jbarnette-johnson 1.0.0.20090326161333 → 1.0.0.20090402144841

data/vendor/spidermonkey/js.msg

@@ -305,3 +305,4 @@ MSG_DEF(JSMSG_NULL_OR_UNDEFINED,      222, 2, JSEXN_TYPEERR, "{0} is {1}")
 MSG_DEF(JSMSG_LET_DECL_NOT_IN_BLOCK,  223, 0, JSEXN_SYNTAXERR, "let declaration not directly within block")
 MSG_DEF(JSMSG_BAD_OBJECT_INIT,        224, 0, JSEXN_SYNTAXERR, "invalid object initializer")
 MSG_DEF(JSMSG_CANT_SET_ARRAY_ATTRS,   225, 0, JSEXN_INTERNALERR, "can't set attributes on indexed array properties")
+MSG_DEF(JSMSG_EVAL_ARITY,             226, 0, JSEXN_TYPEERR, "eval accepts only one parameter")

data/vendor/spidermonkey/jsapi.c

@@ -1173,7 +1173,7 @@ JS_ToggleOptions(JSContext *cx, uint32 options)
 JS_PUBLIC_API(const char *)
 JS_GetImplementationVersion(void)
 {
-    return "JavaScript-C 1.8.0 pre-release 1 2007-10-03";
+    return "JavaScript-C 1.8.0 pre-release 1 2009-02-16";
 }
 
 

data/vendor/spidermonkey/jsarray.c

@@ -116,11 +116,8 @@
 
 JS_STATIC_ASSERT(sizeof(JSScopeProperty) > 4 * sizeof(jsval));
 
-static JSBool
-MakeArraySlow(JSContext *cx, JSObject *obj);
-
 #define ENSURE_SLOW_ARRAY(cx, obj)                                             \
-    (OBJ_GET_CLASS(cx, obj) == &js_SlowArrayClass || MakeArraySlow(cx, obj))
+    (OBJ_GET_CLASS(cx, obj) == &js_SlowArrayClass || js_MakeArraySlow(cx, obj))
 
 /*
  * Determine if the id represents an array index or an XML property index.
@@ -417,7 +414,7 @@ SetArrayElement(JSContext *cx, JSObject *obj, jsuint index, jsval v)
 
     if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
         if (INDEX_TOO_SPARSE(obj, index)) {
-            if (!MakeArraySlow(cx, obj))
+            if (!js_MakeArraySlow(cx, obj))
                 return JS_FALSE;
         } else {
 
@@ -586,7 +583,9 @@ array_length_setter(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
     }
 
     if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
-        if (ARRAY_DENSE_LENGTH(obj) && !ResizeSlots(cx, obj, oldlen, newlen))
+        /* Don't reallocate if we're not actually shrinking our slots. */
+        jsuint oldsize = ARRAY_DENSE_LENGTH(obj);
+        if (oldsize >= newlen && !ResizeSlots(cx, obj, oldsize, newlen))
             return JS_FALSE;
     } else if (oldlen - newlen < (1 << 24)) {
         do {
@@ -646,11 +645,11 @@ array_lookupProperty(JSContext *cx, JSObject *obj, jsid id, JSObject **objp,
      * We have only indexed properties up to DENSELEN (excepting holes), plus
      * the length property. For all else, we delegate to the prototype.
      */
-    if ((!js_IdIsIndex(id, &i) &&
-         id != ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) ||
-        obj->fslots[JSSLOT_ARRAY_LENGTH] == 0 ||
-        i >= ARRAY_DENSE_LENGTH(obj) ||
-        obj->dslots[i] == JSVAL_HOLE)
+    if (id != ATOM_TO_JSID(cx->runtime->atomState.lengthAtom) &&
+        (!js_IdIsIndex(id, &i) ||
+         obj->fslots[JSSLOT_ARRAY_LENGTH] == 0 ||
+         i >= ARRAY_DENSE_LENGTH(obj) ||
+         obj->dslots[i] == JSVAL_HOLE))
     {
         JSObject *proto = STOBJ_GET_PROTO(obj);
 
