From 24ea5a25b4051b81c053b1a46721ef4f89a1242c Mon Sep 17 00:00:00 2001
From: Terrence Cole <terrence@mozilla.com>
Date: Tue, 28 May 2013 11:23:04 -0700
Subject: [PATCH] Bug 906940 - Exactly root the IsAcceptableThis callback;
 r=jonco,smaug

--HG--
extra : rebase_source : 3b629611a07fc52a532a05c1b56e5aa40b6a67b6
---
 content/xbl/src/nsXBLProtoImplField.cpp         | 17 +++++++++++++----
 js/src/builtin/MapObject.cpp                    | 12 ++++++------
 js/src/builtin/MapObject.h                      |  4 ++--
 js/src/builtin/RegExp.cpp                       |  2 +-
 .../testCallNonGenericMethodOnProxy.cpp         |  2 +-
 js/src/jsapi.cpp                                |  2 +-
 js/src/jsapi.h                                  |  6 +++---
 js/src/jsarray.cpp                              |  2 +-
 js/src/jsbool.cpp                               |  8 ++++----
 js/src/jsdate.cpp                               |  2 +-
 js/src/jsiter.cpp                               |  6 +++---
 js/src/jsnum.cpp                                |  2 +-
 js/src/jsstr.cpp                                |  2 +-
 js/src/jsweakmap.cpp                            |  2 +-
 js/src/vm/GlobalObject.cpp                      |  8 ++++----
 js/src/vm/TypedArrayObject.cpp                  | 10 +++++-----
 js/src/vm/TypedArrayObject.h                    |  6 +++---
 17 files changed, 51 insertions(+), 42 deletions(-)

diff --git a/content/xbl/src/nsXBLProtoImplField.cpp b/content/xbl/src/nsXBLProtoImplField.cpp
index a8c34be703e..224580accce 100644
--- a/content/xbl/src/nsXBLProtoImplField.cpp
+++ b/content/xbl/src/nsXBLProtoImplField.cpp
@@ -105,7 +105,7 @@ static const uint32_t XBLPROTO_SLOT = 0;
 static const uint32_t FIELD_SLOT = 1;
 
 bool
-ValueHasISupportsPrivate(const JS::Value &v)
+ValueHasISupportsPrivate(JS::Handle<JS::Value> v)
 {
   if (!v.isObject()) {
     return false;
@@ -122,6 +122,15 @@ ValueHasISupportsPrivate(const JS::Value &v)
   return (clasp->flags & HAS_PRIVATE_NSISUPPORTS) == HAS_PRIVATE_NSISUPPORTS;
 }
 
+#ifdef DEBUG
+static bool
+ValueHasISupportsPrivate(JSContext* cx, const JS::Value& aVal)
+{
+    JS::Rooted<JS::Value> v(cx, aVal);
+    return ValueHasISupportsPrivate(v);
+}
+#endif
+
 // Define a shadowing property on |this| for the XBL field defined by the
 // contents of the callee's reserved slots.  If the property was defined,
 // *installed will be true, and idp will be set to the property name that was
@@ -137,7 +146,7 @@ InstallXBLField(JSContext* cx,
   //
   // FieldAccessorGuard already determined whether |thisObj| was acceptable as
   // |this| in terms of not throwing a TypeError.  Assert this for good measure.
-  MOZ_ASSERT(ValueHasISupportsPrivate(JS::ObjectValue(*thisObj)));
+  MOZ_ASSERT(ValueHasISupportsPrivate(cx, JS::ObjectValue(*thisObj)));
 
   // But there are some cases where we must accept |thisObj| but not install a
   // property on it, or otherwise touch it.  Hence this split of |this|-vetting
@@ -222,7 +231,7 @@ InstallXBLField(JSContext* cx,
 bool
 FieldGetterImpl(JSContext *cx, JS::CallArgs args)
 {
-  const JS::Value &thisv = args.thisv();
+  JS::Handle<JS::Value> thisv = args.thisv();
   MOZ_ASSERT(ValueHasISupportsPrivate(thisv));
 
