From 595df968044221497459037560be7b1b329885ae Mon Sep 17 00:00:00 2001
From: "bcrowder@mozilla.com"
Date: Wed, 25 Jun 2008 13:50:26 -0700
Subject: [PATCH 1/3] Bug 440473 - Crash [@ Decompile][@ js_GetSrcNoteOffset] with firebug/jQuery, r=igor
---
 js/src/jscntxt.h | 8 +++++---
 js/src/jsscript.cpp | 8 ++++----
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
index a63d6ece738..0c9805e958a 100644
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -61,10 +61,12 @@ JS_BEGIN_EXTERN_C
 /*
 * js_GetSrcNote cache to avoid O(n^2) growth in finding a source note for a
- * given pc in a script.
+ * given pc in a script. We use the script->code pointer to tag the cache,
+ * instead of the script address itself, so that source notes are always found
+ * by offset from the bytecode with which they were generated.
 */
 typedef struct JSGSNCache {
- JSScript *script;
+ jsbytecode *code;
 JSDHashTable table;
 #ifdef JS_GSNMETER
 uint32 hits;
@@ -79,7 +81,7 @@ typedef struct JSGSNCache {
 #define GSN_CACHE_CLEAR(cache) \
 JS_BEGIN_MACRO \
- (cache)->script = NULL; \
+ (cache)->code = NULL; \
 if ((cache)->table.ops) { \
 JS_DHashTableFinish(&(cache)->table); \
 (cache)->table.ops = NULL; \
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index 8ea1684dff9..c8c98a5ac17 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -1532,7 +1532,7 @@ js_DestroyScript(JSContext *cx, JSScript *script)
 if (script->principals)
 JSPRINCIPALS_DROP(cx, script->principals);
- if (JS_GSN_CACHE(cx).script == script)
+ if (JS_GSN_CACHE(cx).code == script->code)
 JS_CLEAR_GSN_CACHE(cx);
 /*
@@ -1638,7 +1638,7 @@ js_GetSrcNoteCached(JSContext *cx, JSScript *script, jsbytecode *pc)
 if ((uint32)target >= script->length)
 return NULL;
- if (JS_GSN_CACHE(cx).script == script) {
+ if (JS_GSN_CACHE(cx).code == script->code) {
 JS_METER_GSN_CACHE(cx, hits);
 entry = (GSNCacheEntry *)
 JS_DHashTableOperate(&JS_GSN_CACHE(cx).table, pc, 
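Review bot: The new comment on JSGSNCache explains why the cache is tagged by script->code but not what keeps that tag meaningful: the table is looked up by pc pointers into that bytecode (the JS_DHashTableOperate call in the @@ -1638 hunk), so the tag is only safe while the bytecode it names is still alive. The @@ -1532 hunk in js_DestroyScript clears the cache when the tag matches, which I read as the guarantee that the buffer is untagged before it is freed (the free itself is outside that hunk, so this is inferred); without that ordering a later script whose bytecode lands at the same address would be served stale entries. I would state the invariant in the struct comment, after the sentence about offsets: ` * The tag must be cleared before the tagged bytecode is freed (js_DestroyScript` / ` * does this), since the table entries are keyed by pc pointers into it.`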
@@ -1660,7 +1660,7 @@ js_GetSrcNoteCached(JSContext *cx, JSScript *script, jsbytecode *pc)
 }
 }
- if (JS_GSN_CACHE(cx).script != script &&
+ if (JS_GSN_CACHE(cx).code != script->code &&
 script->length >= GSN_CACHE_THRESHOLD) {
 JS_CLEAR_GSN_CACHE(cx);
 nsrcnotes = 0;
@@ -1686,7 +1686,7 @@ js_GetSrcNoteCached(JSContext *cx, JSScript *script, jsbytecode *pc)
 entry->sn = sn;
 }
 }
- JS_GSN_CACHE(cx).script = script;
+ JS_GSN_CACHE(cx).code = script->code;
 JS_METER_GSN_CACHE(cx, fills);
 }
 }
From bf6c509b5760326919e745ff87018fc09dc59431 Mon Sep 17 00:00:00 2001
From: "bcrowder@mozilla.com"
Date: Mon, 9 Jun 2008 15:25:33 -0700
Subject: [PATCH 2/3] Bug 435226 - dense arrays yield bogus __count__ values, r=shaver
---
 js/src/jsarray.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 3c01f7a17b4..1026a1d9b26 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -912,8 +912,8 @@ array_enumerate(JSContext *cx, JSObject *obj, JSIterateOp enum_op,
 case JSENUMERATE_INIT:
 JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
 length = ARRAY_DENSE_LENGTH(obj);
- if (idp && !IndexToId(cx, length, idp))
- return JS_FALSE;
+ if (idp)
+ *idp = INT_TO_JSVAL(obj->fslots[JSSLOT_ARRAY_COUNT]);
 ii = NULL;
 for (i = 0; i != length; ++i) {
 if (obj->dslots[i] == JSVAL_HOLE) {
From 942878bc176e72088ac2173bb501b1e4e8193aa2 Mon Sep 17 00:00:00 2001
From: "bcrowder@mozilla.com"
Date: Wed, 25 Jun 2008 14:18:12 -0700
Subject: [PATCH 3/3] Fixing a comment spacing nit.
---
 js/src/jscntxt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
index 0c9805e958a..cac949d9d86 100644
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
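Review bot: The tag test `JS_GSN_CACHE(cx).code != script->code` on the new side is the same expression spelled out at @@ -1532 and @@ -1638, and the matching store `JS_GSN_CACHE(cx).code = script->code` sits at @@ -1686, so the decision of what identifies a cached script now lives in four places. A small helper beside JS_GSN_CACHE, e.g. `#define JS_GSN_CACHE_IS_FOR(cx, script) (JS_GSN_CACHE(cx).code == (script)->code)`, would let a future change of the tag touch one line, and would make the three comparisons read as the same check rather than three coincidences. js_GetSrcNoteCached starts and ends outside this hunk.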
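Review bot: `*idp = INT_TO_JSVAL(obj->fslots[JSSLOT_ARRAY_COUNT]);` assumes the dense count fits the tagged-int range, whereas the `IndexToId(cx, length, idp)` call it replaces took any uint32 and, as far as I can tell from its name, fell back to a non-int id when needed; an oversized count would now be silently encoded as a malformed id instead of failing. If the range assumption is intended I would pin it in front of the store, `JS_ASSERT(INT_FITS_IN_JSVAL(obj->fslots[JSSLOT_ARRAY_COUNT]));`, and since `*idp` is a jsid I would write the conversion as `INT_TO_JSID(...)` rather than INT_TO_JSVAL even if the two coincide today. The slot appears to hold a raw count rather than a jsval, given that it is passed straight to INT_TO_JSVAL; worth confirming. array_enumerate starts and ends outside this hunk.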
@@ -61,7 +61,7 @@ JS_BEGIN_EXTERN_C
 /*
 * js_GetSrcNote cache to avoid O(n^2) growth in finding a source note for a
- * given pc in a script. We use the script->code pointer to tag the cache,
+ * given pc in a script. We use the script->code pointer to tag the cache,
 * instead of the script address itself, so that source notes are always found
 * by offset from the bytecode with which they were generated.
 */