@@ -701,13 +700,29 @@ array_getProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
 
     if (!js_IdIsIndex(ID_TO_VALUE(id), &i) || i >= ARRAY_DENSE_LENGTH(obj) ||
         obj->dslots[i] == JSVAL_HOLE) {
+        JSObject *obj2;
+        JSProperty *prop;
+        JSScopeProperty *sprop;
+
         JSObject *proto = STOBJ_GET_PROTO(obj);
         if (!proto) {
             *vp = JSVAL_VOID;
             return JS_TRUE;
         }
 
-        return OBJ_GET_PROPERTY(cx, proto, id, vp);
+        *vp = JSVAL_VOID;
+        if (js_LookupPropertyWithFlags(cx, proto, id, 0, &obj2, &prop) < 0)
+            return JS_FALSE;
+
+        if (prop && OBJ_IS_NATIVE(obj2)) {
+            sprop = (JSScopeProperty *) prop;
+            if (!js_NativeGet(cx, obj, obj2, sprop, vp))
+                return JS_FALSE;
+        }
+
+        if (prop)
+            OBJ_DROP_PROPERTY(cx, obj2, prop);
+        return JS_TRUE;
     }
 
     *vp = obj->dslots[i];
@@ -763,7 +778,7 @@ array_setProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
         return js_SetProperty(cx, obj, id, vp);
 
     if (!js_IdIsIndex(id, &i) || INDEX_TOO_SPARSE(obj, i)) {
-        if (!MakeArraySlow(cx, obj))
+        if (!js_MakeArraySlow(cx, obj))
             return JS_FALSE;
         return js_SetProperty(cx, obj, id, vp);
     }
@@ -1109,8 +1124,8 @@ JSClass js_SlowArrayClass = {
 /*
  * Convert an array object from fast-and-dense to slow-and-flexible.
  */
-static JSBool
-MakeArraySlow(JSContext *cx, JSObject *obj)
+JSBool
+js_MakeArraySlow(JSContext *cx, JSObject *obj)
 {
     JSObjectMap *map, *oldmap;
     uint32 i, length;
@@ -2048,7 +2063,7 @@ array_push(JSContext *cx, uintN argc, jsval *vp)
 
     length = obj->fslots[JSSLOT_ARRAY_LENGTH];
     if (INDEX_TOO_SPARSE(obj, length)) {
-        if (!MakeArraySlow(cx, obj))
+        if (!js_MakeArraySlow(cx, obj))
             return JS_FALSE;
         return array_push_slowly(cx, obj, argc, vp);
     }
@@ -2074,23 +2089,16 @@ array_pop(JSContext *cx, uintN argc, jsval *vp)
     if (!obj)
         return JS_FALSE;
     if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
-        *vp = JSVAL_VOID;
         index = obj->fslots[JSSLOT_ARRAY_LENGTH];
-        if (index == 0)
+        if (index == 0) {
+            *vp = JSVAL_VOID;
             return JS_TRUE;
-        index--;
-        if (index < ARRAY_DENSE_LENGTH(obj)) {
-            *vp = obj->dslots[index];
-            JS_ASSERT(*vp != JSVAL_HOLE);
-            if (index == 0) {
-                JS_free(cx, obj->dslots - 1);
-                obj->dslots = NULL;
-            } else {
-                ARRAY_SET_DENSE_LENGTH(obj, index);
-            }
-            obj->fslots[JSSLOT_ARRAY_COUNT]--;
         }
-
+        index--;
+        if (!GetArrayElement(cx, obj, index, &hole, vp))
+            return JS_FALSE;
+        if (!hole && !DeleteArrayElement(cx, obj, index))
+            return JS_FALSE;
         obj->fslots[JSSLOT_ARRAY_LENGTH] = index;
         return JS_TRUE;
     }

data/vendor/spidermonkey/jsarray.h

@@ -70,6 +70,9 @@ js_NewArrayObject(JSContext *cx, jsuint length, jsval *vector);
 extern JSObject *
 js_NewSlowArrayObject(JSContext *cx);
 
