src/objects.cc - Issue 1052253003: Revert of Revert of Protect the emptiness of Array prototype elements with a PropertyCell.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 1052253003: Revert of Revert of Protect the emptiness of Array prototype elements with a PropertyCell. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index 28163662b5dc32885b28ce51158ea8058a6d8a04..a2dd84066a8fc2b5766376b2672ce2cbf5e5e279 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -4902,6 +4902,11 @@

DCHECK(object->HasFastSmiOrObjectElements() ||

object->HasFastDoubleElements() ||

object->HasFastArgumentsElements());

+ // Ensure that notifications fire if the array or object prototypes are

+ // normalizing.

+ isolate->UpdateArrayProtectorOnNormalizeElements(object);

// Compute the effective length and allocate a new backing store.

int length = object->IsJSArray()

? Smi::cast(Handle<JSArray>::cast(object)->length())->value()

@@ -5756,6 +5761,7 @@

Handle<SeededNumberDictionary> new_element_dictionary;

if (!object->elements()->IsDictionary()) {

new_element_dictionary = GetNormalizedElementDictionary(object);

+ isolate->UpdateArrayProtectorOnNormalizeElements(object);

}

Handle<Symbol> transition_marker;

@@ -12415,8 +12421,6 @@

return "transition";

case kPrototypeCheckGroup:

return "prototype-check";

- case kElementsCantBeAddedGroup:

- return "elements-cant-be-added";

case kPropertyCellChangedGroup:

return "property-cell-changed";

case kFieldTypeGroup:

@@ -12514,6 +12518,8 @@

// Nothing to do if prototype is already set.

if (map->prototype() == *value) return value;

+ isolate->UpdateArrayProtectorOnSetPrototype(real_receiver);

PrototypeOptimizationMode mode =

from_javascript ? REGULAR_PROTOTYPE : FAST_PROTOTYPE;

@@ -12735,11 +12741,7 @@

// Array optimizations rely on the prototype lookups of Array objects always

// returning undefined. If there is a store to the initial prototype object,

// make sure all of these optimizations are invalidated.

- if (isolate->is_initial_object_prototype(*object) ||

- isolate->is_initial_array_prototype(*object)) {

- object->map()->dependent_code()->DeoptimizeDependentCodeGroup(isolate,

- DependentCode::kElementsCantBeAddedGroup);

- }

+ isolate->UpdateArrayProtectorOnSetElement(object);

Handle<FixedArray> backing_store(FixedArray::cast(object->elements()));

if (backing_store->map() ==

@@ -17097,4 +17099,15 @@

return value;

}

+// static

+void PropertyCell::SetValueWithInvalidation(Handle<PropertyCell> cell,

+ Handle<Object> new_value) {

+ if (cell->value() != *new_value) {

+ cell->set_value(*new_value);

+ Isolate* isolate = cell->GetIsolate();

+ cell->dependent_code()->DeoptimizeDependentCodeGroup(

+ isolate, DependentCode::kPropertyCellChangedGroup);

+ }

} } // namespace v8::internal

« no previous file with comments | « src/objects.h ('k') | test/cctest/test-api.cc » ('j') | no next file with comments »