From d30c3db22a669c4a50c5cd4f05e979ada19be51e Mon Sep 17 00:00:00 2001 From: "brendan%mozilla.org" Date: Sun, 9 Oct 2005 06:09:21 +0000 Subject: [PATCH] Fix 310425 (r=mrbkap) and check in Igor's fix for 311497 (r=me). git-svn-id: svn://10.0.0.236/trunk@181834 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/js/src/jsarray.c | 50 ++++++++++++++++++--------------------- mozilla/js/src/jsarray.h | 5 ++-- mozilla/js/src/jsopcode.c | 4 ++-- 3 files changed, 28 insertions(+), 31 deletions(-) diff --git a/mozilla/js/src/jsarray.c b/mozilla/js/src/jsarray.c index 769487dbcd9..24e4451ef3d 100644 --- a/mozilla/js/src/jsarray.c +++ b/mozilla/js/src/jsarray.c @@ -762,16 +762,13 @@ HeapSortHelper(JSBool building, HSortArgs *hsa, size_t lo, size_t hi) #undef MEMCPY } -JSBool -js_HeapSort(void *vec, size_t nel, size_t elsize, JSComparator cmp, void *arg) +void +js_HeapSort(void *vec, size_t nel, void *pivot, size_t elsize, + JSComparator cmp, void *arg) { - void *pivot; HSortArgs hsa; size_t i; - pivot = malloc(elsize); - if (!pivot) - return JS_FALSE; hsa.vec = vec; hsa.elsize = elsize; hsa.pivot = pivot; @@ -783,9 +780,6 @@ js_HeapSort(void *vec, size_t nel, size_t elsize, JSComparator cmp, void *arg) HeapSortHelper(JS_TRUE, &hsa, i, nel); while (nel > 2) HeapSortHelper(JS_FALSE, &hsa, 1, --nel); - - free(pivot); - return JS_TRUE; } typedef struct CompareArgs { @@ -919,12 +913,17 @@ array_sort(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) return JS_TRUE; } + /* + * Memory for temporary array incliding one extra jsval as working space + * for js_HeapSort. + */ + nbytes = (len + 1) * sizeof(jsval); + /* * Test for size_t overflow, which could lead to indexing beyond the end * of the malloc'd vector. */ - nbytes = len * sizeof(jsval); - if (nbytes != (double) len * sizeof(jsval)) { + if (nbytes != (double) (len + 1) * sizeof(jsval)) { JS_ReportOutOfMemory(cx); return JS_FALSE; } 
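Review bot: js_HeapSort now relies on the caller for its scratch element, but neither the definition in the `@@ -762` hunk nor the prototype changed in jsarray.h says how large `pivot` must be or that it must not alias an element of `vec`. The function also returns void now, so a NULL or undersized buffer would presumably surface only as a stray write in HeapSortHelper's copy, whose body is outside the hunk. I would add `JS_ASSERT(pivot);` before `hsa.vec = vec;` and document the prototype with `/* pivot: caller-owned scratch of at least elsize bytes, outside vec[0..nel) */`.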
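Review bot: The overflow test in the `@@ -919` hunk of array_sort cannot detect wraparound in `len + 1`, because both `nbytes` and `(double) (len + 1) * sizeof(jsval)` compute the sum in len's own integer type before anything is widened. If len is a 32-bit jsuint (its declaration is outside the hunk), a length of 0xFFFFFFFF makes both sides zero, so the check passes and the fill loop would index past a zero-byte vector. `fp->nvars = len + 1` in the next hunk wraps the same way. Doing the addition in floating point keeps the test meaningful: `if (nbytes != ((double) len + 1) * sizeof(jsval)) {`. The added comment also misspells "including" as "incliding".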
@@ -935,10 +934,10 @@ array_sort(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) newlen = 0; /* Root vec, clearing it first in case a GC nests while we're filling it. */ - memset(vec, 0, len * sizeof(jsval)); + memset(vec, 0, nbytes); fp = cx->fp; fp->vars = vec; - fp->nvars = len; + fp->nvars = len + 1; for (i = 0; i < len; i++) { ca.status = IndexToExistingId(cx, obj, i, &id); @@ -964,12 +963,9 @@ array_sort(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) ca.fval = fval; ca.localroot = argv + argc; /* 1 local GC root */ ca.status = JS_TRUE; - if (!js_HeapSort(vec, (size_t) len, sizeof(jsval), - all_strings ? sort_compare_strings : sort_compare, - &ca)) { - JS_ReportOutOfMemory(cx); - ca.status = JS_FALSE; - } + js_HeapSort(vec, (size_t) len, vec + len, sizeof(jsval), + all_strings ? sort_compare_strings : sort_compare, + &ca); if (ca.status) { ca.status = InitArrayElements(cx, obj, newlen, vec); @@ -1469,22 +1465,22 @@ array_indexOfHelper(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, direction = 1; } - for (; ; i += direction) { + for (;;) { jsid id; jsval v; if (!IndexToExistingId(cx, obj, (jsuint)i, &id)) return JS_FALSE; - if (id == JSID_HOLE) - continue; - - if (!OBJ_GET_PROPERTY(cx, obj, id, &v)) - return JS_FALSE; - if (js_StrictlyEqual(v, argv[0])) - return js_NewNumberValue(cx, i, rval); + if (id != JSID_HOLE) { + if (!OBJ_GET_PROPERTY(cx, obj, id, &v)) + return JS_FALSE; + if (js_StrictlyEqual(v, argv[0])) + return js_NewNumberValue(cx, i, rval); + } if (i == stop) goto not_found; + i += direction; } not_found: diff --git a/mozilla/js/src/jsarray.h b/mozilla/js/src/jsarray.h index 207d7a03bd4..0f43bee079a 100644 --- a/mozilla/js/src/jsarray.h +++ b/mozilla/js/src/jsarray.h 
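Review bot: The restructured loop in array_indexOfHelper (`@@ -1469`) has no comment explaining why the `i == stop` test must now be reached for holes too, which is the reason the `continue` was dropped. Without that, a later cleanup could reintroduce the early `continue` and let the index step past `stop` again. I would add `/* Always fall through to the stop test, even for a hole, so the scan cannot run past the last index. */` above `if (id != JSID_HOLE) {`. The function starts and ends outside the hunk.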
@@ -72,8 +72,9 @@ js_HasLengthProperty(JSContext *cx, JSObject *obj, jsuint *lengthp); */ typedef int (*JSComparator)(const void *a, const void *b, void *arg); -extern JSBool -js_HeapSort(void *vec, size_t nel, size_t elsize, JSComparator cmp, void *arg); +extern void +js_HeapSort(void *vec, size_t nel, void *pivot, size_t elsize, + JSComparator cmp, void *arg); JS_END_EXTERN_C diff --git a/mozilla/js/src/jsopcode.c b/mozilla/js/src/jsopcode.c index 687c89cb240..91a0b93b813 100644 --- a/mozilla/js/src/jsopcode.c +++ b/mozilla/js/src/jsopcode.c @@ -2104,7 +2104,7 @@ Decompile(SprintStack *ss, jsbytecode *pc, intN nb) jsbytecode *pc2; ptrdiff_t jmplen, off, off2; jsint j, n, low, high; - TableEntry *table; + TableEntry *table, pivot; sn = js_GetSrcNote(jp->script, pc); JS_ASSERT(sn && SN_TYPE(sn) == SRC_SWITCH); @@ -2147,7 +2147,7 @@ Decompile(SprintStack *ss, jsbytecode *pc, intN nb) } pc2 += jmplen; } - js_HeapSort(table, (size_t) j, sizeof(TableEntry), + js_HeapSort(table, (size_t) j, &pivot, sizeof(TableEntry), CompareOffsets, NULL); }
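Review bot: `TableEntry *table, pivot;` in Decompile (`@@ -2104`) declares a pointer and a whole struct in one declarator list, which is easy to misread as two pointers. Because `&pivot` is handed to js_HeapSort as scratch space in the following hunk, I would split it into `TableEntry *table;` and `TableEntry pivot;  /* scratch element for js_HeapSort */`. Decompile's body lies outside the hunk.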