From 320e8fda0abe428600cce91e9a6ace0595329187 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Sun, 2 Jul 2017 18:44:51 -0700
Subject: [PATCH] #410, #413: M1370210 M1346217 partial

---
 js/src/jsarray.h | 8 ++++++--
 js/src/jsatominlines.h | 38 +++++++++++++++++++++++++-------------
 js/src/vm/NativeObject.cpp | 28 ++++++++++++++--------------
 js/src/vm/Shape.cpp | 22 ++--------------------
 4 files changed, 47 insertions(+), 49 deletions(-)

diff --git a/js/src/jsarray.h b/js/src/jsarray.h
index 160be920b..bcd62d175 100644
--- a/js/src/jsarray.h
+++ b/js/src/jsarray.h
@@ -18,7 +18,7 @@ namespace js {
 /* 2^32-2, inclusive */
 const uint32_t MAX_ARRAY_INDEX = 4294967294u;
-inline bool
+MOZ_ALWAYS_INLINE bool
 IdIsIndex(jsid id, uint32_t* indexp)
 {
 if (JSID_IS_INT(id)) {
@@ -31,7 +31,11 @@ IdIsIndex(jsid id, uint32_t* indexp)
 if (MOZ_UNLIKELY(!JSID_IS_STRING(id)))
 return false;
- return js::StringIsArrayIndex(JSID_TO_ATOM(id), indexp);
+ JSAtom* atom = JSID_TO_ATOM(id);
+ if (atom->length() == 0 || !JS7_ISDEC(atom->latin1OrTwoByteChar(0))) return false;
+
+ return js::StringIsArrayIndex(atom, indexp);
 }
 extern JSObject*
diff --git a/js/src/jsatominlines.h b/js/src/jsatominlines.h
index 216a91071..5997c29c0 100644
--- a/js/src/jsatominlines.h
+++ b/js/src/jsatominlines.h
@@ -50,6 +50,14 @@ AtomToId(JSAtom* atom)
 inline bool
 ValueToIdPure(const Value& v, jsid* id)
 {
+ if (v.isString()) {
+ if (v.toString()->isAtom()) {
+ *id = AtomToId(&v.toString()->asAtom());
+ return true;
+ }
+ return false;
+ }
+
 int32_t i;
 if (ValueFitsInInt32(v, &i) && INT_FITS_IN_JSID(i)) {
 *id = INT_TO_JSID(i);
@@ -61,11 +69,7 @@ ValueToIdPure(const Value& v, jsid* id)
 return true;
 }
- if (!v.isString() || !v.toString()->isAtom())
- return false;
-
- *id = AtomToId(&v.toString()->asAtom());
- return true;
+ return false;
 }
 template
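Review bot: The pre-filter added to IdIsIndex in the @@ -31 hunk presumably duplicates a test that js::StringIsArrayIndex performs anyway, and nothing in the hunk records that it is a fast-reject rather than a change in what counts as an index, so a later reader may treat the two checks as independent. A short comment would carry the intent: `// Fast reject: an array index is a canonical decimal string, so an empty atom or a non-digit first character can never be one; StringIsArrayIndex does the full check.` The same idea, a cheap test ahead of the general one, is what the ValueToIdPure hunks in jsatominlines.h do for string values. IdIsIndex's `if (JSID_IS_INT(id))` branch lies between the two jsarray.h hunks and is outside this one.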
@@ -73,15 +77,23 @@ inline bool
 ValueToId(ExclusiveContext* cx, typename MaybeRooted::HandleType v, typename MaybeRooted::MutableHandleType idp)
 {
- int32_t i;
- if (ValueFitsInInt32(v, &i) && INT_FITS_IN_JSID(i)) {
- idp.set(INT_TO_JSID(i));
- return true;
- }
+ if (v.isString()) {
+ if (v.toString()->isAtom()) {
+ idp.set(AtomToId(&v.toString()->asAtom()));
+ return true;
+ }
+ // fall through
+ } else {
+ int32_t i;
+ if (ValueFitsInInt32(v, &i) && INT_FITS_IN_JSID(i)) {
+ idp.set(INT_TO_JSID(i));
+ return true;
+ }
- if (js::IsSymbolOrSymbolWrapper(v)) {
- idp.set(SYMBOL_TO_JSID(js::ToSymbolPrimitive(v)));
- return true;
+ if (js::IsSymbolOrSymbolWrapper(v)) {
+ idp.set(SYMBOL_TO_JSID(js::ToSymbolPrimitive(v)));
+ return true;
+ }
 }
 JSAtom* atom = ToAtom(cx, v);
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index f0488a546..7a30c1803 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -996,11 +996,12 @@ js::NativeLookupOwnProperty(ExclusiveContext* cx, NativeObject* obj, jsid
 /*** [[DefineOwnProperty]] ***********************************************************************/
-static inline bool
+static MOZ_ALWAYS_INLINE bool
 CallAddPropertyHook(ExclusiveContext* cx, HandleNativeObject obj, HandleShape shape, HandleValue value)
 {
- if (JSAddPropertyOp addProperty = obj->getClass()->addProperty) {
+ JSAddPropertyOp addProperty = obj->getClass()->addProperty;
+ if (MOZ_UNLIKELY(addProperty)) {
 if (!cx->shouldBeJSContext())
 return false;
@@ -1013,7 +1014,7 @@ CallAddPropertyHook(ExclusiveContext* cx, HandleNativeObject obj, HandleShape sh
 return true;
 }
-static inline bool
+static MOZ_ALWAYS_INLINE bool
 CallAddPropertyHookDense(ExclusiveContext* cx, HandleNativeObject obj, uint32_t index, HandleValue value)
 {
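Review bot: The `// fall through` comment inside the new `if (v.isString())` branch of ValueToId is misleading: nothing falls through within the if, a non-atom string simply leaves the if/else and reaches `JSAtom* atom = ToAtom(cx, v);` below. `// Non-atom string: atomize below.` says what actually happens. The restructuring looks behaviour-preserving, since a string value presumably satisfies neither ValueFitsInInt32 nor IsSymbolOrSymbolWrapper, so skipping those tests for strings changes no outcome; the remainder of ValueToId continues past the hunk. The two ValueToIdPure hunks in the same file apply the same ordering and would benefit from a one-line comment stating that strings are tested first on purpose.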
@@ -1026,7 +1027,8 @@ CallAddPropertyHookDense(ExclusiveContext* cx, HandleNativeObject obj, uint32_t
 return true;
 }
- if (JSAddPropertyOp addProperty = obj->getClass()->addProperty) {
+ JSAddPropertyOp addProperty = obj->getClass()->addProperty;
+ if (MOZ_UNLIKELY(addProperty)) {
 if (!cx->shouldBeJSContext())
 return false;
@@ -1042,10 +1044,12 @@ CallAddPropertyHookDense(ExclusiveContext* cx, HandleNativeObject obj, uint32_t
 return true;
 }
-static bool
-UpdateShapeTypeAndValue(ExclusiveContext* cx, NativeObject* obj, Shape* shape, const Value& value)
+static MOZ_ALWAYS_INLINE void
+UpdateShapeTypeAndValue(ExclusiveContext* cx, NativeObject* obj, Shape* shape,
+ jsid id, const Value& value)
 {
- jsid id = shape->propid();
+ MOZ_ASSERT(id == shape->propid());
+
 if (shape->hasSlot()) {
 obj->setSlotWithType(cx, shape, value, /* overwriting = */ false);
@@ -1061,7 +1065,6 @@ UpdateShapeTypeAndValue(ExclusiveContext* cx, NativeObject* obj, Shape* shape, c
 MarkTypePropertyNonData(cx, obj, id);
 if (!shape->writable())
 MarkTypePropertyNonWritable(cx, obj, id);
- return true;
 }
 static bool
@@ -1166,8 +1169,7 @@ AddOrChangeProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId id,
 if (!shape)
 return false;
- if (!UpdateShapeTypeAndValue(cx, obj, shape, desc.value()))
- return false;
+ UpdateShapeTypeAndValue(cx, obj, shape, id, desc.value());
 // Clear any existing dense index after adding a sparse indexed property,
 // and investigate converting the object to dense indexes.
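Review bot: The new `jsid id` parameter of UpdateShapeTypeAndValue in the @@ -1042 hunk is checked against `shape->propid()` only by a MOZ_ASSERT, so in a release build a caller passing an id that belongs to a different shape would mark type information for the wrong property with no diagnostic at all. The two callers updated in this patch (AddOrChangeProperty in the @@ -1166 hunk and NativeDefineProperty in the @@ -1396 hunk) pass the `id` their shape was looked up or added under, which looks right, but the precondition is not written down anywhere. I would state it at the definition: `// |id| must equal shape->propid(); callers pass it explicitly so this hot path does not re-read it from the shape.` Turning the bool return into void is consistent with what the hunks show, which is only an unconditional `return true;` being removed, but the middle of the function lies outside them and should be confirmed to have no failing path.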
@@ -1396,10 +1398,8 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 // type for this property that doesn't match the value in the slot.
 // Update the type here, even though this DefineProperty call is
 // otherwise a no-op. (See bug 1125624 comment 13.)
- if (!IsImplicitDenseOrTypedArrayElement(shape) && desc.hasValue()) {
- if (!UpdateShapeTypeAndValue(cx, obj, shape, desc.value()))
- return false;
- }
+ if (!IsImplicitDenseOrTypedArrayElement(shape) && desc.hasValue())
+ UpdateShapeTypeAndValue(cx, obj, shape, id, desc.value());
 return result.succeed();
 }
diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
index 9c495a549..195156e64 100644
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -483,15 +483,7 @@ NativeObject::addProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 MOZ_ASSERT(!JSID_IS_VOID(id));
 MOZ_ASSERT(getter != JS_PropertyStub);
 MOZ_ASSERT(setter != JS_StrictPropertyStub);
-
- bool extensible;
- if (!IsExtensible(cx, obj, &extensible))
- return nullptr;
- if (!extensible) {
- if (cx->isJSContext())
- obj->reportNotExtensible(cx->asJSContext());
- return nullptr;
- }
+ MOZ_ASSERT(obj->nonProxyIsExtensible());
 ShapeTable::Entry* entry = nullptr;
 if (obj->inDictionaryMode())
@@ -719,17 +711,7 @@ NativeObject::putProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 * You can't add properties to a non-extensible object, but you can change
 * attributes of properties in such objects.
 */
- bool extensible;
-
- if (!IsExtensible(cx, obj, &extensible))
- return nullptr;
-
- if (!extensible) {
- if (cx->isJSContext())
- obj->reportNotExtensible(cx->asJSContext());
- return nullptr;
- }
-
+ MOZ_ASSERT(obj->nonProxyIsExtensible());
 return addPropertyInternal(cx, obj, id, getter, setter, slot, attrs, flags, entry, true);
 }
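Review bot: Both Shape.cpp hunks (NativeObject::addProperty at @@ -483 and putProperty at @@ -719) replace a runtime extensibility check that returned nullptr and reported the error with `MOZ_ASSERT(obj->nonProxyIsExtensible())`, which compiles to nothing in a release build. From this point on, the guarantee that properties cannot be added to an object made non-extensible by preventExtensions, seal or freeze rests entirely on every caller having checked first, and none of the NativeObject.cpp hunks in this patch add such a caller-side check while the subject line marks the backport as partial. Please confirm that every path into addProperty and putProperty (AddOrChangeProperty and the other NativeDefineProperty paths, which lie outside these hunks) already rejects non-extensible objects and reports the error before this lands, and record it next to the assert: `// Callers must have checked extensibility and reported the failure; see NativeDefineProperty.` Otherwise release builds silently stop enforcing a language-level integrity invariant that debug builds still catch.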