Bug 647425 - Don't try to use js_PrototypeHasIndexedProperties in GetElements; its wrong for arguments objects (r=waldo)

2011-04-07 20:35:02 -07:00
parent 095f56c223
commit e7702c5ac5
7 changed files with 146 additions and 36 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -400,6 +400,19 @@ GetElement(JSContext *cx, JSObject *obj, jsdouble index, JSBool *hole, Value *vp

 namespace js {

+struct STATIC_SKIP_INFERENCE CopyNonHoleArgsTo
+{
+    CopyNonHoleArgsTo(JSObject *aobj, Value *dst) : aobj(aobj), dst(dst) {}
+    JSObject *aobj;
+    Value *dst;
+    bool operator()(uintN argi, Value *src) {
+        if (aobj->getArgsElement(argi).isMagic(JS_ARGS_HOLE))
+            return false;
+        *dst++ = *src;
+        return true;
+    }
+};
+
 bool
 GetElements(JSContext *cx, JSObject *aobj, jsuint length, Value *vp)
 {
@@ -413,21 +426,28 @@ GetElements(JSContext *cx, JSObject *aobj, jsuint length, Value *vp)
    } else if (aobj->isArguments() && !aobj->isArgsLengthOverridden() &&
               !js_PrototypeHasIndexedProperties(cx, aobj)) {
        /*
-         * Two cases, two loops: note how in the case of an active stack frame
-         * backing aobj, even though we copy from fp->argv, we still must check
-         * aobj->getArgsElement(i) for a hole, to handle a delete on the
-         * corresponding arguments element. See args_delProperty.
+         * If the argsobj is for an active call, then the elements are the
+         * live args on the stack. Otherwise, the elements are the args that
+         * were copied into the argsobj by PutActivationObjects when the
+         * function returned. In both cases, it is necessary to fall off the
+         * fast path for deleted properties (MagicValue(JS_ARGS_HOLE) since
+         * this requires general-purpose property lookup.
         */
        if (JSStackFrame *fp = (JSStackFrame *) aobj->getPrivate()) {
            JS_ASSERT(fp->numActualArgs() <= JS_ARGS_LENGTH_MAX);
-            fp->forEachCanonicalActualArg(CopyNonHoleArgsTo(aobj, vp));
+            if (!fp->forEachCanonicalActualArg(CopyNonHoleArgsTo(aobj, vp)))
+                goto found_deleted_prop;
        } else {
            Value *srcbeg = aobj->getArgsElements();
            Value *srcend = srcbeg + length;
-            for (Value *dst = vp, *src = srcbeg; src < srcend; ++dst, ++src)
-                *dst = src->isMagic(JS_ARGS_HOLE) ? UndefinedValue() : *src;
+            for (Value *dst = vp, *src = srcbeg; src < srcend; ++dst, ++src) {
+                if (src->isMagic(JS_ARGS_HOLE))
+                    goto found_deleted_prop;
+                *dst = *src;
+            }
        }
    } else {
+      found_deleted_prop:
        for (uintN i = 0; i < length; i++) {
            if (!aobj->getProperty(cx, INT_TO_JSID(jsint(i)), &vp[i]))
                return JS_FALSE;