if (!InitScopeForObject(cx, obj, proto, ops)) {
-             obj = NULL;
-             goto out;
-         }
-     } else {
-         JS_ASSERT(ops->objectMap->ops == ops);
-         obj->map = const_cast<JSObjectMap *>(ops->objectMap);
-     }
- #ifdef DEBUG
-     memset((uint8 *) obj + sizeof(JSObject), JS_FREE_PATTERN,
-            objectSize - sizeof(JSObject));
- #endif
-     /* Check that the newborn root still holds the object. */
-     JS_ASSERT_IF(!cx->localRootStack, cx->weakRoots.newborn[GCX_OBJECT] == obj);
-     /*
-      * Do not call debug hooks on trace, because we might be in a non-_FAIL
-      * builtin. See bug 481444.
-      */
-     if (cx->debugHooks->objectHook && !JS_ON_TRACE(cx)) {
-         JSAutoTempValueRooter tvr(cx, obj);
-         JS_KEEP_ATOMS(cx->runtime);
-         cx->debugHooks->objectHook(cx, obj, JS_TRUE,
-                                    cx->debugHooks->objectHookData);
-         JS_UNKEEP_ATOMS(cx->runtime);
-         cx->weakRoots.newborn[GCX_OBJECT] = obj;
-     }
- out:
- #ifdef INCLUDE_MOZILLA_DTRACE
-     if (JAVASCRIPT_OBJECT_CREATE_ENABLED())
-         jsdtrace_object_create(cx, clasp, obj);
-     if (JAVASCRIPT_OBJECT_CREATE_DONE_ENABLED())
-         jsdtrace_object_create_done(cx->fp, clasp);
- #endif
-     return obj;
- }
- JSObject*
- js_NewNativeObject(JSContext *cx, JSClass *clasp, JSObject *proto, uint32 slot)
- {
-     JS_ASSERT(!clasp->getObjectOps);
-     JS_ASSERT(proto->map->ops == &js_ObjectOps);
-     JS_ASSERT(OBJ_GET_CLASS(cx, proto) == clasp);
-     JSObject* obj = (JSObject*) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));
-     if (!obj)
-         return NULL;
-     js_HoldScope(OBJ_SCOPE(proto));
-     obj->map = proto->map;
-     obj->classword = jsuword(clasp);
-     obj->fslots[JSSLOT_PROTO] = OBJECT_TO_JSVAL(proto);
-     obj->fslots[JSSLOT_PARENT] = proto->fslots[JSSLOT_PARENT];
-     JS_ASSERT(slot > JSSLOT_PARENT);
-     while (slot < JS_INITIAL_NSLOTS)
-         obj->fslots[slot++] = JSVAL_VOID;
-     obj->dslots = NULL;
-     return obj;
- }
  JS_BEGIN_EXTERN_C
  static JSObject *
-Line 3308
+Line 3290
                      v = JSVAL_VOID;
              }
          }
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      }
      *vp = v;
      return JS_TRUE;
-Line 3320
+Line 3302
  {
      jsid id;
      jsval cval, rval;
-     JSTempValueRooter argtvr, tvr;
      JSObject *obj, *ctor;
-     JS_PUSH_TEMP_ROOT(cx, argc, argv, &argtvr);
+     JSAutoTempValueRooter argtvr(cx, argc, argv);
      if (!js_GetClassId(cx, clasp, &id) ||
          !js_FindClassObject(cx, parent, id, &cval)) {
-         JS_POP_TEMP_ROOT(cx, &argtvr);
          return NULL;
      }
      if (JSVAL_IS_PRIMITIVE(cval)) {
          js_ReportIsNotFunction(cx, &cval, JSV2F_CONSTRUCT | JSV2F_SEARCH_STACK);
-         JS_POP_TEMP_ROOT(cx, &argtvr);
          return NULL;
      }
-     /*
+     /* Protect cval in case a crazy getter for .prototype uproots it. */
-      * Protect cval in case a crazy getter for .prototype uproots it.  After
+     JSAutoTempValueRooter tvr(cx, cval);
-      * this point, all control flow must exit through label out with obj set.
-      */
-     JS_PUSH_SINGLE_TEMP_ROOT(cx, cval, &tvr);
-     MUST_FLOW_THROUGH("out");
      /*
       * If proto or parent are NULL, set them to Constructor.prototype and/or
-Line 3352
+Line 3327
      if (!parent)
          parent = OBJ_GET_PARENT(cx, ctor);
      if (!proto) {
-         if (!OBJ_GET_PROPERTY(cx, ctor,
+         if (!ctor->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom),
-                               ATOM_TO_JSID(cx->runtime->atomState
+                                &rval)) {
-                                            .classPrototypeAtom),
+             return NULL;
-                               &rval)) {
-             obj = NULL;
-             goto out;
          }
          if (JSVAL_IS_OBJECT(rval))
              proto = JSVAL_TO_OBJECT(rval);
      }
-     obj = js_NewObject(cx, clasp, proto, parent, 0);
+     obj = js_NewObject(cx, clasp, proto, parent);
      if (!obj)
-         goto out;
+         return NULL;
      if (!js_InternalConstruct(cx, obj, cval, argc, argv, &rval))
-         goto bad;
+         return NULL;
      if (JSVAL_IS_PRIMITIVE(rval))
-         goto out;
+         return obj;
-     obj = JSVAL_TO_OBJECT(rval);
      /*
       * If the instance's class differs from what was requested, throw a type
-Line 3381
+Line 3352
       * private data set at this point, then the constructor was replaced and
       * we should throw a type error.
       */
+     obj = JSVAL_TO_OBJECT(rval);
      if (OBJ_GET_CLASS(cx, obj) != clasp ||
          (!(~clasp->flags & (JSCLASS_HAS_PRIVATE |
                              JSCLASS_CONSTRUCT_PROTOTYPE)) &&
-          !JS_GetPrivate(cx, obj))) {
+          !obj->getPrivate())) {
          JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                               JSMSG_WRONG_CONSTRUCTOR, clasp->name);
-         goto bad;
+         return NULL;
      }
- out:
-     JS_POP_TEMP_ROOT(cx, &tvr);
-     JS_POP_TEMP_ROOT(cx, &argtvr);
      return obj;
- bad:
-     cx->weakRoots.newborn[GCX_OBJECT] = NULL;
-     obj = NULL;
-     goto out;
- }
- void
- js_FinalizeObject(JSContext *cx, JSObject *obj)
- {
-     /* Cope with stillborn objects that have no map. */
-     if (!obj->map)
-         return;
-     if (cx->debugHooks->objectHook) {
-         cx->debugHooks->objectHook(cx, obj, JS_FALSE,
-                                    cx->debugHooks->objectHookData);
-     }
-     /* Finalize obj first, in case it needs map and slots. */
-     STOBJ_GET_CLASS(obj)->finalize(cx, obj);
- #ifdef INCLUDE_MOZILLA_DTRACE
-     if (JAVASCRIPT_OBJECT_FINALIZE_ENABLED())
-         jsdtrace_object_finalize(obj);
- #endif
-     if (OBJ_IS_NATIVE(obj))
-         js_DropScope(cx, OBJ_SCOPE(obj), obj);
-     FreeSlots(cx, obj);
  }
  /* XXXbe if one adds props, deletes earlier props, adds more, the last added
-Line 3434
+Line 3372
      JS_ASSERT(OBJ_IS_NATIVE(obj));
      JSScope *scope = OBJ_SCOPE(obj);
-     JSClass *clasp = LOCKED_OBJ_GET_CLASS(obj);
+     JSClass *clasp = obj->getClass();
      if (scope->freeslot == JSSLOT_FREE(clasp) && clasp->reserveSlots) {
          /* Adjust scope->freeslot to include computed reserved slots, if any. */
          scope->freeslot += clasp->reserveSlots(cx, obj);
      }
      if (scope->freeslot >= STOBJ_NSLOTS(obj) &&
-         !js_ReallocSlots(cx, obj, scope->freeslot + 1, JS_FALSE)) {
+         !js_GrowSlots(cx, obj, scope->freeslot + 1)) {
          return JS_FALSE;
      }
-Line 3458
+Line 3396
      JSScope *scope = OBJ_SCOPE(obj);
      LOCKED_OBJ_SET_SLOT(obj, slot, JSVAL_VOID);
-     if (scope->freeslot == slot + 1) {
+     if (scope->freeslot == slot + 1)
          scope->freeslot = slot;
-         /* When shrinking, js_ReallocSlots always returns true. */
-         js_ReallocSlots(cx, obj, slot, JS_FALSE);
-     }
  }
+ /* JSVAL_INT_MAX as a string */
+ #define JSVAL_INT_MAX_STRING "1073741823"
+ /*
+  * Convert string indexes that convert to int jsvals as ints to save memory.
+  * Care must be taken to use this macro every time a property name is used, or
+  * else double-sets, incorrect property cache misses, or other mistakes could
+  * occur.