+extern JSBool
+js_MakeArraySlow(JSContext *cx, JSObject *obj);
+
 #define JSSLOT_ARRAY_LENGTH            JSSLOT_PRIVATE
 #define JSSLOT_ARRAY_COUNT             (JSSLOT_ARRAY_LENGTH + 1)
 #define JSSLOT_ARRAY_LOOKUP_HOLDER     (JSSLOT_ARRAY_COUNT + 1)

data/vendor/spidermonkey/jscpucfg.c

@@ -183,7 +183,20 @@ int main(int argc, char **argv)
     printf("/* AUTOMATICALLY GENERATED - DO NOT EDIT */\n\n");
 
 #ifdef CROSS_COMPILE
-#if defined(IS_LITTLE_ENDIAN)
+#if defined(__APPLE__)
+    /*
+     * Darwin NSPR uses the same MDCPUCFG (_darwin.cfg) for multiple
+     * processors, and determines which processor to configure for based
+     * on compiler predefined macros.  We do the same thing here.
+     */
+    printf("#ifdef __LITTLE_ENDIAN__\n");
+    printf("#define IS_LITTLE_ENDIAN 1\n");
+    printf("#undef  IS_BIG_ENDIAN\n");
+    printf("#else\n");
+    printf("#undef  IS_LITTLE_ENDIAN\n");
+    printf("#define IS_BIG_ENDIAN 1\n");
+    printf("#endif\n\n");
+#elif defined(IS_LITTLE_ENDIAN)
     printf("#define IS_LITTLE_ENDIAN 1\n");
     printf("#undef  IS_BIG_ENDIAN\n\n");
 #elif defined(IS_BIG_ENDIAN)

data/vendor/spidermonkey/jsdate.c

@@ -478,12 +478,15 @@ msFromTime(jsdouble t)
  * We use the first reseved slot to store UTC time, and the second for caching
  * the local time. The initial value of the cache entry is NaN.
  */
-#define UTC_TIME_SLOT           0
-#define LOCAL_TIME_SLOT         1
+#define JSSLOT_UTC_TIME         JSSLOT_PRIVATE
+#define JSSLOT_LOCAL_TIME       (JSSLOT_PRIVATE + 1)
+
+#define DATE_RESERVED_SLOTS     2
 
 JSClass js_DateClass = {
     js_Date_str,
-    JSCLASS_HAS_RESERVED_SLOTS(2) |  JSCLASS_HAS_CACHED_PROTO(JSProto_Date),
+    JSCLASS_HAS_RESERVED_SLOTS(DATE_RESERVED_SLOTS) |
+    JSCLASS_HAS_CACHED_PROTO(JSProto_Date),
     JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,  JS_PropertyStub,
     JS_EnumerateStub, JS_ResolveStub,   JS_ConvertStub,   JS_FinalizeStub,
     JSCLASS_NO_OPTIONAL_MEMBERS
@@ -926,14 +929,9 @@ date_now(JSContext *cx, uintN argc, jsval *vp)
 static JSBool
 GetUTCTime(JSContext *cx, JSObject *obj, jsval *vp, jsdouble *dp)
 {
-    jsval v;
-
-    if (vp && !JS_InstanceOf(cx, obj, &js_DateClass, vp + 2))
-        return JS_FALSE;
-    if (!JS_GetReservedSlot(cx, obj, UTC_TIME_SLOT, &v))
+    if (!JS_InstanceOf(cx, obj, &js_DateClass, vp ? vp + 2 : NULL))
         return JS_FALSE;
-
-    *dp = *JSVAL_TO_DOUBLE(v);
+    *dp = *JSVAL_TO_DOUBLE(obj->fslots[JSSLOT_UTC_TIME]);
     return JS_TRUE;
 }
 
