Unified Diff: src/objects.cc

Issue 1092043002: Protect the emptiness of Array prototype elements with a PropertyCell. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Try again :p. Created 5 years, 8 months ago
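--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4902,6 +4902,11 @@ Handle<SeededNumberDictionary> JSObject::NormalizeElements(
 DCHECK(object->HasFastSmiOrObjectElements() ||
 object->HasFastDoubleElements() ||
 object->HasFastArgumentsElements());
+
+ // Ensure that notifications fire if the array or object prototypes are
+ // normalizing.
+ isolate->UpdateArrayProtectorOnNormalizeElements(object);
+
 // Compute the effective length and allocate a new backing store.
 int length = object->IsJSArray()
 ? Smi::cast(Handle<JSArray>::cast(object)->length())->value()
@@ -5756,6 +5761,7 @@ MaybeHandle<Object> JSObject::PreventExtensionsWithTransition(
 Handle<SeededNumberDictionary> new_element_dictionary;
 if (!object->elements()->IsDictionary()) {
 new_element_dictionary = GetNormalizedElementDictionary(object);
+ isolate->UpdateArrayProtectorOnNormalizeElements(object);
 }
 Handle<Symbol> transition_marker;
@@ -12415,8 +12421,6 @@ const char* DependentCode::DependencyGroupName(DependencyGroup group) {
 return "transition";
 case kPrototypeCheckGroup:
 return "prototype-check";
- case kElementsCantBeAddedGroup:
- return "elements-cant-be-added";
 case kPropertyCellChangedGroup:
 return "property-cell-changed";
 case kFieldTypeGroup:
@@ -12515,6 +12519,8 @@ MaybeHandle<Object> JSObject::SetPrototype(Handle<JSObject> object,
 // Nothing to do if prototype is already set.
 if (map->prototype() == *value) return value;
+ isolate->UpdateArrayProtectorOnSetPrototype(real_receiver);
+
 PrototypeOptimizationMode mode =
 from_javascript ? REGULAR_PROTOTYPE : FAST_PROTOTYPE;
 Handle<Map> new_map = Map::TransitionToPrototype(map, value, mode);
@@ -12735,11 +12741,7 @@ MaybeHandle<Object> JSObject::SetFastElement(Handle<JSObject> object,
 // Array optimizations rely on the prototype lookups of Array objects always
 // returning undefined. If there is a store to the initial prototype object,
 // make sure all of these optimizations are invalidated.
- if (isolate->is_initial_object_prototype(*object) ||
- isolate->is_initial_array_prototype(*object)) {
- object->map()->dependent_code()->DeoptimizeDependentCodeGroup(isolate,
- DependentCode::kElementsCantBeAddedGroup);
- }
+ isolate->UpdateArrayProtectorOnSetElement(object);
 Handle<FixedArray> backing_store(FixedArray::cast(object->elements()));
 if (backing_store->map() ==
@@ -17097,4 +17099,15 @@ Handle<Object> PropertyCell::UpdateCell(Handle<NameDictionary> dictionary,
 return value;
 }
+
+// static
+void PropertyCell::SetValueWithInvalidation(Handle<PropertyCell> cell,
+ Handle<Object> new_value) {
+ if (cell->value() != *new_value) {
+ cell->set_value(*new_value);
+ Isolate* isolate = cell->GetIsolate();
+ cell->dependent_code()->DeoptimizeDependentCodeGroup(
+ isolate, DependentCode::kPropertyCellChangedGroup);
+ }
+}
 } } // namespace v8::internal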
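Review bot: `PropertyCell::SetValueWithInvalidation` in the last hunk carries only a `// static` marker and no statement of its contract, and the `cell->value() != *new_value` test is an object-identity comparison, so a distinct-but-equal heap object still counts as a change and deoptimizes every dependency in `kPropertyCellChangedGroup`; that is worth saying so callers keep passing canonical values such as Smis or oddballs. Suggested header above the definition: `// Stores new_value into cell and, only when the stored object identity actually changes, deoptimizes all code registered on the cell in kPropertyCellChangedGroup.` The soundness of optimized code that now keys off this protector depends on every path that can add an indexed element to the initial Array or Object prototype reaching one of the new `UpdateArrayProtector*` calls in the earlier hunks (`NormalizeElements`, `PreventExtensionsWithTransition`, `SetPrototype`, `SetFastElement`, each of which begins outside its hunk); a dictionary-mode element store path is not visible in this diff, so it is worth confirming it is covered either by its own call or by always passing through `NormalizeElements` first, and a cctest that stores through that path and checks the protector flips would lock the invariant in.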