+  */
  jsid
- js_CheckForStringIndex(jsid id, const jschar *cp, const jschar *end,
+ js_CheckForStringIndex(jsid id)
-                        JSBool negative)
  {
+     if (!JSID_IS_ATOM(id))
+         return id;
+     JSAtom *atom = JSID_TO_ATOM(id);
+     JSString *str = ATOM_TO_STRING(atom);
+     const jschar *s = str->flatChars();
+     jschar ch = *s;
+     JSBool negative = (ch == '-');
+     if (negative)
+         ch = *++s;
+     if (!JS7_ISDEC(ch))
+         return id;
+     size_t n = str->flatLength() - negative;
+     if (n > sizeof(JSVAL_INT_MAX_STRING) - 1)
+         return id;
+     const jschar *cp = s;
+     const jschar *end = s + n;
      jsuint index = JS7_UNDEC(*cp++);
      jsuint oldIndex = 0;
      jsuint c = 0;
-Line 3489
+Line 3454
       */
      if (cp != end || (negative && index == 0))
          return id;
      if (oldIndex < JSVAL_INT_MAX / 10 ||
          (oldIndex == JSVAL_INT_MAX / 10 && c <= (JSVAL_INT_MAX % 10))) {
          if (negative)
              index = 0 - index;
          id = INT_TO_JSID((jsint)index);
      }
      return id;
  }
-Line 3511
+Line 3478
          }
          JS_LOCK_OBJ(cx, obj);
          scope = OBJ_SCOPE(obj);
-         sprop = SCOPE_GET_PROPERTY(scope, id);
+         sprop = scope->lookup(id);
          if (sprop) {
              PCMETER(JS_PROPERTY_CACHE(cx).pcpurges++);
-             js_MakeScopeShapeUnique(cx, scope);
+             scope->shadowingShapeChange(cx, sprop);
              JS_UNLOCK_SCOPE(cx, scope);
-             if (!STOBJ_GET_PARENT(scope->object)) {
+             if (!STOBJ_GET_PARENT(obj)) {
                  /*
                   * All scope chains end in a global object, so this will change
                   * the global shape. jstracer.cpp assumes that the global shape
-Line 3527
+Line 3494
              }
              return JS_TRUE;
          }
-         obj = LOCKED_OBJ_GET_PROTO(scope->object);
+         obj = obj->getProto();
          JS_UNLOCK_SCOPE(cx, scope);
      }
      return JS_FALSE;
-Line 3536
+Line 3503
  void
  js_PurgeScopeChainHelper(JSContext *cx, JSObject *obj, jsid id)
  {
-     JS_ASSERT(OBJ_IS_DELEGATE(cx, obj));
+     JS_ASSERT(obj->isDelegate());
-     PurgeProtoChain(cx, OBJ_GET_PROTO(cx, obj), id);
+     PurgeProtoChain(cx, obj->getProto(), id);
      /*
       * We must purge the scope chain only for Call objects as they are the only
-Line 3574
+Line 3541
          sprop = NULL;
      } else {
          /* Convert string indices to integers if appropriate. */
-         CHECK_FOR_STRING_INDEX(id);
+         id = js_CheckForStringIndex(id);
-         sprop = js_AddScopeProperty(cx, scope, id, getter, setter, slot, attrs,
+         sprop = scope->add(cx, id, getter, setter, slot, attrs, flags, shortid);
-                                     flags, shortid);
      }
      JS_UNLOCK_OBJ(cx, obj);
      return sprop;
-Line 3594
+Line 3560
      if (!scope) {
          sprop = NULL;
      } else {
-         sprop = js_ChangeScopePropertyAttrs(cx, scope, sprop, attrs, mask,
+         sprop = scope->change(cx, sprop, attrs, mask, getter, setter);
-                                             getter, setter);
      }
      JS_UNLOCK_OBJ(cx, obj);
      return sprop;
-Line 3603
+Line 3568
  JSBool
  js_DefineProperty(JSContext *cx, JSObject *obj, jsid id, jsval value,
-                   JSPropertyOp getter, JSPropertyOp setter, uintN attrs,
+                   JSPropertyOp getter, JSPropertyOp setter, uintN attrs)
-                   JSProperty **propp)
  {
      return js_DefineNativeProperty(cx, obj, id, value, getter, setter, attrs,
-, 0, propp);
+, 0, NULL);
  }
  /*
-Line 3628
+Line 3592
              }                                                                 \
              if (*(vp) != nominal_) {                                          \
                  if (SPROP_HAS_VALID_SLOT(sprop, scope))                       \
-                     LOCKED_OBJ_WRITE_BARRIER(cx, obj, (sprop)->slot, *(vp));  \
+                     LOCKED_OBJ_WRITE_SLOT(cx, obj, (sprop)->slot, *(vp));     \
              }                                                                 \
          }                                                                     \
      JS_END_MACRO
-Line 3642
+Line 3606
      JSClass *clasp;
      JSScope *scope;
      JSScopeProperty *sprop;
-     bool added;
+     JSBool added;
      JS_ASSERT((defineHow & ~(JSDNP_CACHE_RESULT | JSDNP_DONT_PURGE)) == 0);
      js_LeaveTraceIfGlobalObject(cx, obj);
      /* Convert string indices to integers if appropriate. */
-     CHECK_FOR_STRING_INDEX(id);
+     id = js_CheckForStringIndex(id);
  #if JS_HAS_GETTER_SETTER
      /*
-Line 3675
+Line 3639
          if (sprop &&
              pobj == obj &&
              (sprop->attrs & (JSPROP_GETTER | JSPROP_SETTER))) {
-             sprop = js_ChangeScopePropertyAttrs(cx, OBJ_SCOPE(obj), sprop,
+             sprop = OBJ_SCOPE(obj)->change(cx, sprop, attrs,
-                                                 attrs, sprop->attrs,
+                                            JSPROP_GETTER | JSPROP_SETTER,
-                                                 (attrs & JSPROP_GETTER)
+                                            (attrs & JSPROP_GETTER)
-                                                 ? getter
+                                            ? getter
-                                                 : sprop->getter,
+                                            : sprop->getter,
-                                                 (attrs & JSPROP_SETTER)
+                                            (attrs & JSPROP_SETTER)
-                                                 ? setter
+                                            ? setter
-                                                 : sprop->setter);
+                                            : sprop->setter);
              /* NB: obj == pobj, so we can share unlock code at the bottom. */
              if (!sprop)
                  goto error;
          } else if (prop) {
-             /* NB: call OBJ_DROP_PROPERTY, as pobj might not be native. */
+             /* NB: call JSObject::dropProperty, as pobj might not be native. */
-             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             pobj->dropProperty(cx, prop);
              prop = NULL;
              sprop = NULL;
          }
-Line 3709
+Line 3673
       * prototype object. See the comment in jscntxt.h before protoHazardShape's
       * member declaration.
       */
-     if (OBJ_IS_DELEGATE(cx, obj) && (attrs & (JSPROP_READONLY | JSPROP_SETTER)))
+     if (obj->isDelegate() && (attrs & (JSPROP_READONLY | JSPROP_SETTER)))
          cx->runtime->protoHazardShape = js_GenerateShape(cx, false);
      /* Lock if object locking is required by this implementation. */
      JS_LOCK_OBJ(cx, obj);
      /* Use the object's class getter and setter by default. */
-     clasp = LOCKED_OBJ_GET_CLASS(obj);
+     clasp = obj->getClass();
      if (!getter)
          getter = clasp->getProperty;
      if (!setter)
-Line 3732
+Line 3696
          /* Add a new property, or replace an existing one of the same id. */
          if (clasp->flags & JSCLASS_SHARE_ALL_PROPERTIES)
              attrs |= JSPROP_SHARED;
-         sprop = js_AddScopeProperty(cx, scope, id, getter, setter,
-                                     SPROP_INVALID_SLOT, attrs, flags,
+         added = !scope->lookup(id);
-                                     shortid);
+         sprop = scope->add(cx, id, getter, setter, SPROP_INVALID_SLOT, attrs,
+                            flags, shortid);
          if (!sprop)
              goto error;
-         added = true;
      }
      /* Store value before calling addProperty, in case the latter GC's. */
      if (SPROP_HAS_VALID_SLOT(sprop, scope))
-         LOCKED_OBJ_WRITE_BARRIER(cx, obj, sprop->slot, value);
+         LOCKED_OBJ_WRITE_SLOT(cx, obj, sprop->slot, value);
      /* XXXbe called with lock held */
      ADD_PROPERTY_HELPER(cx, clasp, obj, scope, sprop, &value,
-                         js_RemoveScopeProperty(cx, scope, id);
+                         scope->remove(cx, id);
                          goto error);
      if (defineHow & JSDNP_CACHE_RESULT) {
-Line 3794
+Line 3758
      JSBool ok;
      /* Convert string indices to integers if appropriate. */
-     CHECK_FOR_STRING_INDEX(id);
+     id = js_CheckForStringIndex(id);
      /* Search scopes starting with obj and following the prototype link. */
      start = obj;
      for (protoIndex = 0; ; protoIndex++) {
          JS_LOCK_OBJ(cx, obj);
          scope = OBJ_SCOPE(obj);
-         if (scope->object == obj) {
+         sprop = scope->lookup(id);
-             sprop = SCOPE_GET_PROPERTY(scope, id);
-         } else {
-             /* Shared prototype scope: try resolve before lookup. */
-             sprop = NULL;
-         }
          /* Try obj's class resolve hook if id was not found in obj's scope. */
          if (!sprop) {
-             clasp = LOCKED_OBJ_GET_CLASS(obj);
+             clasp = obj->getClass();
              resolve = clasp->resolve;
              if (resolve != JS_ResolveStub) {
                  /* Avoid recursion on (obj, id) already being resolved on cx. */
-Line 3840
+Line 3799
                  if (clasp->flags & JSCLASS_NEW_RESOLVE) {
                      newresolve = (JSNewResolveOp)resolve;
                      if (flags == JSRESOLVE_INFER)
-                         flags = InferFlags(cx, flags);
+                         flags = js_InferFlags(cx, flags);
                      obj2 = (clasp->flags & JSCLASS_NEW_RESOLVE_GETS_START)
                             ? start
                             : NULL;
-Line 3869
+Line 3828
                          if (!OBJ_IS_NATIVE(obj2)) {
                              /* Whoops, newresolve handed back a foreign obj2. */
                              JS_ASSERT(obj2 != obj);
-                             ok = OBJ_LOOKUP_PROPERTY(cx, obj2, id, objp, propp);
+                             ok = obj2->lookupProperty(cx, id, objp, propp);
                              if (!ok || *propp)
                                  goto cleanup;
                              JS_LOCK_OBJ(cx, obj2);
-Line 3883
+Line 3842
                               * "too bad!" case.
