Bug 1348099 - Binary search property id when resolve DOM Xrays own property. draft
authorTing-Yu Chou <janus926@gmail.com>
Mon, 12 Jun 2017 12:13:38 +0800
changeset 598064 b5597c22cf230855ee25d6d025442127c7a008fd
parent 597026 416c3c8c4b3db9ba96a103ce7820c9a140a3051d
child 634404 96a54c57fd7592c3c03a6c6b43e2b9f25048232c
push id65126
push userbmo:janus926@gmail.com
push dateWed, 21 Jun 2017 10:37:59 +0000
bugs1348099
milestone56.0a1
Bug 1348099 - Binary search property id when resolve DOM Xrays own property. Currently we resolve a property by iterating every prefable and check whether it is enabled. If it is, we linear search the ids that it manages. This patch changes that to binary searching to find whether the id being resolved is present first, and checking whether its prefable is enabled only when we find it. This improves the performance of property resolution, especially when the property is not present. The patch stores all the property ids a NativePropertiesN owns in a single array of PropertyInfo structs. Each struct contains an id and the information needed to find the corresponding Prefable for the enabled check, as well as the information needed to find the correct property descriptor in the Prefable. We also store an array of indices into the PropertyInfo array, sorted by bits of the corresponding jsid. Given a jsid, this allows us to binary search for the index of the corresponding PropertyInfo, if any. The index array requires 2 bytes for each property, which is ~20k across all our bindings. The extra information stored in each PropertyInfo requires 4 bytes for each property, which is about 40k across all our bindings in 32-bit builds, or 80k in 64-bit builds due to alignment requirements on PropertyInfo. However we save a bit of memory from changing NativePropertiesN's trios to duos. The array of unsorted ids is kept because XrayOwnPropertyKeys() includes only properties that are enabled. Without it, we will need to check every single property to know whether its prefable is enabled or not, which is inefficient. With this patch, initializing property ids takes longer because of the sorting. I measured also insertion sort because I thought the ids should be nearly sorted as they are generated sequentially at run time, but that's not the case and NS_QuickSort() runs faster. MozReview-Commit-ID: Lc4Z1ui3t0o
dom/bindings/BindingUtils.cpp
dom/bindings/BindingUtils.h
dom/bindings/Codegen.py
dom/bindings/DOMJSClass.h
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -1128,16 +1128,97 @@ VariantToJsval(JSContext* aCx, nsIVarian
       Throw(aCx, NS_FAILED(rv) ? rv : NS_ERROR_UNEXPECTED);
     }
     return false;
   }
 
   return true;
 }
 
+static int
+CompareIdsAtIndices(const void* aElement1, const void* aElement2, void* aClosure)
+{
+  const uint16_t index1 = *static_cast<const uint16_t*>(aElement1);
+  const uint16_t index2 = *static_cast<const uint16_t*>(aElement2);
+  const PropertyInfo* ids = static_cast<PropertyInfo*>(aClosure);
+
+  MOZ_ASSERT(JSID_BITS(ids[index1].id) != JSID_BITS(ids[index2].id));
+
+  return JSID_BITS(ids[index1].id) < JSID_BITS(ids[index2].id) ? -1 : 1;
+}
+
+template <typename SpecT>
+static bool
+InitIdsInternal(JSContext* cx, const Prefable<SpecT>* pref, PropertyInfo* ids,
+                PropertyType type)
+{
+  MOZ_ASSERT(pref);
+  MOZ_ASSERT(pref->specs);
+
+  // The index into pref.
+  uint32_t prefIndex = 0;
+
+  do {
+    // We ignore whether the set of ids is enabled and just intern all the IDs,
+    // because this is only done once per application runtime.
+    const SpecT* spec = pref->specs;
+    // The index into spec.
+    uint32_t specIndex = 0;
+    do {
+      if (!JS::PropertySpecNameToPermanentId(cx, spec->name, &ids->id)) {
+        return false;
+      }
+      ids->type = type;
+      ids->prefIndex = prefIndex;
+      ids->specIndex = specIndex++;
+      ++ids;
+    } while ((++spec)->name);
+    ++prefIndex;
+  } while ((++pref)->specs);
+
+  return true;
+}
+
+#define INIT_IDS_IF_DEFINED(TypeName) {                                       \
+  if (nativeProperties->Has##TypeName##s() &&                                 \
+      !InitIdsInternal(cx,                                                    \
+                       nativeProperties->TypeName##s(),                       \
+                       nativeProperties->TypeName##Ids(),                     \
+                       e##TypeName)) {                                        \
+    return false;                                                             \
+  }                                                                           \
+}
+
+bool
+InitIds(JSContext* cx, const NativeProperties* nativeProperties)
+{
+  INIT_IDS_IF_DEFINED(StaticMethod);
+  INIT_IDS_IF_DEFINED(StaticAttribute);
+  INIT_IDS_IF_DEFINED(Method);
+  INIT_IDS_IF_DEFINED(Attribute);
+  INIT_IDS_IF_DEFINED(UnforgeableMethod);
+  INIT_IDS_IF_DEFINED(UnforgeableAttribute);
+  INIT_IDS_IF_DEFINED(Constant);
+
+  // Initialize and sort the index array.
+  uint16_t* indices = nativeProperties->sortedPropertyIndices;
+  for (unsigned int i = 0; i < nativeProperties->idsLength; ++i) {
+    indices[i] = i;
+  }
+  // CompareIdsAtIndices() doesn't actually modify the PropertyInfo array, which
+  // the const_cast here is OK in spite of the signature of NS_QuickSort().
+  NS_QuickSort(indices, nativeProperties->idsLength, sizeof(uint16_t),
+               CompareIdsAtIndices,
+               const_cast<PropertyInfo*>(nativeProperties->PropertyInfos()));
+
+  return true;
+}
+
+#undef INIT_IDS_IF_DEFINED
+
 bool
 QueryInterface(JSContext* cx, unsigned argc, JS::Value* vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JS::Rooted<JS::Value> thisv(cx, JS_THIS(cx, vp));
   if (thisv.isNull())
     return false;
 
