Object.keys was not producing keys for the array part of a flat array.
It was also producing an array of numbers rather than strings for
string objects.
Use a union of a union and the padding + type tag, to let the shrstr
object size be the full 16 bytes to avoid compiler complaints about
stepping out of bounds of the array when it optimizes heavily.
getOwnPropertyDescriptor should create the descriptor object by
using [[DefineOwnProperty]], and not by looking through the prototype
chain where it may invoke getters and setters on the Object.prototype.
If there exists an Object.prototype.get property with a setter, that method is
invoked when it shouldn't. A malicious getter here can delete the property
currently being processed in getOwnPropertyDescriptor, and we'll end up
with a use-after-free bug.
Avoid this problem by following the spec and use js_defproperty rather than
js_setproperty to define own properties in getOwnPropertyDescriptor and
related functions.
An array without holes and with only integer properties can be represented
with a "flat" array part that allows for O(1) property access.
If we ever add a non-integer property, create holes in the array,
the whole array is unpacked into a normal string-keyed object.
Also add fast integer indexing to be used on these arrays, before falling
back to converting the integer to a string property lookup.
Use JS_ARRAYLIMIT to restrict size of arrays to avoid integer overflows and out
of memory thrashing.
Previously, each iteration (except the 1st) did this amount of calls:
2x strlen(result-so-far) + 2x strlen(element) + strlen(sep)
Where except one strlen(element) they're implicit inside strcat, and
of sizes which we already know.
Now each iteration does one strlen(element), and no strcat.
The big speedup is avoiding strlen of the result so far (twice) on
each iteration - O(N^2), but the other extra 2x strlen can add up too.
Join of an array of 2000 strings of 80 chars each:
Windows: before: 80ms, after: 2ms
Linux: before: 20ms, after: 2ms
Measured using Date.now()
A macro JS_CHECKVERSION(major, minor, patch) can be used to test the
version if your code depends on API features added in a given version.
#if JS_CHECKVERSION(1, 2, 0)
... use new API ...
#else
... don't use new API ...
#endif
Calling js_call with n < 0 led to us popping a negative number of items
from the stack, which could make us miss the stack size check.
Sanitize all uses of function.length in Function.prototype.apply and
Function.prototype.bind.
The object in the 'this' slot may be overwritten if the constructor converts
it to a primitive value. Save the original object in an explicit stack slot
to keep it safe for returning afterwards.
For simplicity of implementation, use the minimal standard generator
described in "Random Number Generators: Good ones are hard to find"
by Park & Miller (ACM 1988, Volume 31, Number 10).