@@ -948,14 +946,12 @@ SetUTCTimePtr(JSContext *cx, JSObject *obj, jsval *vp, jsdouble *dp)
 {
     if (vp && !JS_InstanceOf(cx, obj, &js_DateClass, vp + 2))
         return JS_FALSE;
+    JS_ASSERT_IF(!vp, STOBJ_GET_CLASS(obj) == &js_DateClass);
 
     /* Invalidate local time cache. */
-    if (!JS_SetReservedSlot(cx, obj, LOCAL_TIME_SLOT,
-                            DOUBLE_TO_JSVAL(cx->runtime->jsNaN))) {
-        return JS_FALSE;
-    }
-
-    return JS_SetReservedSlot(cx, obj, UTC_TIME_SLOT, DOUBLE_TO_JSVAL(dp));
+    obj->fslots[JSSLOT_LOCAL_TIME] = DOUBLE_TO_JSVAL(cx->runtime->jsNaN);
+    obj->fslots[JSSLOT_UTC_TIME] = DOUBLE_TO_JSVAL(dp);
+    return JS_TRUE;
 }
 
 /*
@@ -981,8 +977,9 @@ GetAndCacheLocalTime(JSContext *cx, JSObject *obj, jsval *vp, jsdouble *dp)
     jsdouble result;
     jsdouble *cached;
 
-    if (!obj || !JS_GetReservedSlot(cx, obj, LOCAL_TIME_SLOT, &v))
+    if (!obj || !JS_InstanceOf(cx, obj, &js_DateClass, vp ? vp + 2 : NULL))
         return JS_FALSE;
+    v = obj->fslots[JSSLOT_LOCAL_TIME];
 
     result = *JSVAL_TO_DOUBLE(v);
 
@@ -998,10 +995,7 @@ GetAndCacheLocalTime(JSContext *cx, JSObject *obj, jsval *vp, jsdouble *dp)
         if (!cached)
             return JS_FALSE;
 
-        if (!JS_SetReservedSlot(cx, obj, LOCAL_TIME_SLOT,
-                                DOUBLE_TO_JSVAL(cached))) {
-            return JS_FALSE;
-        }
+        obj->fslots[JSSLOT_LOCAL_TIME] = DOUBLE_TO_JSVAL(cached);
     }
 
     *dp = result;
@@ -2028,10 +2022,8 @@ date_constructor(JSContext *cx, JSObject* obj)
     if (!date)
         return NULL;
 
-    JS_SetReservedSlot(cx, obj, UTC_TIME_SLOT,
-                       DOUBLE_TO_JSVAL(date));
-    JS_SetReservedSlot(cx, obj, LOCAL_TIME_SLOT,
-                       DOUBLE_TO_JSVAL(cx->runtime->jsNaN));
+    obj->fslots[JSSLOT_UTC_TIME] = DOUBLE_TO_JSVAL(date);
+    obj->fslots[JSSLOT_LOCAL_TIME] = DOUBLE_TO_JSVAL(cx->runtime->jsNaN);
     return date;
 }
 

data/vendor/spidermonkey/jsdbgapi.c

@@ -732,10 +732,13 @@ JS_SetWatchPoint(JSContext *cx, JSObject *obj, jsval idval,
         return JS_FALSE;
     }
 
-    if (JSVAL_IS_INT(idval))
+    if (JSVAL_IS_INT(idval)) {
         propid = INT_JSVAL_TO_JSID(idval);
-    else if (!js_ValueToStringId(cx, idval, &propid))
-        return JS_FALSE;
+    } else {
+        if (!js_ValueToStringId(cx, idval, &propid))
+            return JS_FALSE;
+        CHECK_FOR_STRING_INDEX(propid);
+    }
 
     if (!js_LookupProperty(cx, obj, propid, &pobj, &prop))
         return JS_FALSE;

