Revert of Revert of Protect the emptiness of Array prototype elements with a PropertyCell.

src/objects.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <iomanip>
 #include <sstream>
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
@@ skipping 4884 matching lines @@
       (array->map() == isolate->heap()->sloppy_arguments_elements_map());
   if (is_arguments) {
     array = handle(FixedArrayBase::cast(
         Handle<FixedArray>::cast(array)->get(1)));
   }
   if (array->IsDictionary()) return Handle<SeededNumberDictionary>::cast(array);
 
   DCHECK(object->HasFastSmiOrObjectElements() ||
          object->HasFastDoubleElements() ||
          object->HasFastArgumentsElements());
+
+  // Ensure that notifications fire if the array or object prototypes are
+  // normalizing.
+  isolate->UpdateArrayProtectorOnNormalizeElements(object);
+
   // Compute the effective length and allocate a new backing store.
   int length = object->IsJSArray()
       ? Smi::cast(Handle<JSArray>::cast(object)->length())->value()
       : array->length();
   int old_capacity = 0;
   int used_elements = 0;
   object->GetElementsCapacityAndUsage(&old_capacity, &used_elements);
   Handle<SeededNumberDictionary> dictionary =
       SeededNumberDictionary::New(isolate, used_elements);
 
@@ skipping 834 matching lines @@
       object->HasFixedTypedArrayElements()) {
     THROW_NEW_ERROR(isolate,
                     NewTypeError("cant_prevent_ext_external_array_elements",
                                  HandleVector(&object, 1)),
                     Object);
   }
 
   Handle<SeededNumberDictionary> new_element_dictionary;
   if (!object->elements()->IsDictionary()) {
     new_element_dictionary = GetNormalizedElementDictionary(object);
+    isolate->UpdateArrayProtectorOnNormalizeElements(object);
   }
 
   Handle<Symbol> transition_marker;
   if (attrs == NONE) {
     transition_marker = isolate->factory()->nonextensible_symbol();
   } else if (attrs == SEALED) {
     transition_marker = isolate->factory()->sealed_symbol();
   } else {
     DCHECK(attrs == FROZEN);
     transition_marker = isolate->factory()->frozen_symbol();
@@ skipping 6639 matching lines @@
 
 
 const char* DependentCode::DependencyGroupName(DependencyGroup group) {
   switch (group) {
     case kWeakCodeGroup:
       return "weak-code";
     case kTransitionGroup:
       return "transition";
     case kPrototypeCheckGroup:
       return "prototype-check";
-    case kElementsCantBeAddedGroup:
-      return "elements-cant-be-added";
     case kPropertyCellChangedGroup:
       return "property-cell-changed";
     case kFieldTypeGroup:
       return "field-type";
     case kInitialMapChangedGroup:
       return "initial-map-changed";
     case kAllocationSiteTenuringChangedGroup:
       return "allocation-site-tenuring-changed";
     case kAllocationSiteTransitionChangedGroup:
       return "allocation-site-transition-changed";
@@ skipping 78 matching lines @@
       }
     }
   }
 
   // Set the new prototype of the object.
   Handle<Map> map(real_receiver->map());
 
   // Nothing to do if prototype is already set.
   if (map->prototype() == *value) return value;
 
+  isolate->UpdateArrayProtectorOnSetPrototype(real_receiver);
+
   PrototypeOptimizationMode mode =
       from_javascript ? REGULAR_PROTOTYPE : FAST_PROTOTYPE;
   Handle<Map> new_map = Map::TransitionToPrototype(map, value, mode);
   DCHECK(new_map->prototype() == *value);
   JSObject::MigrateToMap(real_receiver, new_map);
 
   if (from_javascript && !dictionary_elements_in_chain &&
       new_map->DictionaryElementsInPrototypeChainOnly()) {
     // If the prototype chain didn't previously have element callbacks, then
     // KeyedStoreICs need to be cleared to ensure any that involve this
@@ skipping 200 matching lines @@
                                              LanguageMode language_mode,
                                              bool check_prototype) {
   DCHECK(object->HasFastSmiOrObjectElements() ||
          object->HasFastArgumentsElements());
 
   Isolate* isolate = object->GetIsolate();
 
   // Array optimizations rely on the prototype lookups of Array objects always
   // returning undefined. If there is a store to the initial prototype object,
   // make sure all of these optimizations are invalidated.
-  if (isolate->is_initial_object_prototype(*object) ||
-      isolate->is_initial_array_prototype(*object)) {
-    object->map()->dependent_code()->DeoptimizeDependentCodeGroup(isolate,
-        DependentCode::kElementsCantBeAddedGroup);
-  }
+  isolate->UpdateArrayProtectorOnSetElement(object);
 
   Handle<FixedArray> backing_store(FixedArray::cast(object->elements()));
   if (backing_store->map() ==
       isolate->heap()->sloppy_arguments_elements_map()) {
     backing_store = handle(FixedArray::cast(backing_store->get(1)));
   } else {
     backing_store = EnsureWritableFastElements(object);
   }
   uint32_t capacity = static_cast<uint32_t>(backing_store->length());
 
@@ skipping 4337 matching lines @@
   // Deopt when transitioning from a constant type.
   if (!invalidate && old_type == PropertyCellType::kConstant &&
       new_type != PropertyCellType::kConstant) {
     auto isolate = dictionary->GetIsolate();
     cell->dependent_code()->DeoptimizeDependentCodeGroup(
         isolate, DependentCode::kPropertyCellChangedGroup);
   }
   return value;
 }
 
+
+// static
+void PropertyCell::SetValueWithInvalidation(Handle<PropertyCell> cell,
+                                            Handle<Object> new_value) {
+  if (cell->value() != *new_value) {
+    cell->set_value(*new_value);
+    Isolate* isolate = cell->GetIsolate();
+    cell->dependent_code()->DeoptimizeDependentCodeGroup(
+        isolate, DependentCode::kPropertyCellChangedGroup);
+  }
+}
 } }  // namespace v8::internal