                               */
                              scope = OBJ_SCOPE(obj2);
-                             if (scope->object == obj2)
+                             if (scope->owned())
-                                 sprop = SCOPE_GET_PROPERTY(scope, id);
+                                 sprop = scope->lookup(id);
                          }
                          if (sprop) {
-                             JS_ASSERT(obj2 == scope->object);
+                             JS_ASSERT(scope == OBJ_SCOPE(obj2));
+                             JS_ASSERT(scope->owned());
                              obj = obj2;
                          } else if (obj2 != obj) {
                              if (OBJ_IS_NATIVE(obj2))
-Line 3907
+Line 3867
                      JS_LOCK_OBJ(cx, obj);
                      JS_ASSERT(OBJ_IS_NATIVE(obj));
                      scope = OBJ_SCOPE(obj);
-                     if (scope->object == obj)
+                     if (scope->owned())
-                         sprop = SCOPE_GET_PROPERTY(scope, id);
+                         sprop = scope->lookup(id);
                  }
              cleanup:
-Line 3923
+Line 3883
          if (sprop) {
              SCOPE_DEPTH_ACCUM(&cx->runtime->protoLookupDepthStats, protoIndex);
              JS_ASSERT(OBJ_SCOPE(obj) == scope);
-             *objp = scope->object;      /* XXXbe hide in jsscope.[ch] */
+             *objp = obj;
              *propp = (JSProperty *) sprop;
              return protoIndex;
          }
-         proto = LOCKED_OBJ_GET_PROTO(obj);
+         proto = obj->getProto();
          JS_UNLOCK_OBJ(cx, obj);
          if (!proto)
              break;
          if (!OBJ_IS_NATIVE(proto)) {
-             if (!OBJ_LOOKUP_PROPERTY(cx, proto, id, objp, propp))
+             if (!proto->lookupProperty(cx, id, objp, propp))
                  return -1;
              return protoIndex + 1;
          }
+         /*
+          * Correctness elsewhere (the property cache and JIT), not here in
+          * particular, depends on all the objects on the prototype chain having
+          * different scopes. This is just a convenient place to check.
+          *
+          * Cloned Block objects do in fact share their prototype's scope -- but
+          * that is really just a memory-saving hack, safe because Blocks cannot
+          * be on the prototype chain of other objects.
+          */
+         JS_ASSERT_IF(OBJ_GET_CLASS(cx, obj) != &js_BlockClass,
+                      OBJ_SCOPE(obj) != OBJ_SCOPE(proto));
          obj = proto;
      }
-Line 3947
+Line 3920
      return protoIndex;
  }
- /*
-  * We cache name lookup results only for the global object or for native
-  * non-global objects without prototype or with prototype that never mutates,
-  * see bug 462734 and bug 487039.
-  */
- static inline bool
- IsCacheableNonGlobalScope(JSObject *obj)
- {
-     JS_ASSERT(STOBJ_GET_PARENT(obj));
-     JSClass *clasp = STOBJ_GET_CLASS(obj);
-     bool cacheable = (clasp == &js_CallClass ||
-                       clasp == &js_BlockClass ||
-                       clasp == &js_DeclEnvClass);
-     JS_ASSERT_IF(cacheable, obj->map->ops->lookupProperty == js_LookupProperty);
-     return cacheable;
- }
  JSPropCacheEntry *
  js_FindPropertyHelper(JSContext *cx, jsid id, JSBool cacheResult,
                        JSObject **objp, JSObject **pobjp, JSProperty **propp)
-Line 3984
+Line 3938
      parent = OBJ_GET_PARENT(cx, obj);
      for (scopeIndex = 0;
           parent
-          ? IsCacheableNonGlobalScope(obj)
+          ? js_IsCacheableNonGlobalScope(obj)
           : obj->map->ops->lookupProperty == js_LookupProperty;
           ++scopeIndex) {
          protoIndex =
-Line 4004
+Line 3958
                       * Block instances on the scope chain are immutable and
                       * always share their scope with compile-time prototypes.
                       */
-                     JS_ASSERT(pobj == OBJ_GET_PROTO(cx, obj));
+                     JS_ASSERT(pobj == obj);
-                     JS_ASSERT(OBJ_SCOPE(obj)->object == pobj);
+                     JS_ASSERT(protoIndex == 0);
-                     JS_ASSERT(protoIndex == 1);
                  } else {
                      /* Call and DeclEnvClass objects have no prototypes. */
                      JS_ASSERT(!OBJ_GET_PROTO(cx, obj));
-Line 4032
+Line 3985
      }
      for (;;) {
-         if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+         if (!obj->lookupProperty(cx, id, &pobj, &prop))
              return NULL;
          if (prop) {
              PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
-Line 4041
+Line 3994
          /*
           * We conservatively assume that a resolve hook could mutate the scope
-          * chain during OBJ_LOOKUP_PROPERTY. So we read parent here again.
+          * chain during JSObject::lookupProperty. So we read parent here again.
           */
          parent = OBJ_GET_PARENT(cx, obj);
          if (!parent) {
-Line 4084
+Line 4037
       * farther checks or lookups. For details see the JSOP_BINDNAME case of
       * js_Interpret.
       */
-     for (int scopeIndex = 0; IsCacheableNonGlobalScope(obj); scopeIndex++) {
+     for (int scopeIndex = 0; js_IsCacheableNonGlobalScope(obj); scopeIndex++) {
          JSObject *pobj;
          JSProperty *prop;
          int protoIndex = js_LookupPropertyWithFlags(cx, obj, id,
-Line 4116
+Line 4069
      do {
          JSObject *pobj;
          JSProperty *prop;
-         if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+         if (!obj->lookupProperty(cx, id, &pobj, &prop))
              return NULL;
          if (prop) {
-             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             pobj->dropProperty(cx, prop);
              break;
          }
          /*
           * We conservatively assume that a resolve hook could mutate the scope
-          * chain during OBJ_LOOKUP_PROPERTY. So we must check if parent is not
+          * chain during JSObject::lookupProperty. So we must check if parent is
-          * null here even if it wasn't before the lookup.
+          * not null here even if it wasn't before the lookup.
           */
          JSObject *parent = OBJ_GET_PARENT(cx, obj);
          if (!parent)
-Line 4151
+Line 4104
      JS_ASSERT(OBJ_IS_NATIVE(pobj));
      JS_ASSERT(JS_IS_OBJ_LOCKED(cx, pobj));
      scope = OBJ_SCOPE(pobj);
-     JS_ASSERT(scope->object == pobj);
      slot = sprop->slot;
      *vp = (slot != SPROP_INVALID_SLOT)
-Line 4171
+Line 4123
          return JS_FALSE;
      JS_LOCK_SCOPE(cx, scope);
-     JS_ASSERT(scope->object == pobj);
      if (SLOT_IN_SCOPE(slot, scope) &&
          (JS_LIKELY(cx->runtime->propertyRemovals == sample) ||
-          SCOPE_GET_PROPERTY(scope, sprop->id) == sprop)) {
+          scope->has(sprop))) {
          LOCKED_OBJ_SET_SLOT(pobj, slot, *vp);
      }
-Line 4195
+Line 4146
      JS_ASSERT(OBJ_IS_NATIVE(obj));
      JS_ASSERT(JS_IS_OBJ_LOCKED(cx, obj));
      scope = OBJ_SCOPE(obj);
-     JS_ASSERT(scope->object == obj || (sprop->attrs & JSPROP_SHARED));
      slot = sprop->slot;
      if (slot != SPROP_INVALID_SLOT) {
-Line 4209
+Line 4159
           * Allow API consumers to create shared properties with stub setters.
           * Such properties lack value storage, so setting them is like writing
           * to /dev/null.
-          *
-          * But we can't short-circuit if there's a scripted getter or setter
-          * since we might need to throw. In that case, we let SPROP_SET
-          * decide whether to throw an exception. See bug 478047.
           */
-         if (!(sprop->attrs & JSPROP_GETTER) && SPROP_HAS_STUB_SETTER(sprop)) {
+         if (SPROP_HAS_STUB_SETTER(sprop))
-             JS_ASSERT(!(sprop->attrs & JSPROP_SETTER));
              return JS_TRUE;
-         }
      }
      sample = cx->runtime->propertyRemovals;
-Line 4229
+Line 4173
          return JS_FALSE;
      JS_LOCK_SCOPE(cx, scope);
-     JS_ASSERT(scope->object == obj || (sprop->attrs & JSPROP_SHARED));
      if (SLOT_IN_SCOPE(slot, scope) &&
          (JS_LIKELY(cx->runtime->propertyRemovals == sample) ||
-          SCOPE_GET_PROPERTY(scope, sprop->id) == sprop)) {
+          scope->has(sprop))) {
    set_slot:
-         LOCKED_OBJ_WRITE_BARRIER(cx, obj, slot, *vp);
+         LOCKED_OBJ_WRITE_SLOT(cx, obj, slot, *vp);
      }
      return JS_TRUE;
-Line 4251
+Line 4194
      JS_ASSERT_IF(cacheResult, !JS_ON_TRACE(cx));
      /* Convert string indices to integers if appropriate. */
-     CHECK_FOR_STRING_INDEX(id);
+     id = js_CheckForStringIndex(id);
      aobj = js_GetProtoIfDenseArray(cx, obj);
      protoIndex = js_LookupPropertyWithFlags(cx, aobj, id, cx->resolveFlags,
-Line 4284
+Line 4227
                  flags = JSREPORT_ERROR;
              } else {
                  if (!JS_HAS_STRICT_OPTION(cx) ||
-                     (op != JSOP_GETPROP && op != JSOP_GETELEM)) {
+                     (op != JSOP_GETPROP && op != JSOP_GETELEM) ||
+                     js_CurrentPCIsInImacro(cx)) {
                      return JS_TRUE;
                  }
-Line 4319
+Line 4263
      }
      if (!OBJ_IS_NATIVE(obj2)) {
-         OBJ_DROP_PROPERTY(cx, obj2, prop);
+         obj2->dropProperty(cx, prop);
-         return OBJ_GET_PROPERTY(cx, obj2, id, vp);
+         return obj2->getProperty(cx, id, vp);
      }
      sprop = (JSScopeProperty *) prop;
-Line 4347
+Line 4291
  js_GetMethod(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
               jsval *vp)
  {
+     JSAutoResolveFlags rf(cx, JSRESOLVE_QUALIFIED);
      if (obj->map->ops == &js_ObjectOps ||
          obj->map->ops->getProperty == js_GetProperty) {
          return js_GetPropertyHelper(cx, obj, id, cacheResult, vp);
-Line 4356
+Line 4302
      if (OBJECT_IS_XML(cx, obj))
          return js_GetXMLMethod(cx, obj, id, vp);
  #endif
-     return OBJ_GET_PROPERTY(cx, obj, id, vp);
+     return obj->getProperty(cx, id, vp);
  }
  JS_FRIEND_API(JSBool)
-Line 4403
+Line 4349
          JS_ASSERT_NOT_ON_TRACE(cx);
      /* Convert string indices to integers if appropriate. */
-     CHECK_FOR_STRING_INDEX(id);
+     id = js_CheckForStringIndex(id);
      /*
       * We peek at OBJ_SCOPE(obj) without locking obj. Any race means a failure
       * to seal before sharing, which is inherently ambiguous.