   JS::Rooted<JSObject*> thisObj(cx, &thisv.toObject());
@@ -263,7 +272,7 @@ FieldGetter(JSContext *cx, unsigned argc, JS::Value *vp)
 bool
 FieldSetterImpl(JSContext *cx, JS::CallArgs args)
 {
-  const JS::Value &thisv = args.thisv();
+  JS::Handle<JS::Value> thisv = args.thisv();
   MOZ_ASSERT(ValueHasISupportsPrivate(thisv));
 
   JS::Rooted<JSObject*> thisObj(cx, &thisv.toObject());
diff --git a/js/src/builtin/MapObject.cpp b/js/src/builtin/MapObject.cpp
index dd0e94fc57a..63951a0ff4a 100644
--- a/js/src/builtin/MapObject.cpp
+++ b/js/src/builtin/MapObject.cpp
@@ -866,7 +866,7 @@ class MapIteratorObject : public JSObject
     static void finalize(FreeOp *fop, JSObject *obj);
 
   private:
-    static inline bool is(const Value &v);
+    static inline bool is(HandleValue v);
     inline ValueMap::Range *range();
     inline MapObject::IteratorKind kind() const;
     static bool next_impl(JSContext *cx, CallArgs args);
@@ -956,7 +956,7 @@ MapIteratorObject::finalize(FreeOp *fop, JSObject *obj)
 }
 
 bool
-MapIteratorObject::is(const Value &v)
+MapIteratorObject::is(HandleValue v)
 {
     return v.isObject() && v.toObject().hasClass(&class_);
 }
@@ -1208,7 +1208,7 @@ MapObject::construct(JSContext *cx, unsigned argc, Value *vp)
 }
 
 bool
-MapObject::is(const Value &v)
+MapObject::is(HandleValue v)
 {
     return v.isObject() && v.toObject().hasClass(&class_) && v.toObject().getPrivate();
 }
@@ -1433,7 +1433,7 @@ class SetIteratorObject : public JSObject
     static void finalize(FreeOp *fop, JSObject *obj);
 
   private:
-    static inline bool is(const Value &v);
+    static inline bool is(HandleValue v);
     inline ValueSet::Range *range();
     inline SetObject::IteratorKind kind() const;
     static bool next_impl(JSContext *cx, CallArgs args);
@@ -1522,7 +1522,7 @@ SetIteratorObject::finalize(FreeOp *fop, JSObject *obj)
 }
 
 bool
-SetIteratorObject::is(const Value &v)
+SetIteratorObject::is(HandleValue v)
 {
     return v.isObject() && v.toObject().is<SetIteratorObject>();
 }
@@ -1683,7 +1683,7 @@ SetObject::construct(JSContext *cx, unsigned argc, Value *vp)
 }
 
 bool
-SetObject::is(const Value &v)
+SetObject::is(HandleValue v)
 {
     return v.isObject() && v.toObject().hasClass(&class_) && v.toObject().getPrivate();
 }
diff --git a/js/src/builtin/MapObject.h b/js/src/builtin/MapObject.h
index 17ccf210577..7b6b81ad199 100644
--- a/js/src/builtin/MapObject.h
+++ b/js/src/builtin/MapObject.h
@@ -99,7 +99,7 @@ class MapObject : public JSObject {
     static void finalize(FreeOp *fop, JSObject *obj);
     static bool construct(JSContext *cx, unsigned argc, Value *vp);
 
-    static bool is(const Value &v);
+    static bool is(HandleValue v);
 
     static bool iterator_impl(JSContext *cx, CallArgs args, IteratorKind kind);
 
@@ -137,7 +137,7 @@ class SetObject : public JSObject {
     static void finalize(FreeOp *fop, JSObject *obj);
     static bool construct(JSContext *cx, unsigned argc, Value *vp);
 
-    static bool is(const Value &v);
+    static bool is(HandleValue v);
 
     static bool iterator_impl(JSContext *cx, CallArgs args, IteratorKind kind);
 
diff --git a/js/src/builtin/RegExp.cpp b/js/src/builtin/RegExp.cpp
index b28030e67a9..fd064a42f58 100644
--- a/js/src/builtin/RegExp.cpp
+++ b/js/src/builtin/RegExp.cpp
@@ -305,7 +305,7 @@ CompileRegExpObject(JSContext *cx, RegExpObjectBuilder &builder, CallArgs args)
 }
 
