Array.prototype lost its length property (583429, r=brendan).

2024-09-13 09:24:08 -07:00 · 2010-07-30 18:24:03 -07:00 · 2010-07-30 18:24:03 -07:00 · 98a47a4f07
commit 98a47a4f07
parent 5891afb00c
2 changed files with 15 additions and 9 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -1080,11 +1080,19 @@ JSObject::makeDenseArraySlow(JSContext *cx)
    if (!scope)
        return JS_FALSE;

-    uint32 capacity = obj->getDenseArrayCapacity();
+    uint32 capacity;

-    /* For a brief moment the object has NULL dslots until we slowify it during construction. */
-    if (obj->dslots)
+    if (obj->dslots) {
+        capacity = obj->getDenseArrayCapacity();
        obj->dslots[-1].setPrivateUint32(JS_INITIAL_NSLOTS + capacity);
+    } else {
+        /*
+         * Array.prototype is constructed as a dense array, but is immediately slowified before
+         * we have time to set capacity.
+         */
+        capacity = 0;
+    }
+
    scope->freeslot = obj->numSlots();

    /* Begin with the length property to share more of the property tree. */
@ -2979,6 +2987,7 @@ js_Array(JSContext *cx, JSObject *obj, uintN argc, Value *argv, Value *rval)
            return JS_FALSE;
        vector = NULL;
    }
+
    return InitArrayObject(cx, obj, length, vector);
 }

@ -3024,7 +3033,7 @@ JS_DEFINE_CALLINFO_3(extern, OBJECT, js_NewPreallocatedArray, CONTEXT, OBJECT, I
 JSObject *
 js_InitArrayClass(JSContext *cx, JSObject *obj)
 {
-    JSObject *proto = js_InitClass(cx, obj, NULL, &js_SlowArrayClass, js_Array, 1,
+    JSObject *proto = js_InitClass(cx, obj, NULL, &js_ArrayClass, js_Array, 1,
                                   NULL, array_methods, NULL, array_static_methods);
    if (!proto)
        return NULL;
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -3399,12 +3399,9 @@ js_InitClass(JSContext *cx, JSObject *obj, JSObject *parent_proto,
        /*
         * Remember the class this function is a constructor for so that
         * we know to create an object of this class when we call the
-         * constructor. Arrays are a special case. We have a slow and a
-         * dense array. While the prototype is a slow array (it has
-         * named properties), we want to make dense arrays with the
-         * constructor, so we have to monkey patch that here.
+         * constructor.
         */
-        FUN_CLASP(fun) = (clasp == &js_SlowArrayClass) ? &js_ArrayClass : clasp;
+        FUN_CLASP(fun) = clasp;

        /*
         * Optionally construct the prototype object, before the class has