data/vendor/spidermonkey/jsgc.c

@@ -3020,8 +3020,16 @@ js_GC(JSContext *cx, JSGCInvocationKind gckind)
         ok = callback(cx, JSGC_BEGIN);
         if (gckind & GC_LOCK_HELD)
             JS_LOCK_GC(rt);
-        if (!ok && gckind != GC_LAST_CONTEXT)
+        if (!ok && gckind != GC_LAST_CONTEXT) {
+            /*
+             * It's possible that we've looped back to this code from the 'goto
+             * restart_at_beginning' below in the GC_SET_SLOT_REQUEST code and
+             * that rt->gcLevel is now 0. Don't return without notifying!
+             */
+            if (rt->gcLevel == 0 && (gckind & GC_LOCK_HELD))
+                JS_NOTIFY_GC_DONE(rt);
             return;
+        }
     }
 
     /* Lock out other GC allocator and collector invocations. */
@@ -3471,7 +3479,7 @@ js_GC(JSContext *cx, JSGCInvocationKind gckind)
         goto restart;
     }
 
-    if (!(rt->shapeGen & SHAPE_OVERFLOW_BIT)) {
+    if (rt->shapeGen < SHAPE_OVERFLOW_BIT - 1) {
         js_EnablePropertyCache(cx);
 #ifdef JS_THREADSAFE
         iter = NULL;

data/vendor/spidermonkey/jsinterp.c

@@ -80,17 +80,22 @@
 #ifdef js_invoke_c__
 
 uint32
-js_GenerateShape(JSContext *cx, JSBool gcLocked)
+js_GenerateShape(JSContext *cx, JSBool gcLocked, JSScopeProperty *sprop)
 {
     JSRuntime *rt;
     uint32 shape;
+    JSTempValueRooter tvr;
 
     rt = cx->runtime;
     shape = JS_ATOMIC_INCREMENT(&rt->shapeGen);
     JS_ASSERT(shape != 0);
     if (shape & SHAPE_OVERFLOW_BIT) {
         rt->gcPoke = JS_TRUE;
+        if (sprop)
+            JS_PUSH_TEMP_ROOT_SPROP(cx, sprop, &tvr);
         js_GC(cx, gcLocked ? GC_LOCK_HELD : GC_NORMAL);
+        if (sprop)
+            JS_POP_TEMP_ROOT(cx, &tvr);
         shape = JS_ATOMIC_INCREMENT(&rt->shapeGen);
         JS_ASSERT(shape != 0);
         JS_ASSERT_IF(shape & SHAPE_OVERFLOW_BIT,
@@ -825,8 +830,10 @@ ComputeThis(JSContext *cx, JSBool lazy, jsval *argv)
         thisp = JSVAL_TO_OBJECT(argv[-1]);
     } else {
         thisp = JSVAL_TO_OBJECT(argv[-1]);
-        if (OBJ_GET_CLASS(cx, thisp) == &js_CallClass)
+        if (OBJ_GET_CLASS(cx, thisp) == &js_CallClass ||
+            OBJ_GET_CLASS(cx, thisp) == &js_BlockClass) {
             return js_ComputeGlobalThis(cx, lazy, argv);
+        }
 
         if (thisp->map->ops->thisObject) {
             /* Some objects (e.g., With) delegate 'this' to another object. */
@@ -1473,12 +1480,6 @@ js_Execute(JSContext *cx, JSObject *chain, JSScript *script,
         frame.callee = NULL;
         frame.fun = NULL;
         frame.thisp = chain;
-        OBJ_TO_OUTER_OBJECT(cx, frame.thisp);
-        if (!frame.thisp) {
-            ok = JS_FALSE;
-            goto out;
-        }
-        flags |= JSFRAME_COMPUTED_THIS;
         frame.argc = 0;
         frame.argv = NULL;
         frame.nvars = script->ngvars;
@@ -1528,6 +1529,15 @@ js_Execute(JSContext *cx, JSObject *chain, JSScript *script,
     }
 