 JS_ALWAYS_INLINE bool
-IsRegExp(const Value &v)
+IsRegExp(HandleValue v)
 {
     return v.isObject() && v.toObject().is<RegExpObject>();
 }
diff --git a/js/src/jsapi-tests/testCallNonGenericMethodOnProxy.cpp b/js/src/jsapi-tests/testCallNonGenericMethodOnProxy.cpp
index 272a842bb85..f3350bb0ab1 100644
--- a/js/src/jsapi-tests/testCallNonGenericMethodOnProxy.cpp
+++ b/js/src/jsapi-tests/testCallNonGenericMethodOnProxy.cpp
@@ -21,7 +21,7 @@ static JSClass CustomClass = {
 static const uint32_t CUSTOM_SLOT = 0;
 
 static bool
-IsCustomClass(const Value &v)
+IsCustomClass(JS::Handle<JS::Value> v)
 {
   return v.isObject() && JS_GetClass(&v.toObject()) == &CustomClass;
 }
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index fe76d46b024..e667fdfe90c 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -104,7 +104,7 @@ bool
 JS::detail::CallMethodIfWrapped(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                                CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     JS_ASSERT(!test(thisv));
 
     if (thisv.isObject()) {
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
index ce1f7450bde..f1c9f61c732 100644
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -644,7 +644,7 @@ class JS_PUBLIC_API(CustomAutoRooter) : private AutoGCRooter
 };
 
 /* Returns true if |v| is considered an acceptable this-value. */
-typedef bool (*IsAcceptableThis)(const Value &v);
+typedef bool (*IsAcceptableThis)(JS::Handle<JS::Value> v);
 
 /*
  * Implements the guts of a method; guaranteed to be provided an acceptable
@@ -728,7 +728,7 @@ template<IsAcceptableThis Test, NativeImpl Impl>
 JS_ALWAYS_INLINE bool
 CallNonGenericMethod(JSContext *cx, CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     if (Test(thisv))
         return Impl(cx, args);
 
@@ -738,7 +738,7 @@ CallNonGenericMethod(JSContext *cx, CallArgs args)
 JS_ALWAYS_INLINE bool
 CallNonGenericMethod(JSContext *cx, IsAcceptableThis Test, NativeImpl Impl, CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     if (Test(thisv))
         return Impl(cx, args);
 
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index d4b2650edad..02e650a38e1 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -799,7 +799,7 @@ AddLengthProperty(ExclusiveContext *cx, HandleObject obj)
 
 #if JS_HAS_TOSOURCE
 JS_ALWAYS_INLINE bool
-IsArray(const Value &v)
+IsArray(HandleValue v)
 {
     return v.isObject() && v.toObject().is<ArrayObject>();
 }
diff --git a/js/src/jsbool.cpp b/js/src/jsbool.cpp
index f0b45c2e25f..a65d0f0513a 100644
--- a/js/src/jsbool.cpp
+++ b/js/src/jsbool.cpp
@@ -38,7 +38,7 @@ Class BooleanObject::class_ = {
 };
 
 JS_ALWAYS_INLINE bool
-IsBoolean(const Value &v)
+IsBoolean(HandleValue v)
 {
     return v.isBoolean() || (v.isObject() && v.toObject().is<BooleanObject>());
 }
@@ -47,7 +47,7 @@ IsBoolean(const Value &v)
 JS_ALWAYS_INLINE bool
 bool_toSource_impl(JSContext *cx, CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     JS_ASSERT(IsBoolean(thisv));
 
     bool b = thisv.isBoolean() ? thisv.toBoolean() : thisv.toObject().as<BooleanObject>().unbox();
@@ -74,7 +74,7 @@ bool_toSource(JSContext *cx, unsigned argc, Value *vp)
 JS_ALWAYS_INLINE bool
 bool_toString_impl(JSContext *cx, CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     JS_ASSERT(IsBoolean(thisv));
 
