Bug 776159 - Thread more Handles through jsarray; r=sfink

--HG--
extra : rebase_source : 31c8efb209a6f5a58709429cce4cc0675b537847

js/public/Utility.h

@@ -982,7 +982,7 @@ namespace JS {
  * a live integer value.
  */
 
-inline void PoisonPtr(uintptr_t *v)
+inline void PoisonPtr(void *v)
 {
 #if defined(JSGC_ROOT_ANALYSIS) && defined(DEBUG)
     uint8_t *ptr = (uint8_t *) v + 3;

js/src/gc/Root.h

@@ -395,6 +395,12 @@ class SkipRoot
     JS_DECL_USE_GUARD_OBJECT_NOTIFIER
 };
 
+/*
+ * This typedef is to annotate parameters that we have manually verified do not
+ * need rooting, as opposed to parameters that have not yet been considered.
+ */
+typedef JSObject *RawObject;
+
 #ifdef DEBUG
 JS_FRIEND_API(bool) IsRootingUnnecessaryForContext(JSContext *cx);
 JS_FRIEND_API(void) SetRootingUnnecessaryForContext(JSContext *cx, bool value);

js/src/jsapi.cpp

@@ -4580,11 +4580,12 @@ JS_GetArrayLength(JSContext *cx, JSObject *obj, uint32_t *lengthp)
 }
 
 JS_PUBLIC_API(JSBool)
-JS_SetArrayLength(JSContext *cx, JSObject *obj, uint32_t length)
+JS_SetArrayLength(JSContext *cx, JSObject *objArg, uint32_t length)
 {
     AssertHeapIsIdle(cx);
     CHECK_REQUEST(cx);
-    assertSameCompartment(cx, obj);
+    assertSameCompartment(cx, objArg);
+    RootedObject obj(cx, objArg);
     return js_SetLengthProperty(cx, obj, length);
 }
 

js/src/jsarray.cpp

@@ -141,7 +141,6 @@ js_GetLengthProperty(JSContext *cx, JSObject *obj, uint32_t *lengthp)
         return true;
     }
 
-
     return ToUint32(cx, value, (uint32_t *)lengthp);
 }
 
@@ -486,12 +485,11 @@ SetOrDeleteArrayElement(JSContext *cx, HandleObject obj, double index,
 }
 
 JSBool
-js_SetLengthProperty(JSContext *cx, JSObject *objArg, double length)
+js_SetLengthProperty(JSContext *cx, HandleObject obj, double length)
 {
     Value v = NumberValue(length);
 
     /* We don't support read-only array length yet. */
-    Rooted<JSObject*> obj(cx, objArg);
     return obj->setProperty(cx, obj, cx->runtime->atomState.lengthAtom, &v, false);
 }
 
@@ -688,7 +686,7 @@ array_lookupSpecial(JSContext *cx, HandleObject obj, HandleSpecialId sid,
 }
 
 JSBool
-js_GetDenseArrayElementValue(JSContext *cx, JSObject *obj, jsid id, Value *vp)
+js_GetDenseArrayElementValue(JSContext *cx, HandleObject obj, jsid id, Value *vp)
 {
     JS_ASSERT(obj->isDenseArray());
 
@@ -2396,7 +2394,7 @@ array_pop_dense(JSContext *cx, HandleObject obj, CallArgs &args)
         return false;
 
     args.rval() = elt;
-    
+
     // obj may not be a dense array any more, e.g. if the element was a missing
     // and a getter supplied by the prototype modified the object.
     if (obj->isDenseArray()) {
@@ -2406,7 +2404,7 @@ array_pop_dense(JSContext *cx, HandleObject obj, CallArgs &args)
         obj->setArrayLength(cx, index);
         return true;
     }
-    
+
     return js_SetLengthProperty(cx, obj, index);
 }
 
