This is a further precaution against reading a pointer from the wrong
type of object. All of the JS_GetPrivate calls were already protected
with JS_InstanceOf checks if assertions are enabled, and many of them
also if assertions are not enabled.

This change does not fix any bug, but the SMJS builtin classes use
negative tinyids already, so I presume this is the preferred practice.
At least it means the tinyids won't have to be renumbered later if
some of these objects are changed to behave as arrays.

If ECMAScript code does obj[42], then the getProperty or setProperty
function of the JSClass of obj gets 42 as the property ID and must not
treat that as an internal error.

The getProperty and setProperty functions of a JSClass must not assume
that the obj parameter points to an instance of that class. It might
instead point to another object that merely has an instance of the
class in its prototype chain. Thus, do not assert that JS_InstanceOf
returns true there. Instead, run the check even with CONFIG_FASTMEM,
and just return JS_FALSE if it fails.

The two copies of delayed_open in src/ecmascript/spidermonkey/window.c
and in src/ecmascript/see/window.c are identical, so move them
to src/terminal/tab.c and eliminate the duplication.

Until the last change in src/ecmascript/see/window.c, the two copies
of delayed_goto_uri_frame in src/ecmascript/spidermonkey/window.c and
in src/ecmascript/see/window.c were identical. That change applies to
both versions, so move the newer one to src/session/task.c and eliminate
the duplication. Also move struct delayed_open to src/session/session.h.
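
The getProperty guard, negative tinyids and obj[42] handling described in the messages above, shown as an added example that is not code from these commits. The struct types, `instance_of`, `window_get_property` and the `PROP_*` ids are hypothetical stand-ins for the SpiderMonkey API, and returning success with the value untouched for an unknown id is an assumption about what "not an internal error" means in practice.

```c
#include <stddef.h>

/* Simplified stand-ins for SpiderMonkey types; every name here is hypothetical. */
struct js_class { const char *name; };
struct js_object {
    const struct js_class *clasp; /* class of this object itself */
    void *priv;                   /* private pointer; its type depends on clasp */
    struct js_object *proto;      /* prototype chain */
};
struct window_state { int closed; int status; };

static const struct js_class window_class = { "window" };
static const struct js_class other_class = { "other" };

/* Negative ids, so obj[0], obj[1], ... can never collide with them. */
enum { PROP_CLOSED = -1, PROP_STATUS = -2 };

/* Models JS_InstanceOf: true only if obj itself has class clasp. */
static int instance_of(const struct js_object *obj, const struct js_class *clasp)
{
    return obj != NULL && obj->clasp == clasp;
}

/* Returns 1 (JS_TRUE) or 0 (JS_FALSE); *vp is written only for known ids. */
static int window_get_property(struct js_object *obj, int id, int *vp)
{
    const struct window_state *ws;

    /* Always-on check, not an assertion: obj may only inherit from a window. */
    if (!instance_of(obj, &window_class))
        return 0;
    ws = obj->priv; /* now known to be a struct window_state */

    switch (id) {
    case PROP_CLOSED: *vp = ws->closed; return 1;
    case PROP_STATUS: *vp = ws->status; return 1;
    default: return 1; /* e.g. obj[42]: script input, not an internal error */
    }
}

int main(void)
{
    struct window_state ws = { 0, 7 };   /* constructed sample data */
    char unrelated[4] = "abc";           /* private data of a different type */
    struct js_object win = { &window_class, &ws, NULL };
    struct js_object heir = { &other_class, unrelated, &win };
    int v = -1;
    return !(window_get_property(&heir, PROP_STATUS, &v) == 0 &&
             window_get_property(&win, PROP_STATUS, &v) == 1 && v == 7);
}
```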