       */
-     if (SCOPE_IS_SEALED(OBJ_SCOPE(obj)) && OBJ_SCOPE(obj)->object == obj) {
+     if (OBJ_SCOPE(obj)->sealed() && OBJ_SCOPE(obj)->object == obj) {
          flags = JSREPORT_ERROR;
          goto read_only_error;
      }
-Line 4420
+Line 4366
          return JS_FALSE;
      if (prop) {
          if (!OBJ_IS_NATIVE(pobj)) {
-             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             pobj->dropProperty(cx, prop);
              prop = NULL;
          }
      } else {
-Line 4436
+Line 4382
       * Now either sprop is null, meaning id was not found in obj or one of its
       * prototypes; or sprop is non-null, meaning id was found in pobj's scope.
       * If JS_THREADSAFE and sprop is non-null, then scope is locked, and sprop
-      * is held: we must OBJ_DROP_PROPERTY or JS_UNLOCK_SCOPE before we return
+      * is held: we must JSObject::dropProperty or JS_UNLOCK_SCOPE before we
-      * (the two are equivalent for native objects, but we use JS_UNLOCK_SCOPE
+      * return (the two are equivalent for native objects, but we use
-      * because it is cheaper).
+      * JS_UNLOCK_SCOPE because it is cheaper).
       */
      attrs = JSPROP_ENUMERATE;
      flags = 0;
-Line 4457
+Line 4403
          attrs = sprop->attrs;
          if ((attrs & JSPROP_READONLY) ||
-             (SCOPE_IS_SEALED(scope) && (attrs & JSPROP_SHARED))) {
+             (scope->sealed() && (attrs & JSPROP_SHARED))) {
              JS_UNLOCK_SCOPE(cx, scope);
              /*
-Line 4476
+Line 4422
                      if (cacheResult)
                          TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
                      return JS_TRUE;
+ #ifdef JS_TRACER
                  error: // TRACE_2 jumps here in case of error.
                      return JS_FALSE;
+ #endif
                  }
                  /* Strict mode: report a read-only strict warning. */
-Line 4558
+Line 4506
          }
          if (clasp->flags & JSCLASS_SHARE_ALL_PROPERTIES)
              attrs |= JSPROP_SHARED;
-         sprop = js_AddScopeProperty(cx, scope, id, getter, setter,
+         sprop = scope->add(cx, id, getter, setter, SPROP_INVALID_SLOT, attrs,
-                                     SPROP_INVALID_SLOT, attrs, flags, shortid);
+                            flags, shortid);
          if (!sprop) {
              JS_UNLOCK_SCOPE(cx, scope);
              return JS_FALSE;
-Line 4575
+Line 4523
          /* XXXbe called with obj locked */
          ADD_PROPERTY_HELPER(cx, clasp, obj, scope, sprop, vp,
-                             js_RemoveScopeProperty(cx, scope, id);
+                             scope->remove(cx, id);
                              JS_UNLOCK_SCOPE(cx, scope);
                              return JS_FALSE);
          added = true;
-Line 4621
+Line 4569
              return JS_TRUE;
          }
          if (!OBJ_IS_NATIVE(obj)) {
-             ok = OBJ_GET_ATTRIBUTES(cx, obj, id, prop, attrsp);
+             ok = obj->getAttributes(cx, id, prop, attrsp);
-             OBJ_DROP_PROPERTY(cx, obj, prop);
+             obj->dropProperty(cx, prop);
              return ok;
          }
      }
      sprop = (JSScopeProperty *)prop;
      *attrsp = sprop->attrs;
      if (noprop)
-         OBJ_DROP_PROPERTY(cx, obj, prop);
+         obj->dropProperty(cx, prop);
      return JS_TRUE;
  }
-Line 4647
+Line 4595
          if (!prop)
              return JS_TRUE;
          if (!OBJ_IS_NATIVE(obj)) {
-             ok = OBJ_SET_ATTRIBUTES(cx, obj, id, prop, attrsp);
+             ok = obj->setAttributes(cx, id, prop, attrsp);
-             OBJ_DROP_PROPERTY(cx, obj, prop);
+             obj->dropProperty(cx, prop);
              return ok;
          }
      }
-Line 4656
+Line 4604
      sprop = js_ChangeNativePropertyAttrs(cx, obj, sprop, *attrsp, 0,
                                           sprop->getter, sprop->setter);
      if (noprop)
-         OBJ_DROP_PROPERTY(cx, obj, prop);
+         obj->dropProperty(cx, prop);
      return (sprop != NULL);
  }
-Line 4672
+Line 4620
      *rval = JSVAL_TRUE;
      /* Convert string indices to integers if appropriate. */
-     CHECK_FOR_STRING_INDEX(id);
+     id = js_CheckForStringIndex(id);
      if (!js_LookupProperty(cx, obj, id, &proto, &prop))
          return JS_FALSE;
-Line 4689
+Line 4637
                  if (SPROP_IS_SHARED_PERMANENT(sprop))
                      *rval = JSVAL_FALSE;
              }
-             OBJ_DROP_PROPERTY(cx, proto, prop);
+             proto->dropProperty(cx, prop);
              if (*rval == JSVAL_FALSE)
                  return JS_TRUE;
          }
-Line 4705
+Line 4653
      sprop = (JSScopeProperty *)prop;
      if (sprop->attrs & JSPROP_PERMANENT) {
-         OBJ_DROP_PROPERTY(cx, obj, prop);
+         obj->dropProperty(cx, prop);
          *rval = JSVAL_FALSE;
          return JS_TRUE;
      }
      /* XXXbe called with obj locked */
-     if (!LOCKED_OBJ_GET_CLASS(obj)->delProperty(cx, obj, SPROP_USERID(sprop),
+     if (!obj->getClass()->delProperty(cx, obj, SPROP_USERID(sprop), rval)) {
-                                                 rval)) {
+         obj->dropProperty(cx, prop);
-         OBJ_DROP_PROPERTY(cx, obj, prop);
          return JS_FALSE;
      }
-Line 4721
+Line 4668
      if (SPROP_HAS_VALID_SLOT(sprop, scope))
          GC_POKE(cx, LOCKED_OBJ_GET_SLOT(obj, sprop->slot));
-     ok = js_RemoveScopeProperty(cx, scope, id);
+     ok = scope->remove(cx, id);
-     OBJ_DROP_PROPERTY(cx, obj, prop);
+     obj->dropProperty(cx, prop);
      return ok;
  }
-Line 4736
+Line 4683
      switch (hint) {
        case JSTYPE_STRING:
          /*
+          * Optimize for String objects with standard toString methods. Support
+          * new String(...) instances whether mutated to have their own scope or
+          * not, as well as direct String.prototype references.
+          */
+         if (OBJ_GET_CLASS(cx, obj) == &js_StringClass) {
+             jsid toStringId = ATOM_TO_JSID(cx->runtime->atomState.toStringAtom);
+             JS_LOCK_OBJ(cx, obj);
+             JSScope *scope = OBJ_SCOPE(obj);
+             JSScopeProperty *sprop = scope->lookup(toStringId);
+             JSObject *pobj = obj;
+             if (!sprop) {
+                 pobj = obj->getProto();
+                 if (pobj && OBJ_GET_CLASS(cx, pobj) == &js_StringClass) {
+                     JS_UNLOCK_SCOPE(cx, scope);
+                     JS_LOCK_OBJ(cx, pobj);
+                     scope = OBJ_SCOPE(pobj);
+                     sprop = scope->lookup(toStringId);
+                 }
+             }
+             if (sprop &&
+                 SPROP_HAS_STUB_GETTER(sprop) &&
+                 SPROP_HAS_VALID_SLOT(sprop, scope)) {
+                 jsval fval = LOCKED_OBJ_GET_SLOT(pobj, sprop->slot);
+                 if (VALUE_IS_FUNCTION(cx, fval)) {
+                     JSObject *funobj = JSVAL_TO_OBJECT(fval);
+                     JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
+                     if (FUN_FAST_NATIVE(fun) == js_str_toString) {
+                         JS_UNLOCK_SCOPE(cx, scope);
+                         *vp = obj->fslots[JSSLOT_PRIMITIVE_THIS];
+                         return JS_TRUE;
+                     }
+                 }
+             }
+             JS_UNLOCK_SCOPE(cx, scope);
+         }
+         /*
           * Propagate the exception if js_TryMethod finds an appropriate
           * method, and calling that method returned failure.