     cx->fp = &frame;
+    if (!down) {
+        OBJ_TO_OUTER_OBJECT(cx, frame.thisp);
+        if (!frame.thisp) {
+            ok = JS_FALSE;
+            goto out2;
+        }
+        frame.flags |= JSFRAME_COMPUTED_THIS;
+    }
+
     if (hook) {
         hookData = hook(cx, &frame, JS_TRUE, 0,
                         cx->debugHooks->executeHookData);
@@ -1541,6 +1551,8 @@ js_Execute(JSContext *cx, JSObject *chain, JSScript *script,
         if (hook)
             hook(cx, &frame, JS_FALSE, &ok, hookData);
     }
+
+out2:
     if (mark)
         js_FreeRawStack(cx, mark);
     cx->fp = oldfp;
@@ -1677,63 +1689,84 @@ js_CheckRedeclaration(JSContext *cx, JSObject *obj, jsid id, uintN attrs,
     jsval value;
     const char *type, *name;
 
+    /*
+     * Both objp and propp must be either null or given. When given, *propp
+     * must be null. This way we avoid an extra "if (propp) *propp = NULL" for
+     * the common case of a non-existing property.
+     */
+    JS_ASSERT(!objp == !propp);
+    JS_ASSERT_IF(propp, !*propp);
+
+    /* The JSPROP_INITIALIZER case below may generate a warning. Since we must
+     * drop the property before reporting it, we insists on !propp to avoid
+     * looking up the property again after the reporting is done.
+     */
+    JS_ASSERT_IF(attrs & JSPROP_INITIALIZER, attrs == JSPROP_INITIALIZER);
+    JS_ASSERT_IF(attrs == JSPROP_INITIALIZER, !propp);
+
     if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop))
         return JS_FALSE;
-    if (propp) {
-        *objp = obj2;
-        *propp = prop;
-    }
     if (!prop)
         return JS_TRUE;
 
-    /*
-     * Use prop as a speedup hint to OBJ_GET_ATTRIBUTES, but drop it on error.
-     * An assertion at label bad: will insist that it is null.
-     */
+    /* Use prop as a speedup hint to OBJ_GET_ATTRIBUTES. */
     if (!OBJ_GET_ATTRIBUTES(cx, obj2, id, prop, &oldAttrs)) {
         OBJ_DROP_PROPERTY(cx, obj2, prop);
-#ifdef DEBUG
-        prop = NULL;
-#endif
-        goto bad;
+        return JS_FALSE;
     }
 
     /*
-     * From here, return true, or else goto bad on failure to null out params.
      * If our caller doesn't want prop, drop it (we don't need it any longer).
      */
     if (!propp) {
         OBJ_DROP_PROPERTY(cx, obj2, prop);
         prop = NULL;
+    } else {
+        *objp = obj2;
+        *propp = prop;
     }
 
     if (attrs == JSPROP_INITIALIZER) {
         /* Allow the new object to override properties. */
         if (obj2 != obj)
             return JS_TRUE;
+
+        /* The property must be dropped already. */
+        JS_ASSERT(!prop);
         report = JSREPORT_WARNING | JSREPORT_STRICT;
     } else {
         /* We allow redeclaring some non-readonly properties. */
         if (((oldAttrs | attrs) & JSPROP_READONLY) == 0) {
-            /*
-             * Allow redeclaration of variables and functions, but insist that
-             * the new value is not a getter if the old value was, ditto for
-             * setters -- unless prop is impermanent (in which case anyone
-             * could delete it and redefine it, willy-nilly).
-             */
+            /* Allow redeclaration of variables and functions. */
             if (!(attrs & (JSPROP_GETTER | JSPROP_SETTER)))
                 return JS_TRUE;
+
+            /*
+             * Allow adding a getter only if a property already has a setter
+             * but no getter and similarly for adding a setter. That is, we
+             * allow only the following transitions:
+             *
+             *   no-property --> getter --> getter + setter
+             *   no-property --> setter --> getter + setter
+             */
             if ((~(oldAttrs ^ attrs) & (JSPROP_GETTER | JSPROP_SETTER)) == 0)
                 return JS_TRUE;
+
+            /*
+             * Allow redeclaration of an impermanent property (in which case
+             * anyone could delete it and redefine it, willy-nilly).
+             */
             if (!(oldAttrs & JSPROP_PERMANENT))
                 return JS_TRUE;
         }
+        if (prop)
+            OBJ_DROP_PROPERTY(cx, obj2, prop);
 