     bool b = thisv.isBoolean() ? thisv.toBoolean() : thisv.toObject().as<BooleanObject>().unbox();
@@ -92,7 +92,7 @@ bool_toString(JSContext *cx, unsigned argc, Value *vp)
 JS_ALWAYS_INLINE bool
 bool_valueOf_impl(JSContext *cx, CallArgs args)
 {
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     JS_ASSERT(IsBoolean(thisv));
 
     bool b = thisv.isBoolean() ? thisv.toBoolean() : thisv.toObject().as<BooleanObject>().unbox();
diff --git a/js/src/jsdate.cpp b/js/src/jsdate.cpp
index a49dc62837f..eee071b599c 100644
--- a/js/src/jsdate.cpp
+++ b/js/src/jsdate.cpp
@@ -1386,7 +1386,7 @@ DateObject::cachedLocalTime(DateTimeInfo *dtInfo)
 }
 
 JS_ALWAYS_INLINE bool
-IsDate(const Value &v)
+IsDate(HandleValue v)
 {
     return v.isObject() && v.toObject().is<DateObject>();
 }
diff --git a/js/src/jsiter.cpp b/js/src/jsiter.cpp
index 313815242eb..23ff9e8e3c0 100644
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -763,7 +763,7 @@ js::IteratorConstructor(JSContext *cx, unsigned argc, Value *vp)
 }
 
 JS_ALWAYS_INLINE bool
-IsIterator(const Value &v)
+IsIterator(HandleValue v)
 {
     return v.isObject() && v.toObject().hasClass(&PropertyIteratorObject::class_);
 }
@@ -876,7 +876,7 @@ ElementIteratorObject::create(JSContext *cx, Handle<Value> target)
 }
 
 static bool
-IsElementIterator(const Value &v)
+IsElementIterator(HandleValue v)
 {
     return v.isObject() && v.toObject().is<ElementIteratorObject>();
 }
@@ -1633,7 +1633,7 @@ CloseGenerator(JSContext *cx, HandleObject obj)
 }
 
 JS_ALWAYS_INLINE bool
-IsGenerator(const Value &v)
+IsGenerator(HandleValue v)
 {
     return v.isObject() && v.toObject().is<GeneratorObject>();
 }
diff --git a/js/src/jsnum.cpp b/js/src/jsnum.cpp
index a8e8a71539d..ebdf773683e 100644
--- a/js/src/jsnum.cpp
+++ b/js/src/jsnum.cpp
@@ -483,7 +483,7 @@ Number(JSContext *cx, unsigned argc, Value *vp)
 }
 
 JS_ALWAYS_INLINE bool
-IsNumber(const Value &v)
+IsNumber(HandleValue v)
 {
     return v.isNumber() || (v.isObject() && v.toObject().is<NumberObject>());
 }
diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
index 6d9d8f01746..fd5304b962c 100644
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -460,7 +460,7 @@ ThisToStringForStringProto(JSContext *cx, CallReceiver call)
 }
 
 JS_ALWAYS_INLINE bool
-IsString(const Value &v)
+IsString(HandleValue v)
 {
     return v.isString() || (v.isObject() && v.toObject().is<StringObject>());
 }
diff --git a/js/src/jsweakmap.cpp b/js/src/jsweakmap.cpp
index 4cfc8b2016f..b95eef33470 100644
--- a/js/src/jsweakmap.cpp
+++ b/js/src/jsweakmap.cpp
@@ -126,7 +126,7 @@ GetKeyArg(JSContext *cx, CallArgs &args)
 }
 