@@ -1287,256 +1368,189 @@ XrayCreateFunction(JSContext* cx, JS::Ha
                                 JS::ObjectValue(*obj));
 #endif
   return obj;
 }
 
 static bool
 XrayResolveAttribute(JSContext* cx, JS::Handle<JSObject*> wrapper,
                      JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
-                     const Prefable<const JSPropertySpec>* attributes,
-                     const jsid* attributeIds,
-                     const JSPropertySpec* attributeSpecs,
+                     const Prefable<const JSPropertySpec>& pref,
+                     const JSPropertySpec& attrSpec,
                      JS::MutableHandle<JS::PropertyDescriptor> desc,
                      bool& cacheOnHolder)
 {
-  for (; attributes->specs; ++attributes) {
-    if (attributes->isEnabled(cx, obj)) {
-      // Set i to be the index into our full list of ids/specs that we're
-      // looking at now.
-      size_t i = attributes->specs - attributeSpecs;
-      for ( ; attributeIds[i] != JSID_VOID; ++i) {
-        if (id == attributeIds[i]) {
-          cacheOnHolder = true;
-
-          const JSPropertySpec& attrSpec = attributeSpecs[i];
-          // Because of centralization, we need to make sure we fault in the
-          // JitInfos as well. At present, until the JSAPI changes, the easiest
-          // way to do this is wrap them up as functions ourselves.
-          desc.setAttributes(attrSpec.flags);
-          // They all have getters, so we can just make it.
-          JS::Rooted<JSObject*> funobj(cx,
-            XrayCreateFunction(cx, wrapper, attrSpec.accessors.getter.native, 0, id));
-          if (!funobj)
-            return false;
-          desc.setGetterObject(funobj);
-          desc.attributesRef() |= JSPROP_GETTER;
-          if (attrSpec.accessors.setter.native.op) {
-            // We have a setter! Make it.
-            funobj =
-              XrayCreateFunction(cx, wrapper, attrSpec.accessors.setter.native, 1, id);
-            if (!funobj)
-              return false;
-            desc.setSetterObject(funobj);
-            desc.attributesRef() |= JSPROP_SETTER;
-          } else {
-            desc.setSetter(nullptr);
-          }
-          desc.object().set(wrapper);
-          desc.value().setUndefined();
-          return true;
-        }
-      }
-    }
+  if (!pref.isEnabled(cx, obj)) {
+    return true;
   }
+
+  cacheOnHolder = true;
+
+  // Because of centralization, we need to make sure we fault in the JitInfos as
+  // well. At present, until the JSAPI changes, the easiest way to do this is
+  // wrap them up as functions ourselves.
+  desc.setAttributes(attrSpec.flags);
+  // They all have getters, so we can just make it.
+  JS::Rooted<JSObject*> funobj(cx,
+    XrayCreateFunction(cx, wrapper, attrSpec.accessors.getter.native, 0, id));
+  if (!funobj)
+    return false;
+  desc.setGetterObject(funobj);
+  desc.attributesRef() |= JSPROP_GETTER;
+  if (attrSpec.accessors.setter.native.op) {
+    // We have a setter! Make it.
+    funobj =
+      XrayCreateFunction(cx, wrapper, attrSpec.accessors.setter.native, 1, id);
+    if (!funobj)
+      return false;
+    desc.setSetterObject(funobj);
+    desc.attributesRef() |= JSPROP_SETTER;
+  } else {
+    desc.setSetter(nullptr);
+  }
+  desc.object().set(wrapper);
+  desc.value().setUndefined();
+
   return true;
 }
 
 static bool
 XrayResolveMethod(JSContext* cx, JS::Handle<JSObject*> wrapper,
                   JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
-                  const Prefable<const JSFunctionSpec>* methods,
-                  const jsid* methodIds,
-                  const JSFunctionSpec* methodSpecs,
+                  const Prefable<const JSFunctionSpec>& pref,
+                  const JSFunctionSpec& methodSpec,
                   JS::MutableHandle<JS::PropertyDescriptor> desc,
                   bool& cacheOnHolder)
 {
-  const Prefable<const JSFunctionSpec>* method;
-  for (method = methods; method->specs; ++method) {
-    if (method->isEnabled(cx, obj)) {
-      // Set i to be the index into our full list of ids/specs that we're
-      // looking at now.
-      size_t i = method->specs - methodSpecs;
-      for ( ; methodIds[i] != JSID_VOID; ++i) {
-        if (id == methodIds[i]) {
-          cacheOnHolder = true;
-
-          const JSFunctionSpec& methodSpec = methodSpecs[i];
-          JSObject *funobj;
-          if (methodSpec.selfHostedName) {
-            JSFunction* fun =
-              JS::GetSelfHostedFunction(cx, methodSpec.selfHostedName, id,
-                                        methodSpec.nargs);
-            if (!fun) {
-              return false;
-            }
-            MOZ_ASSERT(!methodSpec.call.op, "Bad FunctionSpec declaration: non-null native");
-            MOZ_ASSERT(!methodSpec.call.info, "Bad FunctionSpec declaration: non-null jitinfo");
-            funobj = JS_GetFunctionObject(fun);
-          } else {
-            funobj = XrayCreateFunction(cx, wrapper, methodSpec.call,
-                                        methodSpec.nargs, id);
-            if (!funobj) {
-              return false;
-            }
-          }
-          desc.value().setObject(*funobj);
-          desc.setAttributes(methodSpec.flags);
-          desc.object().set(wrapper);
-          desc.setSetter(nullptr);
-          desc.setGetter(nullptr);
-          return true;
-        }
-      }
+  if (!pref.isEnabled(cx, obj)) {
+    return true;
+  }
+
+  cacheOnHolder = true;
+
+  JSObject *funobj;
+  if (methodSpec.selfHostedName) {
+    JSFunction* fun =
+      JS::GetSelfHostedFunction(cx, methodSpec.selfHostedName, id,
+                                methodSpec.nargs);
+    if (!fun) {
+      return false;
+    }
+    MOZ_ASSERT(!methodSpec.call.op, "Bad FunctionSpec declaration: non-null native");
+    MOZ_ASSERT(!methodSpec.call.info, "Bad FunctionSpec declaration: non-null jitinfo");
+    funobj = JS_GetFunctionObject(fun);
+  } else {
+    funobj = XrayCreateFunction(cx, wrapper, methodSpec.call,
+                                methodSpec.nargs, id);
+    if (!funobj) {
+      return false;
     }
   }
-  return true;
-}
-
-// Try to resolve a property as an unforgeable property from the given
-// NativeProperties, if it's there.  nativeProperties is allowed to be null (in
-// which case we of course won't resolve anything).
-static bool
-XrayResolveUnforgeableProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
-                               JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
-                               JS::MutableHandle<JS::PropertyDescriptor> desc,
-                               bool& cacheOnHolder,
-                               const NativeProperties* nativeProperties)
-{
-  if (!nativeProperties) {
-    return true;
-  }
-
-  if (nativeProperties->HasUnforgeableAttributes()) {
-    if (!XrayResolveAttribute(cx, wrapper, obj, id,
-                              nativeProperties->UnforgeableAttributes(),
-                              nativeProperties->UnforgeableAttributeIds(),
-                              nativeProperties->UnforgeableAttributeSpecs(),
-                              desc, cacheOnHolder)) {
-      return false;
-    }
-
-    if (desc.object()) {
-      return true;
-    }
-  }
-
-  if (nativeProperties->HasUnforgeableMethods()) {
-    if (!XrayResolveMethod(cx, wrapper, obj, id,
-                           nativeProperties->UnforgeableMethods(),
-                           nativeProperties->UnforgeableMethodIds(),
-                           nativeProperties->UnforgeableMethodSpecs(),
-                           desc, cacheOnHolder)) {
-      return false;
-    }
-
-    if (desc.object()) {
-      return true;
-    }
-  }
+  desc.value().setObject(*funobj);
+  desc.setAttributes(methodSpec.flags);
+  desc.object().set(wrapper);
+  desc.setSetter(nullptr);
+  desc.setGetter(nullptr);
 