           */
-Line 4795
+Line 4785
   * in the object. Instead for the empty enumerator the code uses JSVAL_ZERO as
   * the enumeration state.
   *
-  * JSRuntime.nativeEnumCache caches the enumerators using scope's shape to
+  * JSThreadData.nativeEnumCache caches the enumerators using scope's shape to
   * avoid repeated scanning of scopes for enumerable properties. The cache
   * entry is either JSNativeEnumerator* or, for the empty enumerator, the shape
   * value itself. The latter is stored as (shape << 1) | 1 to ensure that it is
   * always different from JSNativeEnumerator* values.
+  *
+  * We cache the enumerators in the JSENUMERATE_INIT case of js_Enumerate, not
+  * during JSENUMERATE_DESTROY. The GC can invoke the latter case during the
+  * finalization when JSNativeEnumerator contains finalized ids and the
+  * enumerator must be freed.
   */
  struct JSNativeEnumerator {
      /*
       * The index into the ids array. It runs from the length down to 1 when
       * the enumerator is running. It is 0 when the enumerator is finished and
-      * can be reused on a cache hit. Its type is jsword, not uint32, for
+      * can be reused on a cache hit.
-      * compatibility with js_CompareAndSwap.
+     */
-      */
+     uint32                  cursor;
-     jsword                  cursor;
      uint32                  length;     /* length of ids array */
      uint32                  shape;      /* "shape" number -- see jsscope.h */
-     JSNativeEnumerator      *next;      /* list linking */
      jsid                    ids[1];     /* enumeration id array */
+     static inline size_t size(uint32 length) {
+         JS_ASSERT(length != 0);
+         return offsetof(JSNativeEnumerator, ids) +
+                (size_t) length * sizeof(jsid);
+     }
+     bool isFinished() const {
+         return cursor == 0;
+     }
+     void mark(JSTracer *trc) {
+         JS_ASSERT(length >= 1);
+         jsid *cursor = ids;
+         jsid *end = ids + length;
+         do {
+             js_TraceId(trc, *cursor);
+         } while (++cursor != end);
+     }
  };
  /* The tagging of shape values requires one bit. */
  JS_STATIC_ASSERT((jsuword) SHAPE_OVERFLOW_BIT <=
                   ((jsuword) 1 << (JS_BITS_PER_WORD - 1)));
- static inline size_t
+ static void
- NativeEnumeratorSize(uint32 length)
+ SetEnumeratorCache(JSContext *cx, jsuword *cachep, jsuword newcache)
  {
-     JS_ASSERT(length != 0);
+     jsuword old = *cachep;
-     return offsetof(JSNativeEnumerator, ids) + (size_t) length * sizeof(jsid);
+     *cachep = newcache;
+     if (!(old & jsuword(1)) && old) {
+         /* Free the cached enumerator unless it is running. */
+         JSNativeEnumerator *ne = reinterpret_cast<JSNativeEnumerator *>(old);
+         if (ne->isFinished())
+             cx->free(ne);
+     }
  }
- /*
-  * This function is used to enumerate the properties of native JSObjects
-  * and those host objects that do not define a JSNewEnumerateOp-style iterator
-  * function.
-  */
  JSBool
  js_Enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op,
               jsval *statep, jsid *idp)
  {
-     JSClass *clasp;
+     /* Here cx is JSTracer when enum_op is JSENUMERATE_MARK. */
-     JSEnumerateOp enumerate;
+     JSClass *clasp = obj->getClass();
-     JSNativeEnumerator *ne;
+     JSEnumerateOp enumerate = clasp->enumerate;
-     uint32 length, shape;
-     size_t allocated;
-     JSScope *scope;
-     jsuword *cachep, oldcache;
-     JSScopeProperty *sprop;
-     jsid *ids;
-     jsword newcursor;
-     clasp = OBJ_GET_CLASS(cx, obj);
-     enumerate = clasp->enumerate;
      if (clasp->flags & JSCLASS_NEW_ENUMERATE) {
          JS_ASSERT(enumerate != JS_EnumerateStub);
          return ((JSNewEnumerateOp) enumerate)(cx, obj, enum_op, statep, idp);
      }
      switch (enum_op) {
-       case JSENUMERATE_INIT:
+       case JSENUMERATE_INIT: {
          if (!enumerate(cx, obj))
-             return JS_FALSE;
+             return false;
          /*
           * The set of all property ids is pre-computed when the iterator is
-Line 4865
+Line 4867
           * during the iteration.
           *
           * Use a do-while(0) loop to avoid too many nested ifs. If ne is null
-          * after the loop, it indicates an empty enumerator. If allocated is
+          * after the loop, it indicates an empty enumerator.
-          * not zero after the loop, we add the newly allocated ne to the cache
-          * and runtime->nativeEnumerators list.
           */
-         ne = NULL;
+         JSNativeEnumerator *ne;
-         length = 0;
+         uint32 length;
-         allocated = (size_t) 0;
-         JS_LOCK_OBJ(cx, obj);
-         scope = OBJ_SCOPE(obj);
          do {
-             /*
+             uint32 shape = OBJ_SHAPE(obj);
-              * If this object shares a scope with its prototype, don't
-              * enumerate its properties. Otherwise they will be enumerated
-              * a second time when the prototype object is enumerated.
-              */
-             if (scope->object != obj) {
- #ifdef __GNUC__
-                 cachep = NULL;  /* suppress bogus gcc warnings */
- #endif
-                 break;
-             }
              ENUM_CACHE_METER(nativeEnumProbes);
-             shape = scope->shape;
+             jsuword *cachep = &JS_THREAD_DATA(cx)->
-             JS_ASSERT(shape < SHAPE_OVERFLOW_BIT);
+                               nativeEnumCache[NATIVE_ENUM_CACHE_HASH(shape)];
-             cachep = &cx->runtime->
+             jsuword oldcache = *cachep;
-                      nativeEnumCache[NATIVE_ENUM_CACHE_HASH(shape)];
-             oldcache = *cachep;
              if (oldcache & (jsuword) 1) {
-                 if ((uint32) (oldcache >> 1) == shape) {
+                 if (uint32(oldcache >> 1) == shape) {
                      /* scope has a shape with no enumerable properties. */
+                     ne = NULL;
+                     length = 0;
                      break;
                  }
-             } else if (oldcache != (jsuword) 0) {
+             } else if (oldcache != jsuword(0)) {
-                 /*
+                 ne = reinterpret_cast<JSNativeEnumerator *>(oldcache);
-                  * We can safely read ne->shape without taking the GC lock as
-                  * ne is deleted only when running the GC and ne->shape is
-                  * read-only after initialization.
-                  */
-                 ne = (JSNativeEnumerator *) *cachep;
                  JS_ASSERT(ne->length >= 1);
-                 if (ne->shape == shape) {
+                 if (ne->shape == shape && ne->isFinished()) {
-                     /*
+                     /* Mark ne as active. */
-                      * Check that ne is not running with another enumerator
+                     ne->cursor = ne->length;
-                      * and, if so, reuse and mark it as running from now.
-                      */
                      length = ne->length;
-                     if (js_CompareAndSwap(&ne->cursor, 0, length))
+                     JS_ASSERT(!ne->isFinished());
-                         break;
+                     break;
-                     length = 0;
                  }
-                 ne = NULL;
              }
              ENUM_CACHE_METER(nativeEnumMisses);
+             JS_LOCK_OBJ(cx, obj);
              /* Count all enumerable properties in object's scope. */
-             JS_ASSERT(length == 0);
+             JSScope *scope = OBJ_SCOPE(obj);
-             for (sprop = SCOPE_LAST_PROP(scope); sprop; sprop = sprop->parent) {
+             length = 0;
+             for (JSScopeProperty *sprop = SCOPE_LAST_PROP(scope);
+                  sprop;
+                  sprop = sprop->parent) {
                  if ((sprop->attrs & JSPROP_ENUMERATE) &&
                      !(sprop->flags & SPROP_IS_ALIAS) &&
-                     (!SCOPE_HAD_MIDDLE_DELETE(scope) ||
+                     (!scope->hadMiddleDelete() || scope->has(sprop))) {
-                      SCOPE_HAS_PROPERTY(scope, sprop))) {
                      length++;
                  }
              }
              if (length == 0) {
-                 /* cache the scope without enumerable properties. */
+                /*
-                 *cachep = ((jsuword) shape << 1) | (jsuword) 1;
+                 * Cache the scope without enumerable properties unless its
+                 * shape overflows, see bug 440834.
+                 */
+                 JS_UNLOCK_SCOPE(cx, scope);
+                 if (shape < SHAPE_OVERFLOW_BIT) {
+                     SetEnumeratorCache(cx, cachep,
+                                        (jsuword(shape) << 1) | jsuword(1));
+                 }
+                 ne = NULL;
                  break;
              }
-             allocated = NativeEnumeratorSize(length);
+             ne = (JSNativeEnumerator *)
-             ne = (JSNativeEnumerator *) JS_malloc(cx, allocated);
+                  cx->mallocNoReport(JSNativeEnumerator::size(length));
              if (!ne) {
+                 /* Report the OOM error outside the lock. */
                  JS_UNLOCK_SCOPE(cx, scope);
-                 return JS_FALSE;
+                 JS_ReportOutOfMemory(cx);
+                 return false;
              }
              ne->cursor = length;
              ne->length = length;
              ne->shape = shape;
-             ids = ne->ids;
-             for (sprop = SCOPE_LAST_PROP(scope); sprop; sprop = sprop->parent) {
+             jsid *ids = ne->ids;
+             for (JSScopeProperty *sprop = SCOPE_LAST_PROP(scope);
+                  sprop;
+                  sprop = sprop->parent) {
                  if ((sprop->attrs & JSPROP_ENUMERATE) &&
                      !(sprop->flags & SPROP_IS_ALIAS) &&
-                     (!SCOPE_HAD_MIDDLE_DELETE(scope) ||
+                     (!scope->hadMiddleDelete() || scope->has(sprop))) {
-                      SCOPE_HAS_PROPERTY(scope, sprop))) {
                      JS_ASSERT(ids < ne->ids + length);
                      *ids++ = sprop->id;
                  }
              }
              JS_ASSERT(ids == ne->ids + length);
+             JS_UNLOCK_SCOPE(cx, scope);
+             /*
+              * Do not cache enumerators for objects with with a shape
+              * that had overflowed, see bug 440834.