@@ -3661,7 +3659,7 @@ EnsureNewArrayElements(JSContext *cx, JSObject *obj, uint32_t length)
 
 template<bool allocateCapacity>
 static JS_ALWAYS_INLINE JSObject *
-NewArray(JSContext *cx, uint32_t length, JSObject *proto_)
+NewArray(JSContext *cx, uint32_t length, RawObject protoArg)
 {
     gc::AllocKind kind = GuessArrayGCKind(length);
     JS_ASSERT(CanBeFinalizedInBackground(kind, &ArrayClass));
@@ -3685,7 +3683,8 @@ NewArray(JSContext *cx, uint32_t length, JSObject *proto_)
     }
 
     Rooted<GlobalObject*> parent(cx, parent_);
-    RootedObject proto(cx, proto_);
+    RootedObject proto(cx, protoArg);
+    PoisonPtr(reinterpret_cast<uintptr_t *>(protoArg));
 
     if (!proto && !FindProto(cx, &ArrayClass, parent, &proto))
         return NULL;
@@ -3718,25 +3717,19 @@ NewArray(JSContext *cx, uint32_t length, JSObject *proto_)
 }
 
 JSObject * JS_FASTCALL
-NewDenseEmptyArray(JSContext *cx, JSObject *proto)
+NewDenseEmptyArray(JSContext *cx, RawObject proto /* = NULL */)
 {
     return NewArray<false>(cx, 0, proto);
 }
 
 JSObject * JS_FASTCALL
-NewDenseAllocatedArray(JSContext *cx, uint32_t length, JSObject *proto)
+NewDenseAllocatedArray(JSContext *cx, uint32_t length, RawObject proto /* = NULL */)
 {
     return NewArray<true>(cx, length, proto);
 }
 
 JSObject * JS_FASTCALL
-NewDenseAllocatedEmptyArray(JSContext *cx, uint32_t length, JSObject *proto)
-{
-    return NewArray<true>(cx, length, proto);
-}
-
-JSObject * JS_FASTCALL
-NewDenseUnallocatedArray(JSContext *cx, uint32_t length, JSObject *proto)
+NewDenseUnallocatedArray(JSContext *cx, uint32_t length, RawObject proto /* = NULL */)
 {
     return NewArray<false>(cx, length, proto);
 }
@@ -3745,8 +3738,7 @@ NewDenseUnallocatedArray(JSContext *cx, uint32_t length, JSObject *proto)
 JSObject * JS_FASTCALL
 mjit::stubs::NewDenseUnallocatedArray(VMFrame &f, uint32_t length)
 {
-    JSObject *proto = (JSObject *) f.scratch;
-    JSObject *obj = NewArray<false>(f.cx, length, proto);
+    JSObject *obj = NewArray<false>(f.cx, length, (RawObject)f.scratch);
     if (!obj)
         THROWV(NULL);
 
@@ -3755,7 +3747,7 @@ mjit::stubs::NewDenseUnallocatedArray(VMFrame &f, uint32_t length)
 #endif
 
 JSObject *
-NewDenseCopiedArray(JSContext *cx, uint32_t length, const Value *vp, JSObject *proto /* = NULL */)
+NewDenseCopiedArray(JSContext *cx, uint32_t length, const Value *vp, RawObject proto /* = NULL */)
 {
     // XXX vp may be an internal pointer to an object's dense array elements.
     SkipRoot skip(cx, &vp);
@@ -3785,12 +3777,11 @@ NewSlowEmptyArray(JSContext *cx)
     return obj;
 }
 
-}
-
+} // namespace js
 
 #ifdef DEBUG
 JSBool
-js_ArrayInfo(JSContext *cx, unsigned argc, jsval *vp)
+js_ArrayInfo(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     JSObject *array;

js/src/jsarray.h

@@ -50,30 +50,22 @@ namespace js {
 
 /* Create a dense array with no capacity allocated, length set to 0. */
 extern JSObject * JS_FASTCALL
-NewDenseEmptyArray(JSContext *cx, JSObject *proto=NULL);
+NewDenseEmptyArray(JSContext *cx, RawObject proto = NULL);
 