   return true;
 }
 
 static bool
+XrayResolveConstant(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                    JS::Handle<JSObject*> obj, JS::Handle<jsid>,
+                    const Prefable<const ConstantSpec>& pref,
+                    const ConstantSpec& constantSpec,
+                    JS::MutableHandle<JS::PropertyDescriptor> desc,
+                    bool& cacheOnHolder)
+{
+  if (!pref.isEnabled(cx, obj)) {
+    return true;
+  }
+
+  cacheOnHolder = true;
+
+  desc.setAttributes(JSPROP_ENUMERATE | JSPROP_READONLY | JSPROP_PERMANENT);
+  desc.object().set(wrapper);
+  desc.value().set(constantSpec.value);
+
+  return true;
+}
+
+struct IdToIndexComparator
+{
+  // The id we're searching for.
+  const jsid& mId;
+  // The list of ids we're searching in.
+  const PropertyInfo* mIds;
+
+  explicit IdToIndexComparator(const jsid& aId, const PropertyInfo* aIds) :
+    mId(aId), mIds(aIds) {}
+  int operator()(const uint16_t aIndex) const {
+    if (JSID_BITS(mId) == JSID_BITS(mIds[aIndex].id)) {
+      return 0;
+    }
+    return JSID_BITS(mId) < JSID_BITS(mIds[aIndex].id) ? -1 : 1;
+  }
+};
+
+#define RESOLVE_CASE(PropType, SpecType, Resolver)                            \
+  case e##PropType: {                                                         \
+    MOZ_ASSERT(nativeProperties->Has##PropType##s());                         \
+    const Prefable<const SpecType>& pref =                                    \
+      nativeProperties->PropType##s()[found.prefIndex];                       \
+    return Resolver(cx, wrapper, obj, id, pref, pref.specs[found.specIndex],  \
+                    desc, cacheOnHolder);                                     \
+  }
+
+static bool
 XrayResolveProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
                     JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
                     JS::MutableHandle<JS::PropertyDescriptor> desc,
                     bool& cacheOnHolder, DOMObjectType type,
                     const NativeProperties* nativeProperties)
 {
-  bool hasMethods = false;
-  if (type == eInterface) {
-    hasMethods = nativeProperties->HasStaticMethods();
-  } else {
-    hasMethods = nativeProperties->HasMethods();
-  }
-  if (hasMethods) {
-    const Prefable<const JSFunctionSpec>* methods;
-    const jsid* methodIds;
-    const JSFunctionSpec* methodSpecs;
-    if (type == eInterface) {
-      methods = nativeProperties->StaticMethods();
-      methodIds = nativeProperties->StaticMethodIds();
-      methodSpecs = nativeProperties->StaticMethodSpecs();
-    } else {
-      methods = nativeProperties->Methods();
-      methodIds = nativeProperties->MethodIds();
-      methodSpecs = nativeProperties->MethodSpecs();
-    }
-    JS::Rooted<jsid> methodId(cx);
-    if (nativeProperties->iteratorAliasMethodIndex != -1 &&
-        id == SYMBOL_TO_JSID(
-                JS::GetWellKnownSymbol(cx, JS::SymbolCode::iterator))) {
-      methodId =
-        nativeProperties->MethodIds()[nativeProperties->iteratorAliasMethodIndex];
-    } else {
-      methodId = id;
-    }
-    if (!XrayResolveMethod(cx, wrapper, obj, methodId, methods, methodIds,
-                           methodSpecs, desc, cacheOnHolder)) {
-      return false;
-    }
-    if (desc.object()) {
-      return true;
-    }
+  if (MOZ_UNLIKELY(nativeProperties->iteratorAliasMethodIndex >= 0) &&
+      id == SYMBOL_TO_JSID(JS::GetWellKnownSymbol(cx, JS::SymbolCode::iterator))) {
+    const Prefable<const JSFunctionSpec>* pref = nativeProperties->Methods();
+    const JSFunctionSpec* spec = pref->specs +
+                                 nativeProperties->iteratorAliasMethodIndex;
+
+    // Iterate to the prefable for the iterator method spec.
+    do {
+      if (pref->specs > spec) {
+          break;
+      }
+    } while ((++pref)->specs);
+    return XrayResolveMethod(cx, wrapper, obj, id, *--pref, *spec, desc,
+                             cacheOnHolder);
   }
 
-  if (type == eInterface) {
-    if (nativeProperties->HasStaticAttributes()) {
-      if (!XrayResolveAttribute(cx, wrapper, obj, id,
-                                nativeProperties->StaticAttributes(),
-                                nativeProperties->StaticAttributeIds(),
-                                nativeProperties->StaticAttributeSpecs(),
-                                desc, cacheOnHolder)) {
-        return false;
-      }
-      if (desc.object()) {
-        return true;
-      }
-    }
-  } else {
-    if (nativeProperties->HasAttributes()) {
-      if (!XrayResolveAttribute(cx, wrapper, obj, id,
-                                nativeProperties->Attributes(),
-                                nativeProperties->AttributeIds(),
-                                nativeProperties->AttributeSpecs(),
-                                desc, cacheOnHolder)) {
-        return false;
-      }
-      if (desc.object()) {
-        return true;
-      }
-    }
-  }
-
-  if (nativeProperties->HasConstants()) {
-    const Prefable<const ConstantSpec>* constant;
-    for (constant = nativeProperties->Constants(); constant->specs; ++constant) {
-      if (constant->isEnabled(cx, obj)) {
-        // Set i to be the index into our full list of ids/specs that we're
-        // looking at now.
-        size_t i = constant->specs - nativeProperties->ConstantSpecs();
-        for ( ; nativeProperties->ConstantIds()[i] != JSID_VOID; ++i) {
-          if (id == nativeProperties->ConstantIds()[i]) {
-            cacheOnHolder = true;
-
-            desc.setAttributes(JSPROP_ENUMERATE | JSPROP_READONLY | JSPROP_PERMANENT);
-            desc.object().set(wrapper);
-            desc.value().set(nativeProperties->ConstantSpecs()[i].value);
-            return true;
-          }
-        }
-      }
+  size_t idx;
+  const PropertyInfo* propertyInfos = nativeProperties->PropertyInfos();
+
+  if (BinarySearchIf(nativeProperties->sortedPropertyIndices, 0,
+                     nativeProperties->idsLength,
+                     IdToIndexComparator(id, propertyInfos), &idx)) {
+    const PropertyInfo& found = propertyInfos[nativeProperties->sortedPropertyIndices[idx]];
+    switch (found.type) {
+    RESOLVE_CASE(StaticMethod, JSFunctionSpec, XrayResolveMethod)
+    RESOLVE_CASE(StaticAttribute, JSPropertySpec, XrayResolveAttribute)
+    RESOLVE_CASE(Method, JSFunctionSpec, XrayResolveMethod)
+    RESOLVE_CASE(Attribute, JSPropertySpec, XrayResolveAttribute)
+    RESOLVE_CASE(UnforgeableMethod, JSFunctionSpec, XrayResolveMethod)
+    RESOLVE_CASE(UnforgeableAttribute, JSPropertySpec, XrayResolveAttribute)
+    RESOLVE_CASE(Constant, ConstantSpec, XrayResolveConstant)
     }
   }
 