+              */
+             if (shape < SHAPE_OVERFLOW_BIT)
+                 SetEnumeratorCache(cx, cachep, reinterpret_cast<jsuword>(ne));
          } while (0);
-         JS_UNLOCK_SCOPE(cx, scope);
          if (!ne) {
              JS_ASSERT(length == 0);
-             JS_ASSERT(allocated == 0);
              *statep = JSVAL_ZERO;
          } else {
              JS_ASSERT(length != 0);
-             JS_ASSERT(ne->cursor == (jsword) length);
+             JS_ASSERT(ne->cursor == length);
-             if (allocated != 0) {
+             JS_ASSERT(!(reinterpret_cast<jsuword>(ne) & jsuword(1)));
-                 JS_LOCK_GC(cx->runtime);
-                 if (!js_AddAsGCBytes(cx, allocated)) {
-                     /* js_AddAsGCBytes releases the GC lock on failures. */
-                     JS_free(cx, ne);
-                     return JS_FALSE;
-                 }
-                 ne->next = cx->runtime->nativeEnumerators;
-                 cx->runtime->nativeEnumerators = ne;
-                 JS_ASSERT(((jsuword) ne & (jsuword) 1) == (jsuword) 0);
-                 *cachep = (jsuword) ne;
-                 JS_UNLOCK_GC(cx->runtime);
-             }
              *statep = PRIVATE_TO_JSVAL(ne);
          }
          if (idp)
              *idp = INT_TO_JSVAL(length);
          break;
+       }
        case JSENUMERATE_NEXT:
-       case JSENUMERATE_DESTROY:
+       case JSENUMERATE_DESTROY: {
          if (*statep == JSVAL_ZERO) {
              *statep = JSVAL_NULL;
              break;
          }
-         ne = (JSNativeEnumerator *) JSVAL_TO_PRIVATE(*statep);
+         JSNativeEnumerator *ne = (JSNativeEnumerator *)
+                                  JSVAL_TO_PRIVATE(*statep);
          JS_ASSERT(ne->length >= 1);
          JS_ASSERT(ne->cursor >= 1);
-         /*
-          * We must not access ne->cursor when we set it to zero as it means
-          * that ne is free and another thread can grab it from the cache. So
-          * we set the state to JSVAL_ZERO in the NEXT case to avoid touching
-          * ne->length again in the DESTROY case.
-          */
          if (enum_op == JSENUMERATE_NEXT) {
-             newcursor = ne->cursor - 1;
+             uint32 newcursor = ne->cursor - 1;
              *idp = ne->ids[newcursor];
-             ne->cursor = newcursor;
+             if (newcursor != 0) {
-             if (newcursor == 0)
+                 ne->cursor = newcursor;
-                 *statep = JSVAL_ZERO;
+                 break;
+             }
          } else {
              /* The enumerator has not iterated over all ids. */
+             JS_ASSERT(enum_op == JSENUMERATE_DESTROY);
+         }
+         *statep = JSVAL_ZERO;
+         jsuword *cachep = &JS_THREAD_DATA(cx)->
+                           nativeEnumCache[NATIVE_ENUM_CACHE_HASH(ne->shape)];
+         if (reinterpret_cast<jsuword>(ne) == *cachep) {
+             /* Mark the cached iterator as available. */
              ne->cursor = 0;
+         } else {
+             cx->free(ne);
          }
          break;
+       }
      }
-     return JS_TRUE;
+     return true;
  }
  void
- js_TraceNativeEnumerators(JSTracer *trc)
+ js_MarkEnumeratorState(JSTracer *trc, JSObject *obj, jsval state)
  {
-     JSRuntime *rt;
+     if (JSVAL_IS_TRACEABLE(state)) {
-     JSNativeEnumerator **nep, *ne;
+         JS_CALL_TRACER(trc, JSVAL_TO_TRACEABLE(state),
-     jsid *cursor, *end;
+                        JSVAL_TRACE_KIND(state), "enumerator_value");
+     } else if (obj->map->ops->enumerate == js_Enumerate &&
+                !(obj->getClass()->flags & JSCLASS_NEW_ENUMERATE)) {
+         /* Check if state stores JSNativeEnumerator. */
+         JS_ASSERT(JSVAL_IS_INT(state) ||
+                   JSVAL_IS_NULL(state) ||
+                   JSVAL_IS_VOID(state));
+         if (JSVAL_IS_INT(state) && state != JSVAL_ZERO)
+             ((JSNativeEnumerator *) JSVAL_TO_PRIVATE(state))->mark(trc);
+     }
+ }
+ void
+ js_PurgeCachedNativeEnumerators(JSContext *cx, JSThreadData *data)
+ {
+     jsuword *cachep = &data->nativeEnumCache[0];
+     jsuword *end = cachep + JS_ARRAY_LENGTH(data->nativeEnumCache);
+     for (; cachep != end; ++cachep)
+         SetEnumeratorCache(cx, cachep, jsuword(0));
-     /*
-      * Purge native enumerators cached by shape id, which we are about to
-      * re-number completely when tracing is done for the GC.
-      */
-     rt = trc->context->runtime;
-     if (IS_GC_MARKING_TRACER(trc)) {
-         memset(&rt->nativeEnumCache, 0, sizeof rt->nativeEnumCache);
  #ifdef JS_DUMP_ENUM_CACHE_STATS
-         printf("nativeEnumCache hit rate %g%%\n",
+     printf("nativeEnumCache hit rate %g%%\n",
-.0 * (rt->nativeEnumProbes - rt->nativeEnumMisses) /
+.0 * (cx->runtime->nativeEnumProbes -
-                rt->nativeEnumProbes);
+                     cx->runtime->nativeEnumMisses) /
+            cx->runtime->nativeEnumProbes);
  #endif
-     }
-     nep = &rt->nativeEnumerators;
-     while ((ne = *nep) != NULL) {
-         JS_ASSERT(ne->length != 0);
-         if (ne->cursor != 0) {
-             /* Trace ids of the running enumerator. */
-             cursor = ne->ids;
-             end = cursor + ne->length;
-             do {
-                 TRACE_ID(trc, *cursor);
-             } while (++cursor != end);
-         } else if (IS_GC_MARKING_TRACER(trc)) {
-             js_RemoveAsGCBytes(rt, NativeEnumeratorSize(ne->length));
-             *nep = ne->next;
-             JS_free(trc->context, ne);
-             continue;
-         }
-         nep = &ne->next;
-     }
  }
  JSBool
-Line 5086
+Line 5073
          break;
        default:
-         if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &pobj, &prop))
+         if (!obj->lookupProperty(cx, id, &pobj, &prop))
              return JS_FALSE;
          if (!prop) {
              if (!writing)
-Line 5097
+Line 5084
          }
          if (!OBJ_IS_NATIVE(pobj)) {
-             OBJ_DROP_PROPERTY(cx, pobj, prop);
+             pobj->dropProperty(cx, prop);
              /* Avoid diverging for non-natives that reuse js_CheckAccess. */
              if (pobj->map->ops->checkAccess == js_CheckAccess) {
-Line 5107
+Line 5094
                  }
                  break;
              }
-             return OBJ_CHECK_ACCESS(cx, pobj, id, mode, vp, attrsp);
+             return pobj->checkAccess(cx, id, mode, vp, attrsp);
          }
          sprop = (JSScopeProperty *)prop;
-Line 5117
+Line 5104
                    ? LOCKED_OBJ_GET_SLOT(pobj, sprop->slot)
                    : JSVAL_VOID;
          }
-         OBJ_DROP_PROPERTY(cx, pobj, prop);
+         pobj->dropProperty(cx, prop);
      }
      /*
-Line 5158
+Line 5145
      while ((tmp = OBJ_GET_PARENT(cx, obj)) != NULL)
          obj = tmp;
-     if (!OBJ_GET_PROPERTY(cx, obj,
+     if (!obj->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.ExecutionContextAtom), &xcval))
-                           ATOM_TO_JSID(cx->runtime->atomState
-                                        .ExecutionContextAtom),
-                           &xcval)) {
          return JS_FALSE;
-     }
      if (JSVAL_IS_PRIMITIVE(xcval)) {
          JS_ReportError(cx, "invalid ExecutionContext in global object");
          return JS_FALSE;
      }
-     if (!OBJ_GET_PROPERTY(cx, JSVAL_TO_OBJECT(xcval),
+     if (!JSVAL_TO_OBJECT(xcval)->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.currentAtom),
-                           ATOM_TO_JSID(cx->runtime->atomState.currentAtom),
+                                              rval)) {
-                           rval)) {
          return JS_FALSE;
      }
      return JS_TRUE;
-Line 5190
+Line 5172
          JSBool ok;
          callee = JSVAL_TO_OBJECT(argv[-2]);
-         if (!OBJ_GET_PROPERTY(cx, callee,
+         if (!callee->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.__call__Atom), &fval))
-                               ATOM_TO_JSID(cx->runtime->atomState.__call__Atom),
-                               &fval)) {
              return JS_FALSE;
-         }
          if (VALUE_IS_FUNCTION(cx, fval)) {
              if (!GetCurrentExecutionContext(cx, obj, &nargv[2]))
                  return JS_FALSE;
-Line 5232
+Line 5211
          JSBool ok;
          callee = JSVAL_TO_OBJECT(argv[-2]);
-         if (!OBJ_GET_PROPERTY(cx, callee,
+         if (!callee->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.__construct__Atom),
-                               ATOM_TO_JSID(cx->runtime->atomState
+                                  &cval)) {
-                                            .__construct__Atom),
-                               &cval)) {
              return JS_FALSE;
          }
          if (VALUE_IS_FUNCTION(cx, cval)) {
-Line 5272
+Line 5249
      {
          jsval fval, rval;
-         if (!OBJ_GET_PROPERTY(cx, obj,
+         if (!obj->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.__hasInstance__Atom), &fval))
-                               ATOM_TO_JSID(cx->runtime->atomState
-                                            .__hasInstance__Atom),
-                               &fval)) {
              return JS_FALSE;
-         }
          if (VALUE_IS_FUNCTION(cx, fval)) {
              if (!js_InternalCall(cx, obj, fval, 1, &v, &rval))
                  return JS_FALSE;
-Line 5320
+Line 5293
          return JS_FALSE;
      if (VALUE_IS_FUNCTION(cx, v)) {
          ctor = JSVAL_TO_OBJECT(v);
-         if (!OBJ_GET_PROPERTY(cx, ctor,
+         if (!ctor->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom), &v))
-                               ATOM_TO_JSID(cx->runtime->atomState
-                                            .classPrototypeAtom),
-                               &v)) {
              return JS_FALSE;
-         }
          if (!JSVAL_IS_PRIMITIVE(v)) {
              /*
               * Set the newborn root in case v is otherwise unreferenced.
