1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* JS Array interface. */
#ifndef builtin_Array_h
#define builtin_Array_h
#include "mozilla/Attributes.h"
#include "vm/JSObject.h"
namespace js {
class ArrayObject;
MOZ_ALWAYS_INLINE bool IdIsIndex(jsid id, uint32_t* indexp) {
if (id.isInt()) {
int32_t i = id.toInt();
MOZ_ASSERT(i >= 0);
*indexp = uint32_t(i);
return true;
}
if (MOZ_UNLIKELY(!id.isAtom())) {
return false;
}
JSAtom* atom = id.toAtom();
return atom->isIndex(indexp);
}
// The methods below only create dense boxed arrays.
// Create a dense array with no capacity allocated, length set to 0, in the
// normal (i.e. non-tenured) heap.
extern ArrayObject* NewDenseEmptyArray(JSContext* cx);
// Create a dense array with no capacity allocated, length set to 0, in the
// tenured heap.
extern ArrayObject* NewTenuredDenseEmptyArray(JSContext* cx);
// Create a dense array with a set length, but without allocating space for the
// contents. This is useful, e.g., when accepting length from the user.
extern ArrayObject* NewDenseUnallocatedArray(
JSContext* cx, uint32_t length, NewObjectKind newKind = GenericObject);
// Create a dense array with length and capacity == 'length', initialized length
// set to 0.
extern ArrayObject* NewDenseFullyAllocatedArray(
JSContext* cx, uint32_t length, NewObjectKind newKind = GenericObject,
gc::AllocSite* site = nullptr);
// Create a dense array with length == 'length', initialized length set to 0,
// and capacity == 'length' clamped to EagerAllocationMaxLength.
extern ArrayObject* NewDensePartlyAllocatedArray(
JSContext* cx, uint32_t length, NewObjectKind newKind = GenericObject);
// Like NewDensePartlyAllocatedArray, but the array will have |proto| as
// prototype (or Array.prototype if |proto| is nullptr).
extern ArrayObject* NewDensePartlyAllocatedArrayWithProto(JSContext* cx,
uint32_t length,
HandleObject proto);
// Create a dense array from the given array values, which must be rooted.
extern ArrayObject* NewDenseCopiedArray(JSContext* cx, uint32_t length,
const Value* values,
NewObjectKind newKind = GenericObject);
// Create a dense array from the given (linear)string values, which must be
// rooted
extern ArrayObject* NewDenseCopiedArray(JSContext* cx, uint32_t length,
JSLinearString** values,
NewObjectKind newKind = GenericObject);
// Like NewDenseCopiedArray, but the array will have |proto| as prototype (or
// Array.prototype if |proto| is nullptr).
extern ArrayObject* NewDenseCopiedArrayWithProto(JSContext* cx, uint32_t length,
const Value* values,
HandleObject proto);
// Create a dense array with the given shape and length.
extern ArrayObject* NewDenseFullyAllocatedArrayWithShape(
JSContext* cx, uint32_t length, Handle<SharedShape*> shape);
extern ArrayObject* NewArrayWithShape(JSContext* cx, uint32_t length,
Handle<Shape*> shape);
extern bool ToLength(JSContext* cx, HandleValue v, uint64_t* out);
extern bool GetLengthProperty(JSContext* cx, HandleObject obj,
uint64_t* lengthp);
extern bool SetLengthProperty(JSContext* cx, HandleObject obj, uint32_t length);
/*
* Copy 'length' elements from aobj to vp.
*
* This function assumes 'length' is effectively the result of calling
* GetLengthProperty on aobj. vp must point to rooted memory.
*/
extern bool GetElements(JSContext* cx, HandleObject aobj, uint32_t length,
js::Value* vp);
/* Natives exposed for optimization by the interpreter and JITs. */
extern bool intrinsic_ArrayNativeSort(JSContext* cx, unsigned argc,
js::Value* vp);
extern bool array_includes(JSContext* cx, unsigned argc, js::Value* vp);
extern bool array_indexOf(JSContext* cx, unsigned argc, js::Value* vp);
extern bool array_lastIndexOf(JSContext* cx, unsigned argc, js::Value* vp);
extern bool array_pop(JSContext* cx, unsigned argc, js::Value* vp);
extern bool array_join(JSContext* cx, unsigned argc, js::Value* vp);
extern void ArrayShiftMoveElements(ArrayObject* arr);
extern JSObject* ArraySliceDense(JSContext* cx, HandleObject obj, int32_t begin,
int32_t end, HandleObject result);
extern JSObject* ArgumentsSliceDense(JSContext* cx, HandleObject obj,
int32_t begin, int32_t end,
HandleObject result);
extern ArrayObject* NewArrayWithNullProto(JSContext* cx);
/*
* Append the given (non-hole) value to the end of an array. The array must be
* a newborn array -- that is, one which has not been exposed to script for
* arbitrary manipulation. (This method optimizes on the assumption that
* extending the array to accommodate the element will never make the array
* sparse, which requires that the array be completely filled.)