   return true;
 }
 
+#undef RESOLVE_CASE
+
 static bool
 ResolvePrototypeOrConstructor(JSContext* cx, JS::Handle<JSObject*> wrapper,
                               JS::Handle<JSObject*> obj,
                               size_t protoAndIfaceCacheIndex, unsigned attrs,
                               JS::MutableHandle<JS::PropertyDescriptor> desc,
                               bool& cacheOnHolder)
 {
   JS::Rooted<JSObject*> global(cx, js::GetGlobalForObjectCrossCompartment(obj));
@@ -1617,34 +1631,32 @@ XrayResolveOwnProperty(JSContext* cx, JS
   ResolveOwnProperty resolveOwnProperty =
     nativePropertyHooks->mResolveOwnProperty;
 
   if (type == eNamedPropertiesObject) {
     // None of these should be cached on the holder, since they're dynamic.
     return resolveOwnProperty(cx, wrapper, obj, id, desc);
   }
 
-  // Check for unforgeable properties first.
-  if (IsInstance(type)) {
-    const NativePropertiesHolder& nativeProperties =
-      nativePropertyHooks->mNativeProperties;
-    if (!XrayResolveUnforgeableProperty(cx, wrapper, obj, id, desc, cacheOnHolder,
-                                        nativeProperties.regular)) {
-      return false;
-    }
-
-    if (!desc.object() && xpc::AccessCheck::isChrome(wrapper) &&
-        !XrayResolveUnforgeableProperty(cx, wrapper, obj, id, desc, cacheOnHolder,
-                                        nativeProperties.chromeOnly)) {
-      return false;
-    }
-
-    if (desc.object()) {
-      return true;
-    }
+  if (nativeProperties.regular &&
+      !XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type,
+                           nativeProperties.regular)) {
+    return false;
+  }
+
+  if (!desc.object() &&
+      nativeProperties.chromeOnly &&
+      xpc::AccessCheck::isChrome(js::GetObjectCompartment(wrapper)) &&
+      !XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type,
+                           nativeProperties.chromeOnly)) {
+    return false;
+  }
+
+  if (desc.object()) {
+    return true;
   }
 
   if (IsInstance(type)) {
     if (resolveOwnProperty) {
       if (!resolveOwnProperty(cx, wrapper, obj, id, desc)) {
         return false;
       }
 
@@ -1729,30 +1741,16 @@ XrayResolveOwnProperty(JSContext* cx, JS
 
     // The properties for globals live on the instance, so return here as there
     // are no properties on their interface prototype object.
     if (type == eGlobalInterfacePrototype) {
       return true;
     }
   }
 
-  if (nativeProperties.regular &&
-      !XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type,
-                           nativeProperties.regular)) {
-    return false;
-  }
-
-  if (!desc.object() &&
-      nativeProperties.chromeOnly &&
-      xpc::AccessCheck::isChrome(js::GetObjectCompartment(wrapper)) &&
-      !XrayResolveProperty(cx, wrapper, obj, id, desc, cacheOnHolder, type,
-                           nativeProperties.chromeOnly)) {
-    return false;
-  }
-
   return true;
 }
 
 bool
 XrayDefineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
                    JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
                    JS::Handle<JS::PropertyDescriptor> desc,
                    JS::ObjectOpResult &result, bool *defined)
@@ -1761,53 +1759,85 @@ XrayDefineProperty(JSContext* cx, JS::Ha
     return true;
 
   const DOMProxyHandler* handler = GetDOMProxyHandler(obj);
   return handler->defineProperty(cx, wrapper, id, desc, result, defined);
 }
 
 template<typename SpecType>
 bool
-XrayAttributeOrMethodKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
-                          JS::Handle<JSObject*> obj,
-                          const Prefable<const SpecType>* list,
-                          const jsid* ids, const SpecType* specList,
-                          unsigned flags, JS::AutoIdVector& props)
+XrayAppendPropertyKeys(JSContext* cx, JS::Handle<JSObject*> obj,
+                       const Prefable<const SpecType>* pref,
+                       const PropertyInfo* ids, unsigned flags,
+                       JS::AutoIdVector& props)
 {
-  for (; list->specs; ++list) {
-    if (list->isEnabled(cx, obj)) {
-      // Set i to be the index into our full list of ids/specs that we're
-      // looking at now.
-      size_t i = list->specs - specList;
-      for ( ; ids[i] != JSID_VOID; ++i) {
-        // Skip non-enumerable properties and symbol-keyed properties unless
-        // they are specially requested via flags.
+  do {
+    bool prefIsEnabled = pref->isEnabled(cx, obj);
+    if (prefIsEnabled) {
+      const SpecType* spec = pref->specs;
+      do {
+        const jsid& id = ids++->id;
         if (((flags & JSITER_HIDDEN) ||
-             (specList[i].flags & JSPROP_ENUMERATE)) &&
-            ((flags & JSITER_SYMBOLS) || !JSID_IS_SYMBOL(ids[i])) &&
-            !props.append(ids[i])) {
+             (spec->flags & JSPROP_ENUMERATE)) &&
+            ((flags & JSITER_SYMBOLS) || !JSID_IS_SYMBOL(id)) &&
+            !props.append(id)) {
           return false;
         }
-      }
+      } while ((++spec)->name);
+    }
+    // Break if we have reached the end of pref.
+    if (!(++pref)->specs) {
+      break;
     }
-  }
+    // Advance ids if the previous pref is disabled.
+    if (!prefIsEnabled) {
+      ids += pref->specs - (pref - 1)->specs - 1;
+    }
+  } while (1);
+
   return true;
 }
 
-#define ADD_KEYS_IF_DEFINED(FieldName) {                                      \
-  if (nativeProperties->Has##FieldName##s() &&                                \
-      !XrayAttributeOrMethodKeys(cx, wrapper, obj,                            \
-                                 nativeProperties->FieldName##s(),            \
-                                 nativeProperties->FieldName##Ids(),          \
-                                 nativeProperties->FieldName##Specs(),        \
-                                 flags, props)) {                             \
-    return false;                                                             \
-  }                                                                           \
+template<>
+bool
+XrayAppendPropertyKeys<ConstantSpec>(JSContext* cx, JS::Handle<JSObject*> obj,
+                                     const Prefable<const ConstantSpec>* pref,
+                                     const PropertyInfo* ids, unsigned flags,
+                                     JS::AutoIdVector& props)
+{
+  do {
+    bool prefIsEnabled = pref->isEnabled(cx, obj);
+    if (prefIsEnabled) {
+      const ConstantSpec* spec = pref->specs;
+      do {
+        if (!props.append(ids++->id)) {
+          return false;
+        }
+      } while ((++spec)->name);
+    }
+    if (!(++pref)->specs) {
+      break;
+    }
+    if (!prefIsEnabled) {
+      ids += pref->specs - (pref - 1)->specs - 1;
+    }
+  } while (1);
+
+  return true;
 }
 