         report = JSREPORT_ERROR;
         isFunction = (oldAttrs & (JSPROP_GETTER | JSPROP_SETTER)) != 0;
         if (!isFunction) {
             if (!OBJ_GET_PROPERTY(cx, obj, id, &value))
-                goto bad;
+                return JS_FALSE;
             isFunction = VALUE_IS_FUNCTION(cx, value);
         }
     }
@@ -1751,19 +1784,11 @@ js_CheckRedeclaration(JSContext *cx, JSObject *obj, jsid id, uintN attrs,
            : js_var_str;
     name = js_ValueToPrintableString(cx, ID_TO_VALUE(id));
     if (!name)
-        goto bad;
+        return JS_FALSE;
     return JS_ReportErrorFlagsAndNumber(cx, report,
                                         js_GetErrorMessage, NULL,
                                         JSMSG_REDECLARED_VAR,
                                         type, name);
-
-bad:
-    if (propp) {
-        *objp = NULL;
-        *propp = NULL;
-    }
-    JS_ASSERT(!prop);
-    return JS_FALSE;
 }
 
 JSBool
@@ -4743,16 +4768,6 @@ interrupt:
                     newifp->frame.regs = NULL;
                     newifp->frame.spbase = NULL;
 
-                    /* Call the debugger hook if present. */
-                    hook = cx->debugHooks->callHook;
-                    if (hook) {
-                        newifp->hookData = hook(cx, &newifp->frame, JS_TRUE, 0,
-                                                cx->debugHooks->callHookData);
-                        LOAD_INTERRUPT_HANDLER(cx);
-                    } else {
-                        newifp->hookData = NULL;
-                    }
-
                     /* Scope with a call object parented by callee's parent. */
                     if (JSFUN_HEAVYWEIGHT_TEST(fun->flags) &&
                         !js_GetCallObject(cx, &newifp->frame, parent)) {
@@ -4775,6 +4790,16 @@ interrupt:
                     newifp->frame.regs = &regs;
                     cx->fp = fp = &newifp->frame;
 
+                    /* Call the debugger hook if present. */
+                    hook = cx->debugHooks->callHook;
+                    if (hook) {
+                        newifp->hookData = hook(cx, &newifp->frame, JS_TRUE, 0,
+                                                cx->debugHooks->callHookData);
+                        LOAD_INTERRUPT_HANDLER(cx);
+                    } else {
+                        newifp->hookData = NULL;
+                    }
+
                     inlineCallCount++;
                     JS_RUNTIME_METER(rt, inlineCalls);
 
@@ -5093,7 +5118,7 @@ interrupt:
                 funobj = fp->callee;
                 slot += JSCLASS_RESERVED_SLOTS(&js_FunctionClass);
                 if (!JS_GetReservedSlot(cx, funobj, slot, &rval))
-                    return JS_FALSE;
+                    goto error;
                 if (JSVAL_IS_VOID(rval))
                     rval = JSVAL_NULL;
             } else {
@@ -5151,7 +5176,7 @@ interrupt:
                 /* Store the regexp object value in its cloneIndex slot. */
                 if (fp->fun) {
                     if (!JS_SetReservedSlot(cx, funobj, slot, rval))
-                        return JS_FALSE;
+                        goto error;
                 } else {
                     fp->vars[slot] = rval;
                 }
@@ -5524,6 +5549,7 @@ interrupt:
 
             /* Lookup id in order to check for redeclaration problems. */
             id = ATOM_TO_JSID(atom);
+            prop = NULL;
             if (!js_CheckRedeclaration(cx, obj, id, attrs, &obj2, &prop))
                 goto error;
 