 /* Create a dense array with length and capacity == 'length', initialized length set to 0. */
 extern JSObject * JS_FASTCALL
-NewDenseAllocatedArray(JSContext *cx, uint32_t length, JSObject *proto=NULL);
-
-/*
- * Create a dense array with length, capacity and initialized length == 'length', and filled with holes.
- * This is a kludge, as the tracer doesn't yet track/update initialized length when initializing
- * array elements.
- */
-extern JSObject * JS_FASTCALL
-NewDenseAllocatedEmptyArray(JSContext *cx, uint32_t length, JSObject *proto=NULL);
+NewDenseAllocatedArray(JSContext *cx, uint32_t length, RawObject proto = NULL);
 
 /*
  * Create a dense array with a set length, but without allocating space for the
  * contents. This is useful, e.g., when accepting length from the user.
  */
 extern JSObject * JS_FASTCALL
-NewDenseUnallocatedArray(JSContext *cx, uint32_t length, JSObject *proto=NULL);
+NewDenseUnallocatedArray(JSContext *cx, uint32_t length, RawObject proto = NULL);
 
 /* Create a dense array with a copy of vp. */
 extern JSObject *
-NewDenseCopiedArray(JSContext *cx, uint32_t length, const Value *vp, JSObject *proto = NULL);
+NewDenseCopiedArray(JSContext *cx, uint32_t length, const Value *vp, RawObject proto = NULL);
 
 /* Create a sparse array. */
 extern JSObject *
@@ -85,7 +77,7 @@ extern JSBool
 js_GetLengthProperty(JSContext *cx, JSObject *obj, uint32_t *lengthp);
 
 extern JSBool
-js_SetLengthProperty(JSContext *cx, JSObject *obj, double length);
+js_SetLengthProperty(JSContext *cx, js::HandleObject obj, double length);
 
 namespace js {
 
@@ -126,7 +118,7 @@ array_shift(JSContext *cx, unsigned argc, js::Value *vp);
 
 #ifdef DEBUG
 extern JSBool
-js_ArrayInfo(JSContext *cx, unsigned argc, jsval *vp);
+js_ArrayInfo(JSContext *cx, unsigned argc, js::Value *vp);
 #endif
 
 /*
@@ -146,7 +138,7 @@ js_PrototypeHasIndexedProperties(JSContext *cx, JSObject *obj);
  * Utility to access the value from the id returned by array_lookupProperty.
  */
 JSBool
-js_GetDenseArrayElementValue(JSContext *cx, JSObject *obj, jsid id,
+js_GetDenseArrayElementValue(JSContext *cx, js::HandleObject obj, jsid id,
                              js::Value *vp);
 
 /* Array constructor native. Exposed only so the JIT can know its address. */

js/src/vm/Debugger.cpp

@@ -1757,7 +1757,7 @@ JSBool
 Debugger::getDebuggees(JSContext *cx, unsigned argc, Value *vp)
 {
     THIS_DEBUGGER(cx, argc, vp, "getDebuggees", args, dbg);
-    RootedObject arrobj(cx, NewDenseAllocatedArray(cx, dbg->debuggees.count(), NULL));
+    RootedObject arrobj(cx, NewDenseAllocatedArray(cx, dbg->debuggees.count()));
     if (!arrobj)
         return false;
     arrobj->ensureDenseArrayInitializedLength(cx, 0, dbg->debuggees.count());
@@ -2330,7 +2330,7 @@ Debugger::findScripts(JSContext *cx, unsigned argc, Value *vp)
     if (!query.findScripts(&scripts))
         return false;
 
-    RootedObject result(cx, NewDenseAllocatedArray(cx, scripts.length(), NULL));
+    RootedObject result(cx, NewDenseAllocatedArray(cx, scripts.length()));
     if (!result)
         return false;
 
@@ -3688,7 +3688,7 @@ DebuggerObject_getParameterNames(JSContext *cx, unsigned argc, Value *vp)
     }
 
     RootedFunction fun(cx, obj->toFunction());
-    JSObject *result = NewDenseAllocatedArray(cx, fun->nargs, NULL);
+    JSObject *result = NewDenseAllocatedArray(cx, fun->nargs);
     if (!result)
         return false;
     result->ensureDenseArrayInitializedLength(cx, 0, fun->nargs);