+#define ADD_KEYS_IF_DEFINED(FieldName) {                                        \
+  if (nativeProperties->Has##FieldName##s() &&                                  \
+      !XrayAppendPropertyKeys(cx, obj,                                          \
+                              nativeProperties->FieldName##s(),                 \
+                              nativeProperties->FieldName##Ids(),               \
+                              flags, props)) {                                  \
+    return false;                                                               \
+  }                                                                             \
+}
 
 bool
 XrayOwnPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
                     JS::Handle<JSObject*> obj,
                     unsigned flags, JS::AutoIdVector& props,
                     DOMObjectType type,
                     const NativeProperties* nativeProperties)
 {
@@ -1823,32 +1853,17 @@ XrayOwnPropertyKeys(JSContext* cx, JS::H
   } else if (type == eInterface) {
     ADD_KEYS_IF_DEFINED(StaticMethod);
     ADD_KEYS_IF_DEFINED(StaticAttribute);
   } else if (type != eGlobalInterfacePrototype) {
     MOZ_ASSERT(IsInterfacePrototype(type));
     ADD_KEYS_IF_DEFINED(Method);
     ADD_KEYS_IF_DEFINED(Attribute);
   }
-
-  if (nativeProperties->HasConstants()) {
-    const Prefable<const ConstantSpec>* constant;
-    for (constant = nativeProperties->Constants(); constant->specs; ++constant) {
-      if (constant->isEnabled(cx, obj)) {
-        // Set i to be the index into our full list of ids/specs that we're
-        // looking at now.
-        size_t i = constant->specs - nativeProperties->ConstantSpecs();
-        for ( ; nativeProperties->ConstantIds()[i] != JSID_VOID; ++i) {
-          if (!props.append(nativeProperties->ConstantIds()[i])) {
-            return false;
-          }
-        }
-      }
-    }
-  }
+  ADD_KEYS_IF_DEFINED(Constant);
 
   return true;
 }
 
 #undef ADD_KEYS_IF_DEFINED
 
 bool
 XrayOwnNativePropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -1773,41 +1773,18 @@ AtomizeAndPinJSString(JSContext* cx, jsi
 {
   if (JSString *str = ::JS_AtomizeAndPinString(cx, chars)) {
     id = INTERNED_STRING_TO_JSID(cx, str);
     return true;
   }
   return false;
 }
 
-// Spec needs a name property
-template <typename Spec>
-static bool
-InitIds(JSContext* cx, const Prefable<Spec>* prefableSpecs, jsid* ids)
-{
-  MOZ_ASSERT(prefableSpecs);
-  MOZ_ASSERT(prefableSpecs->specs);
-  do {
-    // We ignore whether the set of ids is enabled and just intern all the IDs,
-    // because this is only done once per application runtime.
-    Spec* spec = prefableSpecs->specs;
-    do {
-      if (!JS::PropertySpecNameToPermanentId(cx, spec->name, ids)) {
-        return false;
-      }
-    } while (++ids, (++spec)->name);
-
-    // We ran out of ids for that pref.  Put a JSID_VOID in on the id
-    // corresponding to the list terminator for the pref.
-    *ids = JSID_VOID;
-    ++ids;
-  } while ((++prefableSpecs)->specs);
-
-  return true;
-}
+bool
+InitIds(JSContext* cx, const NativeProperties* properties);
 
 bool
 QueryInterface(JSContext* cx, unsigned argc, JS::Value* vp);
 
 template <class T>
 struct
 WantsQueryInterface
 {
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -2131,24 +2131,25 @@ class PropertyDefiner:
         else:
             if self.hasNonChromeOnly():
                 return "s" + self.name
         return "nullptr"
 
     def usedForXrays(self):
         return self.descriptor.wantsXrays
 
+    def length(self, chrome):
+        return len(self.chrome) if chrome else len(self.regular)
+        
     def __str__(self):
         # We only need to generate id arrays for things that will end
         # up used via ResolveProperty or EnumerateProperties.
-        str = self.generateArray(self.regular, self.variableName(False),
-                                 self.usedForXrays())
+        str = self.generateArray(self.regular, self.variableName(False))
         if self.hasChromeOnly():
-            str += self.generateArray(self.chrome, self.variableName(True),
-                                      self.usedForXrays())
+            str += self.generateArray(self.chrome, self.variableName(True))
         return str
 
     @staticmethod
     def getStringAttr(member, name):
         attr = member.getExtendedAttribute(name)
         if attr is None:
             return None
         # It's a list of strings
@@ -2165,17 +2166,17 @@ class PropertyDefiner:
             PropertyDefiner.getStringAttr(interfaceMember,
                                           "Pref"),
             PropertyDefiner.getStringAttr(interfaceMember,
                                           "Func"),
             interfaceMember.getExtendedAttribute("SecureContext") is not None,
             nonExposureSet)
 
     def generatePrefableArray(self, array, name, specFormatter, specTerminator,
-                              specType, getCondition, getDataTuple, doIdArrays):
+                              specType, getCondition, getDataTuple):
         """
         This method generates our various arrays.
 
         array is an array of interface members as passed to generateArray
 
         name is the name as passed to generateArray
 
         specFormatter is a function that takes a single argument, a tuple,
@@ -2234,27 +2235,36 @@ class PropertyDefiner:
                                   condition.nonExposedGlobals,
                                   condition.func))
             else:
                 prefableSpecs.append(prefableWithoutDisablersTemplate %
                                      (name, len(specs)))
 
         switchToCondition(self, lastCondition)
 
+        numSpecsOfPrefable = 0
+        maxNumSpecsOfPrefable = 0
+
         for member in array:
             curCondition = getCondition(member, self.descriptor)
             if lastCondition != curCondition:
                 # Terminate previous list
                 specs.append(specTerminator)
+                if numSpecsOfPrefable > maxNumSpecsOfPrefable:
+                    maxNumSpecsOfPrefable = numSpecsOfPrefable
+                numSpecsOfPrefable = 0
                 # And switch to our new condition
                 switchToCondition(self, curCondition)
                 lastCondition = curCondition
             # And the actual spec
             specs.append(specFormatter(getDataTuple(member)))
+            numSpecsOfPrefable += 1
         specs.append(specTerminator)
+        if numSpecsOfPrefable > maxNumSpecsOfPrefable:
+            maxNumSpecsOfPrefable = numSpecsOfPrefable
         prefableSpecs.append("  { nullptr, nullptr }")
 
         specType = "const " + specType
         arrays = fill(
             """
             // We deliberately use brace-elision to make Visual Studio produce better initalization code.
             #if defined(__clang__)
             #pragma clang diagnostic push
@@ -2274,18 +2284,31 @@ class PropertyDefiner:
             };
 