-Line 5366
+Line 5335
      atom = cx->runtime->atomState.constructorAtom;
      JS_ASSERT(id == ATOM_TO_JSID(atom));
-     return OBJ_CHECK_ACCESS(cx, obj, ATOM_TO_JSID(atom), JSACC_READ,
+     return obj->checkAccess(cx, ATOM_TO_JSID(atom), JSACC_READ, vp, &attrs);
-                             vp, &attrs);
  }
  static JSBool
-Line 5378
+Line 5346
      atom = cx->runtime->atomState.constructorAtom;
      JS_ASSERT(id == ATOM_TO_JSID(atom));
-     return OBJ_CHECK_ACCESS(cx, obj, ATOM_TO_JSID(atom), JSACC_WRITE,
+     return obj->checkAccess(cx, ATOM_TO_JSID(atom), JSACC_WRITE, vp, &attrs);
-                             vp, &attrs);
  }
  JSBool
-Line 5392
+Line 5359
       * reset), while native or "system" constructors have DontEnum | ReadOnly |
       * DontDelete.
       */
-     if (!OBJ_DEFINE_PROPERTY(cx, ctor,
+     if (!ctor->defineProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom),
-                              ATOM_TO_JSID(cx->runtime->atomState
+                               OBJECT_TO_JSVAL(proto), JS_PropertyStub, JS_PropertyStub,
-                                           .classPrototypeAtom),
+                               attrs)) {
-                              OBJECT_TO_JSVAL(proto),
-                              JS_PropertyStub, JS_PropertyStub,
-                              attrs, NULL)) {
          return JS_FALSE;
      }
-Line 5405
+Line 5369
       * ECMA says that Object.prototype.constructor, or f.prototype.constructor
       * for a user-defined function f, is DontEnum.
       */
-     return OBJ_DEFINE_PROPERTY(cx, proto,
+     return proto->defineProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.constructorAtom),
-                                ATOM_TO_JSID(cx->runtime->atomState
+                                  OBJECT_TO_JSVAL(ctor), CheckCtorGetAccess, CheckCtorSetAccess, 0);
-                                             .constructorAtom),
-                                OBJECT_TO_JSVAL(ctor),
-                                CheckCtorGetAccess, CheckCtorSetAccess,
-, NULL);
  }
  JSBool
-Line 5423
+Line 5383
      JS_STATIC_ASSERT(JSVAL_INT == 1);
      JS_STATIC_ASSERT(JSVAL_DOUBLE == 2);
      JS_STATIC_ASSERT(JSVAL_STRING == 4);
-     JS_STATIC_ASSERT(JSVAL_BOOLEAN == 6);
+     JS_STATIC_ASSERT(JSVAL_SPECIAL == 6);
      static JSClass *const PrimitiveClasses[] = {
          &js_NumberClass,    /* INT     */
          &js_NumberClass,    /* DOUBLE  */
-Line 5437
+Line 5397
      JS_ASSERT(!JSVAL_IS_OBJECT(*vp));
      JS_ASSERT(!JSVAL_IS_VOID(*vp));
      clasp = PrimitiveClasses[JSVAL_TAG(*vp) - 1];
-     obj = js_NewObject(cx, clasp, NULL, NULL, 0);
+     obj = js_NewObject(cx, clasp, NULL, NULL);
      if (!obj)
          return JS_FALSE;
-     STOBJ_SET_SLOT(obj, JSSLOT_PRIVATE, *vp);
+     obj->fslots[JSSLOT_PRIMITIVE_THIS] = *vp;
      *vp = OBJECT_TO_JSVAL(obj);
      return JS_TRUE;
  }
-Line 5454
+Line 5414
          obj = NULL;
      } else if (JSVAL_IS_OBJECT(v)) {
          obj = JSVAL_TO_OBJECT(v);
-         if (!OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_OBJECT, &v))
+         if (!obj->defaultValue(cx, JSTYPE_OBJECT, &v))
              return JS_FALSE;
          if (!JSVAL_IS_PRIMITIVE(v))
              obj = JSVAL_TO_OBJECT(v);
-Line 5643
+Line 5603
  void
  js_PrintObjectSlotName(JSTracer *trc, char *buf, size_t bufsize)
  {
-     JSObject *obj;
-     uint32 slot;
-     JSScope *scope;
-     jsval nval;
-     JSScopeProperty *sprop;
-     JSClass *clasp;
-     uint32 key;
-     const char *slotname;
      JS_ASSERT(trc->debugPrinter == js_PrintObjectSlotName);
-     obj = (JSObject *)trc->debugPrintArg;
-     slot = (uint32)trc->debugPrintIndex;
+     JSObject *obj = (JSObject *)trc->debugPrintArg;
+     uint32 slot = (uint32)trc->debugPrintIndex;
+     JS_ASSERT(slot >= JSSLOT_START(obj->getClass()));
+     JSScopeProperty *sprop;
      if (OBJ_IS_NATIVE(obj)) {
-         scope = OBJ_SCOPE(obj);
+         JSScope *scope = OBJ_SCOPE(obj);
          sprop = SCOPE_LAST_PROP(scope);
          while (sprop && sprop->slot != slot)
              sprop = sprop->parent;
-Line 5666
+Line 5620
      }
      if (!sprop) {
-         switch (slot) {
+         const char *slotname = NULL;
-           case JSSLOT_PROTO:
+         JSClass *clasp = obj->getClass();
-             JS_snprintf(buf, bufsize, "__proto__");
+         if (clasp->flags & JSCLASS_IS_GLOBAL) {
-             break;
+             uint32 key = slot - JSSLOT_START(clasp);
-           case JSSLOT_PARENT:
+ #define JS_PROTO(name,code,init)                                              \
-             JS_snprintf(buf, bufsize, "__parent__");
-             break;
-           default:
-             slotname = NULL;
-             clasp = LOCKED_OBJ_GET_CLASS(obj);
-             if (clasp->flags & JSCLASS_IS_GLOBAL) {
-                 key = slot - JSSLOT_START(clasp);
- #define JS_PROTO(name,code,init) \
      if ((code) == key) { slotname = js_##name##_str; goto found; }
  #include "jsproto.tbl"
  #undef JS_PROTO
-             }
-           found:
-             if (slotname)
-                 JS_snprintf(buf, bufsize, "CLASS_OBJECT(%s)", slotname);
-             else
-                 JS_snprintf(buf, bufsize, "**UNKNOWN SLOT %ld**", (long)slot);
-             break;
          }
+       found:
+         if (slotname)
+             JS_snprintf(buf, bufsize, "CLASS_OBJECT(%s)", slotname);
+         else
+             JS_snprintf(buf, bufsize, "**UNKNOWN SLOT %ld**", (long)slot);
      } else {
-         nval = ID_TO_VALUE(sprop->id);
+         jsval nval = ID_TO_VALUE(sprop->id);
          if (JSVAL_IS_INT(nval)) {
              JS_snprintf(buf, bufsize, "%ld", (long)JSVAL_TO_INT(nval));
          } else if (JSVAL_IS_STRING(nval)) {
-Line 5706
+Line 5650
  void
  js_TraceObject(JSTracer *trc, JSObject *obj)
  {
-     JSContext *cx;
-     JSScope *scope;
-     JSBool traceScope;
-     JSScopeProperty *sprop;
-     JSClass *clasp;
-     size_t nslots, i;
-     jsval v;
      JS_ASSERT(OBJ_IS_NATIVE(obj));
-     cx = trc->context;
-     scope = OBJ_SCOPE(obj);
-     traceScope = (scope->object == obj);
-     if (!traceScope) {
-         JSObject *pobj = obj;
+     JSContext *cx = trc->context;
+     JSScope *scope = OBJ_SCOPE(obj);
+     if (scope->owned() && IS_GC_MARKING_TRACER(trc)) {
          /*
-          * Because obj does not own scope, we should be able to assert that an
+          * Check whether we should shrink the object's slots. Skip this check
-          * object on obj's prototype chain does -- or scope's properties might
+          * if the scope is shared, since for Block objects and flat closures
-          * go untraced. It indeed turns out that you can disconnect an object
+          * that share their scope, scope->freeslot can be an underestimate.
-          * from the prototype object whose scope it shares, so we may have to
-          * mark scope even though scope->object != obj.
