| author | Tooru Fujisawa <arai_a@mac.com> |
| Wed, 23 Dec 2015 12:46:35 +0900 | |
| changeset 292156 | ae46f7e09a221fa5006e4abd2ba458998328d5c4 |
| parent 292155 | f15991a13732a4d966fad452bfc8f769fb258859 |
| child 292157 | ecb8f8821de2ab318eb4a0d863b5d9c1cd97d70f |
| push id | 74764 |
| push user | arai_a@mac.com |
| push date | Thu, 07 Apr 2016 10:49:15 +0000 |
| treeherder | mozilla-inbound@4d0f975a2311 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | efaust |
| bugs | 1165052 |
| milestone | 48.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| js/src/jsarray.cpp | file | annotate | diff | comparison | revisions | |
| js/src/jsarray.h | file | annotate | diff | comparison | revisions | |
| js/src/vm/SelfHosting.cpp | file | annotate | diff | comparison | revisions |
--- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -31,16 +31,17 @@ #include "js/Class.h" #include "js/Conversions.h" #include "vm/ArgumentsObject.h" #include "vm/Interpreter.h" #include "vm/SelfHosting.h" #include "vm/Shape.h" #include "vm/StringBuffer.h" #include "vm/TypedArrayCommon.h" +#include "vm/WrapperObject.h" #include "jsatominlines.h" #include "vm/ArgumentsObject-inl.h" #include "vm/ArrayObject-inl.h" #include "vm/Interpreter-inl.h" #include "vm/NativeObject-inl.h" #include "vm/Runtime-inl.h" @@ -863,25 +864,51 @@ AddLengthProperty(ExclusiveContext* cx, return NativeObject::addProperty(cx, obj, lengthId, array_length_getter, array_length_setter, SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED | JSPROP_SHADOWABLE, 0, /* allowDictionary = */ false); } static bool -IsArrayConstructor(const Value& v) +IsArrayConstructor(const JSObject* obj) { // This must only return true if v is *the* Array constructor for the // current compartment; we rely on the fact that any other Array // constructor would be represented as a wrapper. - return v.isObject() && - v.toObject().is<JSFunction>() && - v.toObject().as<JSFunction>().isNative() && - v.toObject().as<JSFunction>().native() == ArrayConstructor; + return obj->is<JSFunction>() && + obj->as<JSFunction>().isNative() && + obj->as<JSFunction>().native() == ArrayConstructor; +} + +static bool +IsArrayConstructor(const Value& v) +{ + return v.isObject() && IsArrayConstructor(&v.toObject()); +} + +bool +js::IsWrappedArrayConstructor(JSContext* cx, const Value& v, bool* result) +{ + if (!v.isObject()) { + *result = false; + return true; + } + if (v.toObject().is<WrapperObject>()) { + JSObject* obj = CheckedUnwrap(&v.toObject()); + if (!obj) { + JS_ReportError(cx, "Permission denied to access object"); + return false; + } + + *result = IsArrayConstructor(obj); + } else { + *result = false; + } + return true; } /* static */ bool IsArraySpecies(JSContext* cx, HandleObject origArray) { RootedValue ctor(cx); if (!GetPropertyPure(cx, origArray, NameToId(cx->names().constructor), ctor.address())) return false;
--- a/js/src/jsarray.h +++ b/js/src/jsarray.h @@ -201,11 +201,14 @@ ArrayConstructorOneArg(JSContext* cx, Ha extern bool ArrayInfo(JSContext* cx, unsigned argc, Value* vp); #endif /* Array constructor native. Exposed only so the JIT can know its address. */ extern bool ArrayConstructor(JSContext* cx, unsigned argc, Value* vp); +extern bool +IsWrappedArrayConstructor(JSContext* cx, const Value& v, bool* result); + } /* namespace js */ #endif /* jsarray_h */
--- a/js/src/vm/SelfHosting.cpp +++ b/js/src/vm/SelfHosting.cpp @@ -104,16 +104,27 @@ intrinsic_IsArray(JSContext* cx, unsigne args.rval().setBoolean(isArray); } else { args.rval().setBoolean(false); } return true; } static bool +intrinsic_IsWrappedArrayConstructor(JSContext* cx, unsigned argc, Value* vp) +{ + CallArgs args = CallArgsFromVp(argc, vp); + bool result = false; + if (!IsWrappedArrayConstructor(cx, args[0], &result)) + return false; + args.rval().setBoolean(result); + return true; +} + +static bool intrinsic_ToInteger(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); double result; if (!ToInteger(cx, args[0], &result)) return false; args.rval().setNumber(result); return true; @@ -2116,16 +2127,17 @@ static const JSFunctionSpec intrinsic_fu JS_FN("std_SIMD_Bool16x8_extractLane", simd_bool16x8_extractLane, 2,0), JS_FN("std_SIMD_Bool32x4_extractLane", simd_bool32x4_extractLane, 2,0), JS_FN("std_SIMD_Bool64x2_extractLane", simd_bool64x2_extractLane, 2,0), // Helper funtions after this point. JS_INLINABLE_FN("ToObject", intrinsic_ToObject, 1,0, IntrinsicToObject), JS_INLINABLE_FN("IsObject", intrinsic_IsObject, 1,0, IntrinsicIsObject), JS_INLINABLE_FN("IsArray", intrinsic_IsArray, 1,0, ArrayIsArray), + JS_FN("IsWrappedArrayConstructor", intrinsic_IsWrappedArrayConstructor, 1,0), JS_INLINABLE_FN("ToInteger", intrinsic_ToInteger, 1,0, IntrinsicToInteger), JS_INLINABLE_FN("ToString", intrinsic_ToString, 1,0, IntrinsicToString), JS_FN("ToPropertyKey", intrinsic_ToPropertyKey, 1,0), JS_INLINABLE_FN("IsCallable", intrinsic_IsCallable, 1,0, IntrinsicIsCallable), JS_FN("IsConstructor", intrinsic_IsConstructor, 1,0), JS_FN("GetBuiltinConstructorImpl", intrinsic_GetBuiltinConstructor, 1,0), JS_FN("MakeConstructible", intrinsic_MakeConstructible, 2,0), JS_FN("_ConstructFunction", intrinsic_ConstructFunction, 2,0),