             """,
             specType=specType,
             name=name,
             disablers='\n'.join(disablers),
             specs=',\n'.join(specs),
             prefableSpecs=',\n'.join(prefableSpecs))
-        if doIdArrays:
-            arrays += "static jsid %s_ids[%i];\n\n" % (name, len(specs))
+
+        if self.usedForXrays():
+            arrays = fill(
+                """
+                $*{arrays}
+                static_assert(${numPrefableSpecs} <= (1 << NUM_BITS_PROPERTY_INFO_PREF_INDEX) - 1,
+                              "We won't fit");
+                static_assert(${maxNumSpecsOfPrefable} <= (1 << NUM_BITS_PROPERTY_INFO_SPEC_INDEX) - 1,
+                              "We won't fit");
+
+                """,
+                arrays=arrays,
+                numPrefableSpecs=len(prefableSpecs)-1,
+                maxNumSpecsOfPrefable=maxNumSpecsOfPrefable)
+
         return arrays
 
 
 # The length of a method is the minimum of the lengths of the
 # argument lists of all its overloads.
 def overloadLength(arguments):
     i = len(arguments)
     while i > 0 and arguments[i - 1].optional:
@@ -2563,17 +2586,17 @@ class MethodDefiner(PropertyDefiner):
             if not descriptor.interface.hasInterfaceObject():
                 # static methods go on the interface object
                 assert not self.hasChromeOnly() and not self.hasNonChromeOnly()
         else:
             if not descriptor.interface.hasInterfacePrototypeObject():
                 # non-static methods go on the interface prototype object
                 assert not self.hasChromeOnly() and not self.hasNonChromeOnly()
 
-    def generateArray(self, array, name, doIdArrays):
+    def generateArray(self, array, name):
         if len(array) == 0:
             return ""
 
         def condition(m, d):
             return m["condition"]
 
         def flags(m):
             unforgeable = " | JSPROP_PERMANENT | JSPROP_READONLY" if self.unforgeable else ""
@@ -2624,17 +2647,17 @@ class MethodDefiner(PropertyDefiner):
                 return '  JS_SYM_FNSPEC(%s, %s, %s, %s, %s, %s)' % fields
             return '  JS_FNSPEC("%s", %s, %s, %s, %s, %s)' % fields
 
         return self.generatePrefableArray(
             array, name,
             formatSpec,
             '  JS_FS_END',
             'JSFunctionSpec',
-            condition, specData, doIdArrays)
+            condition, specData)
 
 
 def IsCrossOriginWritable(attr, descriptor):
     """
     Return whether the IDLAttribute in question is cross-origin writable on the
     interface represented by descriptor.  This is needed to handle the fact that
     some, but not all, interfaces implementing URLUtils want a cross-origin
     writable .href.
@@ -2674,17 +2697,17 @@ class AttrDefiner(PropertyDefiner):
             if not descriptor.interface.hasInterfaceObject():
                 # static attributes go on the interface object
                 assert not self.hasChromeOnly() and not self.hasNonChromeOnly()
         else:
             if not descriptor.interface.hasInterfacePrototypeObject():
                 # non-static attributes go on the interface prototype object
                 assert not self.hasChromeOnly() and not self.hasNonChromeOnly()
 
-    def generateArray(self, array, name, doIdArrays):
+    def generateArray(self, array, name):
         if len(array) == 0:
             return ""
 
         def flags(attr):
             unforgeable = " | JSPROP_PERMANENT" if self.unforgeable else ""
             # Attributes generated as part of a maplike/setlike declaration are
             # not enumerable.
             enumerable = " | JSPROP_ENUMERATE" if not attr.isMaplikeOrSetlikeAttr() else ""
@@ -2757,44 +2780,44 @@ class AttrDefiner(PropertyDefiner):
             return (attr.identifier.name, flags(attr), getter(attr),
                     setter(attr))
 
         return self.generatePrefableArray(
             array, name,
             lambda fields: '  { "%s", %s, %s, %s }' % fields,
             '  { nullptr, 0, nullptr, nullptr, nullptr, nullptr }',
             'JSPropertySpec',
-            PropertyDefiner.getControllingCondition, specData, doIdArrays)
+            PropertyDefiner.getControllingCondition, specData)
 
 
 class ConstDefiner(PropertyDefiner):
     """
     A class for definining constants on the interface object
     """
     def __init__(self, descriptor, name):
         PropertyDefiner.__init__(self, descriptor, name)
         self.name = name
         constants = [m for m in descriptor.interface.members if m.isConst()]
         self.chrome = [m for m in constants if isChromeOnly(m)]
         self.regular = [m for m in constants if not isChromeOnly(m)]
 
-    def generateArray(self, array, name, doIdArrays):
+    def generateArray(self, array, name):
         if len(array) == 0:
             return ""
 
         def specData(const):
             return (const.identifier.name,
                     convertConstIDLValueToJSVal(const.value))
 
         return self.generatePrefableArray(
             array, name,
             lambda fields: '  { "%s", %s }' % fields,
             '  { 0, JS::UndefinedValue() }',
             'ConstantSpec',
-            PropertyDefiner.getControllingCondition, specData, doIdArrays)
+            PropertyDefiner.getControllingCondition, specData)
 
 
 class PropertyArrays():
     def __init__(self, descriptor):
         self.staticMethods = MethodDefiner(descriptor, "StaticMethods",
                                            static=True)
         self.staticAttrs = AttrDefiner(descriptor, "StaticAttributes",
                                        static=True)
@@ -2826,53 +2849,92 @@ class PropertyArrays():
 
 class CGNativeProperties(CGList):
     def __init__(self, descriptor, properties):
         def generateNativeProperties(name, chrome):
             def check(p):
                 return p.hasChromeOnly() if chrome else p.hasNonChromeOnly()
 
             nativePropsInts = []
-            nativePropsTrios = []
+            nativePropsIds = []
+            nativePropsDuos = []
+
+            duosOffset = 0
+            idsOffset = 0
+            for array in properties.arrayNames():
+                propertyArray = getattr(properties, array)
+                if check(propertyArray):
+                    varName = propertyArray.variableName(chrome)
+                    bitfields = "true,  %d /* %s */" % (duosOffset, varName)
+                    duosOffset += 1
+                    nativePropsInts.append(CGGeneric(bitfields))
+
+                    if propertyArray.usedForXrays():
+                        ids = "&%s_propertyInfos[%d]" % (name, idsOffset)
+                        idsOffset += propertyArray.length(chrome)
+                    else:
+                        ids = "nullptr"
+                    duo = "{ %s, %s }" % (varName, ids)
+                    nativePropsDuos.append(CGGeneric(duo))
+                else:
+                    bitfields = "false, 0"
+                    nativePropsInts.append(CGGeneric(bitfields))
 
             iteratorAliasIndex = -1
             for index, item in enumerate(properties.methods.regular):
                 if item.get("hasIteratorAlias"):
                     iteratorAliasIndex = index
                     break
             nativePropsInts.append(CGGeneric(str(iteratorAliasIndex)))
 