           */
-         while ((pobj = LOCKED_OBJ_GET_PROTO(pobj)) != NULL) {
+         size_t slots = scope->freeslot;
-             if (pobj == scope->object)
+         if (STOBJ_NSLOTS(obj) != slots)
-                 break;
+             js_ShrinkSlots(cx, obj, slots);
-         }
-         JS_ASSERT_IF(pobj, OBJ_SCOPE(pobj) == scope);
-         traceScope = !pobj;
      }
-     if (traceScope) {
  #ifdef JS_DUMP_SCOPE_METERS
-         MeterEntryCount(scope->entryCount);
+     MeterEntryCount(scope->entryCount);
  #endif
-         sprop = SCOPE_LAST_PROP(scope);
+     scope->trace(trc);
-         if (sprop) {
-             JS_ASSERT(SCOPE_HAS_PROPERTY(scope, sprop));
-             /* Regenerate property cache shape ids if GC'ing. */
-             if (IS_GC_MARKING_TRACER(trc)) {
-                 uint32 shape, oldshape;
-                 shape = js_RegenerateShapeForGC(cx);
-                 if (!(sprop->flags & SPROP_MARK)) {
-                     oldshape = sprop->shape;
-                     sprop->shape = shape;
-                     sprop->flags |= SPROP_FLAG_SHAPE_REGEN;
-                     if (scope->shape != oldshape)
-                         shape = js_RegenerateShapeForGC(cx);
-                 }
-                 scope->shape = shape;
-             }
-             /* Trace scope's property tree ancestor line. */
-             do {
-                 if (SCOPE_HAD_MIDDLE_DELETE(scope) &&
-                     !SCOPE_HAS_PROPERTY(scope, sprop)) {
-                     continue;
-                 }
-                 TRACE_SCOPE_PROPERTY(trc, sprop);
-             } while ((sprop = sprop->parent) != NULL);
-         }
-     }
      if (!JS_CLIST_IS_EMPTY(&cx->runtime->watchPointList))
          js_TraceWatchPoints(trc, obj);
      /* No one runs while the GC is running, so we can use LOCKED_... here. */
-     clasp = LOCKED_OBJ_GET_CLASS(obj);
+     JSClass *clasp = obj->getClass();
      if (clasp->mark) {
          if (clasp->flags & JSCLASS_MARK_IS_TRACE)
              ((JSTraceOp) clasp->mark)(trc, obj);
-Line 5785
+Line 5683
              (void) clasp->mark(cx, obj, trc);
      }
+     obj->traceProtoAndParent(trc);
      /*
       * An unmutated object that shares a prototype object's scope. We can't
       * tell how many slots are in use in obj by looking at its scope, so we
-Line 5794
+Line 5694
       * don't move it up and unify it with the |if (!traceScope)| section
       * above.
       */
-     nslots = STOBJ_NSLOTS(obj);
+     uint32 nslots = STOBJ_NSLOTS(obj);
-     if (scope->object == obj && scope->freeslot < nslots)
+     if (scope->owned() && scope->freeslot < nslots)
          nslots = scope->freeslot;
+     JS_ASSERT(nslots >= JSSLOT_START(clasp));
-     for (i = 0; i != nslots; ++i) {
+     for (uint32 i = JSSLOT_START(clasp); i != nslots; ++i) {
-         v = STOBJ_GET_SLOT(obj, i);
+         jsval v = STOBJ_GET_SLOT(obj, i);
          if (JSVAL_IS_TRACEABLE(v)) {
              JS_SET_TRACING_DETAILS(trc, js_PrintObjectSlotName, obj, i);
              JS_CallTracer(trc, JSVAL_TO_TRACEABLE(v), JSVAL_TRACE_KIND(v));
-Line 5815
+Line 5716
      /*
       * Clear our scope and the property cache of all obj's properties only if
-      * obj owns the scope (i.e., not if obj is unmutated and therefore sharing
+      * obj owns the scope (i.e., not if obj is sharing another object's scope).
-      * its prototype's scope).  NB: we do not clear any reserved slots lying
+      * NB: we do not clear any reserved slots lying below JSSLOT_FREE(clasp).
-      * below JSSLOT_FREE(clasp).
       */
      JS_LOCK_OBJ(cx, obj);
      scope = OBJ_SCOPE(obj);
-     if (scope->object == obj) {
+     if (scope->owned()) {
          /* Now that we're done using scope->lastProp/table, clear scope. */
-         js_ClearScope(cx, scope);
+         scope->clear(cx);
          /* Clear slot values and reset freeslot so we're consistent. */
          i = STOBJ_NSLOTS(obj);
-         n = JSSLOT_FREE(LOCKED_OBJ_GET_CLASS(obj));
+         n = JSSLOT_FREE(obj->getClass());
          while (--i >= n)
              STOBJ_SET_SLOT(obj, i, JSVAL_VOID);
          scope->freeslot = n;
-Line 5835
+Line 5735
      JS_UNLOCK_OBJ(cx, obj);
  }
- jsval
+ /* On failure the function unlocks the object. */
- js_GetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot)
+ static bool
+ ReservedSlotIndexOK(JSContext *cx, JSObject *obj, JSClass *clasp,
+                     uint32 index, uint32 limit)
  {
-     jsval v;
+     JS_ASSERT(JS_IS_OBJ_LOCKED(cx, obj));
+     /* Check the computed, possibly per-instance, upper bound. */
+     if (clasp->reserveSlots)
+         limit += clasp->reserveSlots(cx, obj);
+     if (index >= limit) {
+         JS_UNLOCK_OBJ(cx, obj);
+         JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
+                              JSMSG_RESERVED_SLOT_RANGE);
+         return false;
+     }
+     return true;
+ }
+ bool
+ js_GetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval *vp)
+ {
+     if (!OBJ_IS_NATIVE(obj)) {
+         *vp = JSVAL_VOID;
+         return true;
+     }
+     JSClass *clasp = obj->getClass();
+     uint32 limit = JSCLASS_RESERVED_SLOTS(clasp);
      JS_LOCK_OBJ(cx, obj);
-     v = (slot < STOBJ_NSLOTS(obj)) ? STOBJ_GET_SLOT(obj, slot) : JSVAL_VOID;
+     if (index >= limit && !ReservedSlotIndexOK(cx, obj, clasp, index, limit))
+         return false;
+     uint32 slot = JSSLOT_START(clasp) + index;
+     *vp = (slot < STOBJ_NSLOTS(obj)) ? STOBJ_GET_SLOT(obj, slot) : JSVAL_VOID;
      JS_UNLOCK_OBJ(cx, obj);
-     return v;
+     return true;
  }
- JSBool
+ bool
- js_SetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot, jsval v)
+ js_SetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval v)
  {
-     JSScope *scope;
+     if (!OBJ_IS_NATIVE(obj))
-     uint32 nslots;
+         return true;
-     JSClass *clasp;
+     JSClass *clasp = OBJ_GET_CLASS(cx, obj);
+     uint32 limit = JSCLASS_RESERVED_SLOTS(clasp);
      JS_LOCK_OBJ(cx, obj);
-     scope = OBJ_SCOPE(obj);
+     if (index >= limit && !ReservedSlotIndexOK(cx, obj, clasp, index, limit))
+         return false;
+     uint32 slot = JSSLOT_START(clasp) + index;
      if (slot >= JS_INITIAL_NSLOTS && !obj->dslots) {
          /*
-          * At this point, obj may or may not own scope.  If some path calls
+          * At this point, obj may or may not own scope, and we may or may not
-          * js_GetMutableScope but does not add a slot-owning property, then
+          * need to allocate dslots. If scope is shared, scope->freeslot may not
-          * scope->object == obj but obj->dslots will be null. If obj shares a
+          * be accurate for obj (see comment below).
-          * prototype's scope, then we cannot update scope->map here. Instead
-          * we rely on STOBJ_NSLOTS(obj) to get the number of available slots
-          * in obj after we allocate dynamic slots.
-          *
-          * See js_TraceObject, before the slot tracing, where we make a special
-          * case for unmutated (scope->object != obj) objects.
           */
-         clasp = LOCKED_OBJ_GET_CLASS(obj);
+         uint32 nslots = JSSLOT_FREE(clasp);
-         nslots = JSSLOT_FREE(clasp);
          if (clasp->reserveSlots)
              nslots += clasp->reserveSlots(cx, obj);
          JS_ASSERT(slot < nslots);
-         if (!js_ReallocSlots(cx, obj, nslots, JS_TRUE)) {
+         if (!AllocSlots(cx, obj, nslots)) {
-             JS_UNLOCK_SCOPE(cx, scope);
+             JS_UNLOCK_OBJ(cx, obj);
-             return JS_FALSE;
+             return false;
          }
      }
-     /* Whether or not we grew nslots, we may need to advance freeslot. */
+     /*
-     if (scope->object == obj && slot >= scope->freeslot)
+      * Whether or not we grew nslots, we may need to advance freeslot.
+      *
+      * If scope is shared, do not modify scope->freeslot. It is OK for freeslot
+      * to be an underestimate in objects with shared scopes, as they will get
+      * their own scopes before mutating, and elsewhere (e.g. js_TraceObject) we
+      * use STOBJ_NSLOTS(obj) rather than rely on freeslot.
+      */
+     JSScope *scope = OBJ_SCOPE(obj);
+     if (scope->owned() && slot >= scope->freeslot)
          scope->freeslot = slot + 1;
      STOBJ_SET_SLOT(obj, slot, v);
      GC_POKE(cx, JS_NULL);
      JS_UNLOCK_SCOPE(cx, scope);
-     return JS_TRUE;
+     return true;
  }
  JSObject *
-Line 5926
+Line 5861
                           JSMSG_GETTER_ONLY, NULL);
  }
  JS_FRIEND_API(JSBool)
  js_GetterOnlyPropertyStub(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
  {
-Line 5978
+Line 5912
  void