*/
extern bool NewbornArrayPush(JSContext* cx, HandleObject obj, const Value& v);
extern ArrayObject* ArrayConstructorOneArg(JSContext* cx,
Handle<ArrayObject*> templateObject,
int32_t lengthInt);
#ifdef DEBUG
extern bool ArrayInfo(JSContext* cx, unsigned argc, Value* vp);
#endif
/* Array constructor native. Exposed only so the JIT can know its address. */
extern bool ArrayConstructor(JSContext* cx, unsigned argc, Value* vp);
// Like Array constructor, but doesn't perform GetPrototypeFromConstructor.
extern bool array_construct(JSContext* cx, unsigned argc, Value* vp);
extern JSString* ArrayToSource(JSContext* cx, HandleObject obj);
extern bool IsCrossRealmArrayConstructor(JSContext* cx, JSObject* obj,
bool* result);
extern bool ObjectMayHaveExtraIndexedOwnProperties(JSObject* obj);
extern bool ObjectMayHaveExtraIndexedProperties(JSObject* obj);
extern bool PrototypeMayHaveIndexedProperties(NativeObject* obj);
// JS::IsArray has multiple overloads, use js::IsArrayFromJit to disambiguate.
extern bool IsArrayFromJit(JSContext* cx, HandleObject obj, bool* isArray);
extern bool ArrayLengthGetter(JSContext* cx, HandleObject obj, HandleId id,
MutableHandleValue vp);
extern bool ArrayLengthSetter(JSContext* cx, HandleObject obj, HandleId id,
HandleValue v, ObjectOpResult& result);
class MOZ_NON_TEMPORARY_CLASS ArraySpeciesLookup final {
/*
* An ArraySpeciesLookup holds the following:
*
* Array.prototype (arrayProto_)
* To ensure that the incoming array has the standard proto.
*
* Array.prototype's shape (arrayProtoShape_)
* To ensure that Array.prototype has not been modified.
*
* Array (arrayConstructor_)
* Array's shape (arrayConstructorShape_)
* To ensure that Array has not been modified.
*
* Array.prototype's slot number for constructor (arrayProtoConstructorSlot_)
* To quickly retrieve and ensure that the Array constructor
* stored in the slot has not changed.
*
* Array's slot number for the @@species getter. (arraySpeciesGetterSlot_)
* Array's canonical value for @@species (canonicalSpeciesFunc_)
* To quickly retrieve and ensure that the @@species getter for Array
* has not changed.
*
* MOZ_INIT_OUTSIDE_CTOR fields below are set in |initialize()|. The
* constructor only initializes a |state_| field, that defines whether the
* other fields are accessible.
*/
// Pointer to canonical Array.prototype and Array.
MOZ_INIT_OUTSIDE_CTOR NativeObject* arrayProto_;
MOZ_INIT_OUTSIDE_CTOR NativeObject* arrayConstructor_;
// Shape of matching Array, and slot containing the @@species property, and
// the canonical value.
MOZ_INIT_OUTSIDE_CTOR Shape* arrayConstructorShape_;
MOZ_INIT_OUTSIDE_CTOR uint32_t arraySpeciesGetterSlot_;
MOZ_INIT_OUTSIDE_CTOR JSFunction* canonicalSpeciesFunc_;
// Shape of matching Array.prototype object, and slot containing the
// constructor for it.
MOZ_INIT_OUTSIDE_CTOR Shape* arrayProtoShape_;
MOZ_INIT_OUTSIDE_CTOR uint32_t arrayProtoConstructorSlot_;
enum class State : uint8_t {
// Flags marking the lazy initialization of the above fields.
Uninitialized,
Initialized,
// The disabled flag is set when we don't want to try optimizing
// anymore because core objects were changed.
Disabled
};
State state_ = State::Uninitialized;
// Initialize the internal fields.
void initialize(JSContext* cx);
// Reset the cache.
void reset();
// Check if the global array-related objects have not been messed with
// in a way that would disable this cache.
bool isArrayStateStillSane();
public:
/** Construct an |ArraySpeciesLookup| in the uninitialized state. */
ArraySpeciesLookup() { reset(); }
// Try to optimize the @@species lookup for an array.
bool tryOptimizeArray(JSContext* cx, ArrayObject* array);
// Purge the cache and all info associated with it.
void purge() {
if (state_ == State::Initialized) {
reset();
}
}
};
} /* namespace js */
#endif /* builtin_Array_h */
|