-            offset = 0
-            for array in properties.arrayNames():
-                propertyArray = getattr(properties, array)
-                if check(propertyArray):
-                    varName = propertyArray.variableName(chrome)
-                    bitfields = "true,  %d /* %s */" % (offset, varName)
-                    offset += 1
-                    nativePropsInts.append(CGGeneric(bitfields))
-
-                    if propertyArray.usedForXrays():
-                        ids = "%(name)s_ids"
-                    else:
-                        ids = "nullptr"
-                    trio = "{ %(name)s, " + ids + ", %(name)s_specs }"
-                    trio = trio % {'name': varName}
-                    nativePropsTrios.append(CGGeneric(trio))
-                else:
-                    bitfields = "false, 0"
-                    nativePropsInts.append(CGGeneric(bitfields))
-
-            nativePropsTrios = \
-                [CGWrapper(CGIndenter(CGList(nativePropsTrios, ",\n")),
+            nativePropsDuos = \
+                [CGWrapper(CGIndenter(CGList(nativePropsDuos, ",\n")),
                            pre='{\n', post='\n}')]
-            nativeProps = nativePropsInts + nativePropsTrios
+
             pre = ("static const NativePropertiesN<%d> %s = {\n" %
-                   (offset, name))
+                   (duosOffset, name))
+            post = "\n};\n"
+            if descriptor.wantsXrays:
+                pre = fill(
+                    """
+                    static uint16_t ${name}_sortedPropertyIndices[${size}];
+                    static PropertyInfo ${name}_propertyInfos[${size}];
+
+                    $*{pre}
+                    """,
+                    name=name,
+                    size=idsOffset,
+                    pre=pre)
+                if iteratorAliasIndex >= 0:
+                    post = fill(
+                        """
+                        $*{post}
+                        static_assert(${iteratorAliasIndex} < (1 << CHAR_BIT * sizeof(${name}.iteratorAliasMethodIndex) - 1) - 1,
+                                      "We won't fit");
+                        """,
+                        post=post,
+                        iteratorAliasIndex=iteratorAliasIndex,
+                        name=name)
+                post = fill(
+                    """
+                    $*{post}
+                    static_assert(${numIds} <= (1 << CHAR_BIT * sizeof(${name}.idsLength)) - 1,
+                                  "We won't fit");
+                    """,
+                    post=post,
+                    numIds=idsOffset,
+                    name=name)
+                nativePropsInts.append(CGGeneric("%d" % idsOffset))
+                nativePropsIds.append(CGGeneric("%s_sortedPropertyIndices" % name))
+            else:
+                nativePropsInts.append(CGGeneric("0"))
+                nativePropsIds.append(CGGeneric("nullptr"))
+            nativeProps = nativePropsInts + nativePropsIds + nativePropsDuos
             return CGWrapper(CGIndenter(CGList(nativeProps, ",\n")),
-                             pre=pre, post="\n};\n")
+                             pre=pre, post=post)
 
         nativeProperties = []
         if properties.hasNonChromeOnly():
             nativeProperties.append(
                 generateNativeProperties("sNativeProperties", False))
         if properties.hasChromeOnly():
             nativeProperties.append(
                 generateNativeProperties("sChromeOnlyNativeProperties", True))
@@ -2977,26 +3039,23 @@ class CGCreateInterfaceObjectsMethod(CGA
             }
             """,
             type=constructorProtoType,
             getConstructorProto=getConstructorProto)
 
         idsToInit = []
         # There is no need to init any IDs in bindings that don't want Xrays.
         if self.descriptor.wantsXrays:
-            for var in self.properties.arrayNames():
-                props = getattr(self.properties, var)
-                # We only have non-chrome ids to init if we have no chrome ids.
-                if props.hasChromeOnly():
-                    idsToInit.append(props.variableName(True))
-                if props.hasNonChromeOnly():
-                    idsToInit.append(props.variableName(False))
+            if self.properties.hasNonChromeOnly():
+                idsToInit.append("sNativeProperties")
+            if self.properties.hasChromeOnly():
+                idsToInit.append("sChromeOnlyNativeProperties")
         if len(idsToInit) > 0:
-            initIdCalls = ["!InitIds(aCx, %s, %s_ids)" % (varname, varname)
-                           for varname in idsToInit]
+            initIdCalls = ["!InitIds(aCx, %s.Upcast())" % (properties)
+                           for properties in idsToInit]
             idsInitedFlag = CGGeneric("static bool sIdsInited = false;\n")
             setFlag = CGGeneric("sIdsInited = true;\n")
             initIdConditionals = [CGIfWrapper(CGGeneric("return;\n"), call)
                                   for call in initIdCalls]
             initIds = CGList([idsInitedFlag,
                               CGIfWrapper(CGList(initIdConditionals + [setFlag]),
                                           "!sIdsInited && NS_IsMainThread()")])
         else:
--- a/dom/bindings/DOMJSClass.h
+++ b/dom/bindings/DOMJSClass.h
@@ -165,107 +165,151 @@ struct Prefable {
   PrefableDisablers* const disablers;
 
   // Array of specs, terminated in whatever way is customary for T.
   // Null to indicate a end-of-array for Prefable, when such an
   // indicator is needed.
   const T* const specs;
 };
 
