The code to split non-BMP characters into surrogate pairs assumes that
we are actually splitting a character, and will fail when we ask it to
create a zero-length string in the middle of a surrogate pair split.
Special case zero-length substrings to work around this.
The quicksort implementation behaves badly when presented with
non-deterministic comparison functions.
The heapsort is more robust and has fewer edge cases to worry about
in the face of an adversarial comparison function.
Don't use libc qsort (which uses malloc on gnu libc) which can leak
memory if the callback throws an exception.
Implement a simple quicksort (with insertion sort for small fragments).
Also included is a bottom-up heapsort implementation, which may be used
instead if built with -DJS_HEAPSORT=1 preprocessor define.
Split extended characters into surrogate pairs for charCodeAt, string
indexing, and the string slice/subset functions.
Escape surrogate code points in JSON stringify.
Use a huge buffer for compilation, copy into exact size for program.
Merge overlapping and adjoining character class ranges.
This reduces the number of classes needed for badly constructed
character classes like [ABCDEFGHIJKLMNOPQRSTUVWXYZ].
Object.keys was not producing keys for the array part of a flat array.
It was also producing an array of numbers rather than strings for
string objects.
Use a union of a union and the padding + type tag, to let the shrstr
object size be the full 16 bytes to avoid compiler complaints about
stepping out of bounds of the array when it optimizes heavily.
getOwnPropertyDescriptor should create the descriptor object by
using [[DefineOwnProperty]], and not by looking through the prototype
chain where it may invoke getters and setters on the Object.prototype.
If there exists an Object.prototype.get property with a setter, that method is
invoked when it shouldn't. A malicious getter here can delete the property
currently being processed in getOwnPropertyDescriptor, and we'll end up
with a use-after-free bug.
Avoid this problem by following the spec and use js_defproperty rather than
js_setproperty to define own properties in getOwnPropertyDescriptor and
related functions.
An array without holes and with only integer properties can be represented
with a "flat" array part that allows for O(1) property access.
If we ever add a non-integer property, create holes in the array,
the whole array is unpacked into a normal string-keyed object.
Also add fast integer indexing to be used on these arrays, before falling
back to converting the integer to a string property lookup.
Use JS_ARRAYLIMIT to restrict size of arrays to avoid integer overflows and out
of memory thrashing.