 JS_ALWAYS_INLINE bool
-IsWeakMap(const Value &v)
+IsWeakMap(HandleValue v)
 {
     return v.isObject() && v.toObject().is<WeakMapObject>();
 }
diff --git a/js/src/vm/GlobalObject.cpp b/js/src/vm/GlobalObject.cpp
index 7f3b1466254..9e9ec9f1132 100644
--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@@ -53,7 +53,7 @@ ThrowTypeError(JSContext *cx, unsigned argc, Value *vp)
 }
 
 static bool
-TestProtoGetterThis(const Value &v)
+TestProtoGetterThis(HandleValue v)
 {
     return !v.isNullOrUndefined();
 }
@@ -63,7 +63,7 @@ ProtoGetterImpl(JSContext *cx, CallArgs args)
 {
     JS_ASSERT(TestProtoGetterThis(args.thisv()));
 
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     if (thisv.isPrimitive() && !BoxNonStrictThis(cx, args))
         return false;
 
@@ -90,7 +90,7 @@ size_t sSetProtoCalled = 0;
 } // namespace js
 
 static bool
-TestProtoSetterThis(const Value &v)
+TestProtoSetterThis(HandleValue v)
 {
     if (v.isNullOrUndefined())
         return false;
@@ -108,7 +108,7 @@ ProtoSetterImpl(JSContext *cx, CallArgs args)
 {
     JS_ASSERT(TestProtoSetterThis(args.thisv()));
 
-    const Value &thisv = args.thisv();
+    HandleValue thisv = args.thisv();
     if (thisv.isPrimitive()) {
         JS_ASSERT(!thisv.isNullOrUndefined());
 
diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
index c954f4ac9d3..1e22432cde5 100644
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -124,7 +124,7 @@ ToClampedIndex(JSContext *cx, HandleValue v, uint32_t length, uint32_t *out)
  */
 
 JS_ALWAYS_INLINE bool
-IsArrayBuffer(const Value &v)
+IsArrayBuffer(HandleValue v)
 {
     return v.isObject() && v.toObject().hasClass(&ArrayBufferObject::class_);
 }
@@ -1441,7 +1441,7 @@ class TypedArrayObjectTemplate : public TypedArrayObject
         return &TypedArrayObject::classes[ArrayTypeID()];
     }
 
-    static bool is(const Value &v) {
+    static bool is(HandleValue v) {
         return v.isObject() && v.toObject().hasClass(fastClass());
     }
 
@@ -1895,7 +1895,7 @@ class TypedArrayObjectTemplate : public TypedArrayObject
         return fromBuffer(cx, dataObj, byteOffset, length, proto);
     }
 
-    static bool IsThisClass(const Value &v) {
+    static bool IsThisClass(HandleValue v) {
         return v.isObject() && v.toObject().hasClass(fastClass());
     }
 
@@ -3984,7 +3984,7 @@ js_InitTypedArrayClasses(JSContext *cx, HandleObject obj)
 }
 
 bool
-js::IsTypedArrayConstructor(const Value &v, uint32_t type)
+js::IsTypedArrayConstructor(HandleValue v, uint32_t type)
 {
     switch (type) {
       case TypedArrayObject::TYPE_INT8:
@@ -4010,7 +4010,7 @@ js::IsTypedArrayConstructor(const Value &v, uint32_t type)
 }
 
 bool
-js::IsTypedArrayBuffer(const Value &v)
+js::IsTypedArrayBuffer(HandleValue v)
 {
     return v.isObject() && v.toObject().is<ArrayBufferObject>();
 }
diff --git a/js/src/vm/TypedArrayObject.h b/js/src/vm/TypedArrayObject.h
index 97e9229d9e6..d45dae9bac0 100644
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -415,10 +415,10 @@ IsTypedArrayProtoClass(const Class *clasp)
 }
 
 bool
-IsTypedArrayConstructor(const Value &v, uint32_t type);
+IsTypedArrayConstructor(HandleValue v, uint32_t type);
 
 bool
-IsTypedArrayBuffer(const Value &v);
+IsTypedArrayBuffer(HandleValue v);
 
 static inline unsigned
 TypedArrayShift(ArrayBufferView::ViewType viewType)
@@ -450,7 +450,7 @@ class DataViewObject : public ArrayBufferViewObject
   private:
     static Class protoClass;
 
-    static bool is(const Value &v) {
+    static bool is(HandleValue v) {
         return v.isObject() && v.toObject().hasClass(&class_);
     }