@@ -5545,11 +5571,11 @@ interrupt:
              * by the JSOP_*GVAR opcodes.
              */
             if (index < script->ngvars &&
-                (attrs & JSPROP_PERMANENT) &&
                 obj2 == obj &&
                 OBJ_IS_NATIVE(obj)) {
                 sprop = (JSScopeProperty *) prop;
-                if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
+                if ((sprop->attrs & JSPROP_PERMANENT) &&
+                    SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
                     SPROP_HAS_STUB_GETTER(sprop) &&
                     SPROP_HAS_STUB_SETTER(sprop)) {
                     /*

data/vendor/spidermonkey/jsinterp.h

@@ -162,8 +162,12 @@ typedef struct JSInlineFrame {
 
 #define SHAPE_OVERFLOW_BIT      JS_BIT(32 - PCVCAP_TAGBITS)
 
+/*
+ * When sprop is not null and the shape generation triggers the GC due to a
+ * shape overflow, the functions roots sprop.
+ */
 extern uint32
-js_GenerateShape(JSContext *cx, JSBool gcLocked);
+js_GenerateShape(JSContext *cx, JSBool gcLocked, JSScopeProperty *sprop);
 
 struct JSPropCacheEntry {
     jsbytecode          *kpc;           /* pc if vcap tag is <= 1, else atom */

data/vendor/spidermonkey/jsmath.c

@@ -556,8 +556,7 @@ js_InitMathClass(JSContext *cx, JSObject *obj)
 {
     JSObject *Math;
 
-    Math = JS_DefineObject(cx, obj, js_Math_str, &js_MathClass, NULL,
-                           JSPROP_READONLY | JSPROP_PERMANENT);
+    Math = JS_DefineObject(cx, obj, js_Math_str, &js_MathClass, NULL, 0);
     if (!Math)
         return NULL;
     if (!JS_DefineFunctions(cx, Math, math_static_methods))

data/vendor/spidermonkey/jsnum.c

@@ -309,7 +309,7 @@ num_toLocaleString(JSContext *cx, uintN argc, jsval *vp)
     JSString *numStr, *str;
     const char *num, *end, *tmpSrc;
     char *buf, *tmpDest;
-    const char *dec;
+    const char *nint;
     int digits, size, remainder, nrepeat;
 
     /*
@@ -324,17 +324,28 @@ num_toLocaleString(JSContext *cx, uintN argc, jsval *vp)
     if (!num)
         return JS_FALSE;
 
-    /* Find bit before the decimal. */
-    dec = strchr(num, '.');
-    digits = dec ? dec - num : (int)strlen(num);
+    /*
+     * Find the first non-integer value, whether it be a letter as in
+     * 'Infinite', a decimal point, or an 'e' from exponential notation.
+     */
+    nint = num;
+    if (*nint == '-')
+        nint++;
+    while (*nint >= '0' && *nint <= '9')
+        nint++;
+    digits = nint - num;
     end = num + digits;
+    if (!digits)
+        return JS_TRUE;
 
     rt = cx->runtime;
     thousandsLength = strlen(rt->thousandsSeparator);
     decimalLength = strlen(rt->decimalSeparator);
 
     /* Figure out how long resulting string will be. */
-    size = digits + (dec ? decimalLength + strlen(dec + 1) : 0);
+    size = digits + (*nint ? strlen(nint + 1) + 1 : 0);
+    if (*nint == '.')
+        size += decimalLength;
 
     numGrouping = tmpGroup = rt->numGrouping;
     remainder = digits;
@@ -376,12 +387,12 @@ num_toLocaleString(JSContext *cx, uintN argc, jsval *vp)
             tmpGroup--;
     }
 
-    if (dec) {
+    if (*nint == '.') {
         strcpy(tmpDest, rt->decimalSeparator);
         tmpDest += decimalLength;
-        strcpy(tmpDest, dec + 1);
+        strcpy(tmpDest, nint + 1);
     } else {
-        *tmpDest++ = '\0';
+        strcpy(tmpDest, nint);
     }
 
     if (cx->localeCallbacks && cx->localeCallbacks->localeToUnicode)