-// Conceptually, NativeProperties has seven (Prefable<T>*, jsid*, T*) trios
+enum PropertyType {
+  eStaticMethod,
+  eStaticAttribute,
+  eMethod,
+  eAttribute,
+  eUnforgeableMethod,
+  eUnforgeableAttribute,
+  eConstant,
+  ePropertyTypeCount
+};
+
+#define NUM_BITS_PROPERTY_INFO_TYPE        3
+#define NUM_BITS_PROPERTY_INFO_PREF_INDEX 13
+#define NUM_BITS_PROPERTY_INFO_SPEC_INDEX 16
+
+struct PropertyInfo {
+  jsid id;
+  // One of PropertyType, will be used for accessing the corresponding Duo in
+  // NativePropertiesN.duos[].
+  uint32_t type: NUM_BITS_PROPERTY_INFO_TYPE;
+  // The index to Duo.mPrefables[].
+  uint32_t prefIndex: NUM_BITS_PROPERTY_INFO_PREF_INDEX;
+  // The index to Duo.mPrefables[prefIndex].specs[].
+  uint32_t specIndex: NUM_BITS_PROPERTY_INFO_SPEC_INDEX;
+};
+
+static_assert(ePropertyTypeCount <= 1 << NUM_BITS_PROPERTY_INFO_TYPE,
+              "We can't fit the bit field");
+
+// Conceptually, NativeProperties has seven (Prefable<T>*, PropertyInfo*) duos
 // (where T is one of JSFunctionSpec, JSPropertySpec, or ConstantSpec), one for
 // each of: static methods and attributes, methods and attributes, unforgeable
 // methods and attributes, and constants.
 //
-// That's 21 pointers, but in most instances most of the trios are all null,
-// and there are many instances. To save space we use a variable-length type,
+// That's 14 pointers, but in most instances most of the duos are all null, and
+// there are many instances. To save space we use a variable-length type,
 // NativePropertiesN<N>, to hold the data and getters to access it. It has N
-// actual trios (stored in trios[]), plus four bits for each of the 7 possible
-// trios: 1 bit that states if that trio is present, and 3 that state that
-// trio's offset (if present) in trios[].
+// actual duos (stored in duos[]), plus four bits for each of the 7 possible
+// duos: 1 bit that states if that duo is present, and 3 that state that duo's
+// offset (if present) in duos[].
 //
-// All trio accesses should be done via the getters, which contain assertions
-// that check we don't overrun the end of the struct. (The trio data members are
+// All duo accesses should be done via the getters, which contain assertions
+// that check we don't overrun the end of the struct. (The duo data members are
 // public only so they can be statically initialized.) These assertions should
 // never fail so long as (a) accesses to the variable-length part are guarded by
 // appropriate Has*() calls, and (b) all instances are well-formed, i.e. the
 // value of N matches the number of mHas* members that are true.
 //
+// We store all the property ids a NativePropertiesN owns in a single array of
+// PropertyInfo structs. Each struct contains an id and the information needed
+// to find the corresponding Prefable for the enabled check, as well as the
+// information needed to find the correct property descriptor in the
+// Prefable. We also store an array of indices into the PropertyInfo array,
+// sorted by bits of the corresponding jsid. Given a jsid, this allows us to
+// binary search for the index of the corresponding PropertyInfo, if any.
+//
 // Finally, we define a typedef of NativePropertiesN<7>, NativeProperties, which
 // we use as a "base" type used to refer to all instances of NativePropertiesN.
 // (7 is used because that's the maximum valid parameter, though any other
 // value 1..6 could also be used.) This is reasonable because of the
 // aforementioned assertions in the getters. Upcast() is used to convert
 // specific instances to this "base" type.
 //
 template <int N>
 struct NativePropertiesN {
-  // Trio structs are stored in the trios[] array, and each element in the
-  // array could require a different T. Therefore, we can't use the correct
-  // type for mPrefables and mSpecs. Instead we use void* and cast to the
-  // correct type in the getters.
-  struct Trio {
+  // Duo structs are stored in the duos[] array, and each element in the array
+  // could require a different T. Therefore, we can't use the correct type for
+  // mPrefables. Instead we use void* and cast to the correct type in the
+  // getters.
+  struct Duo {
     const /*Prefable<const T>*/ void* const mPrefables;
-    const jsid* const mIds;
-    const /*T*/ void* const mSpecs;
+    PropertyInfo* const mIds;
   };
 
-  const int32_t iteratorAliasMethodIndex;
-
   constexpr const NativePropertiesN<7>* Upcast() const {
     return reinterpret_cast<const NativePropertiesN<7>*>(this);
   }
 
+  const PropertyInfo* PropertyInfos() const {
+    return duos[0].mIds;
+  }
+
 #define DO(SpecT, FieldName) \
 public: \
-  /* The bitfields indicating the trio's presence and (if present) offset. */ \
+  /* The bitfields indicating the duo's presence and (if present) offset. */ \
   const uint32_t mHas##FieldName##s:1; \
   const uint32_t m##FieldName##sOffset:3; \
 private: \
-  const Trio* FieldName##sTrio() const { \
+  const Duo* FieldName##sDuo() const { \
     MOZ_ASSERT(Has##FieldName##s()); \
-    return &trios[m##FieldName##sOffset]; \
+    return &duos[m##FieldName##sOffset]; \
   } \
 public: \
   bool Has##FieldName##s() const { \
     return mHas##FieldName##s; \
   } \
   const Prefable<const SpecT>* FieldName##s() const { \
     return static_cast<const Prefable<const SpecT>*> \
-                      (FieldName##sTrio()->mPrefables); \
+                      (FieldName##sDuo()->mPrefables); \
   } \
-  const jsid* FieldName##Ids() const { \
-    return FieldName##sTrio()->mIds; \
-  } \
-  const SpecT* FieldName##Specs() const { \
-    return static_cast<const SpecT*>(FieldName##sTrio()->mSpecs); \
+  PropertyInfo* FieldName##Ids() const { \
+    return FieldName##sDuo()->mIds; \
   }
 
   DO(JSFunctionSpec, StaticMethod)
   DO(JSPropertySpec, StaticAttribute)
   DO(JSFunctionSpec, Method)
   DO(JSPropertySpec, Attribute)
   DO(JSFunctionSpec, UnforgeableMethod)
   DO(JSPropertySpec, UnforgeableAttribute)
   DO(ConstantSpec,   Constant)
 
 #undef DO
 
-  const Trio trios[N];
+  // The index to the iterator method in Methods()->specs[].
+  const int16_t iteratorAliasMethodIndex;
+  // The number of properties that the duos manage.
+  const uint16_t idsLength;
+  // The sorted indices array from sorting property ids, which will be used when
+  // we binary search a resolving property.
+  uint16_t* sortedPropertyIndices;
+
+  const Duo duos[N];
 };
 
-// Ensure the struct has the expected size. The 8 is for the
-// iteratorAliasMethodIndex plus the bitfields; the rest is for trios[].
+// Ensure the struct has the expected size. The 8 is for the bitfields plus
+// iteratorAliasMethodIndex and idsLength; the rest is for the idsSortedIndex,
+// and duos[].
 static_assert(sizeof(NativePropertiesN<1>) == 8 +  3*sizeof(void*), "1 size");
-static_assert(sizeof(NativePropertiesN<2>) == 8 +  6*sizeof(void*), "2 size");
-static_assert(sizeof(NativePropertiesN<3>) == 8 +  9*sizeof(void*), "3 size");
-static_assert(sizeof(NativePropertiesN<4>) == 8 + 12*sizeof(void*), "4 size");
-static_assert(sizeof(NativePropertiesN<5>) == 8 + 15*sizeof(void*), "5 size");
-static_assert(sizeof(NativePropertiesN<6>) == 8 + 18*sizeof(void*), "6 size");
-static_assert(sizeof(NativePropertiesN<7>) == 8 + 21*sizeof(void*), "7 size");
+static_assert(sizeof(NativePropertiesN<2>) == 8 +  5*sizeof(void*), "2 size");
+static_assert(sizeof(NativePropertiesN<3>) == 8 +  7*sizeof(void*), "3 size");
+static_assert(sizeof(NativePropertiesN<4>) == 8 +  9*sizeof(void*), "4 size");
+static_assert(sizeof(NativePropertiesN<5>) == 8 + 11*sizeof(void*), "5 size");
+static_assert(sizeof(NativePropertiesN<6>) == 8 + 13*sizeof(void*), "6 size");
+static_assert(sizeof(NativePropertiesN<7>) == 8 + 15*sizeof(void*), "7 size");
 
 // The "base" type.
 typedef NativePropertiesN<7> NativeProperties;
 
 struct NativePropertiesHolder
 {
   const NativeProperties* regular;
   const NativeProperties* chromeOnly;