Empty Array prototype elements protection needs to alert on length change.

src/isolate.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdlib.h>
 
 #include <fstream>  // NOLINT(readability/streams)
 #include <sstream>
 
 #include "src/v8.h"
@@ skipping 2356 matching lines @@
 
 
 bool Isolate::use_crankshaft() const {
   return FLAG_crankshaft &&
          !serializer_enabled_ &&
          CpuFeatures::SupportsCrankshaft();
 }
 
 
 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {
-  Handle<PropertyCell> no_elements_cell =
-      handle(heap()->array_protector(), this);
+  PropertyCell* no_elements_cell = heap()->array_protector();
   bool cell_reports_intact = no_elements_cell->value()->IsSmi() &&
                              Smi::cast(no_elements_cell->value())->value() == 1;
 
 #ifdef DEBUG
   Map* root_array_map =
       get_initial_js_array_map(GetInitialFastElementsKind());
-  JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype());
-  JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype());
+  Context* native_context = context()->native_context();
+  JSObject* initial_array_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX));
+  JSObject* initial_object_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX));
 
   if (root_array_map == NULL || initial_array_proto == initial_object_proto) {
     // We are in the bootstrapping process, and the entire check sequence
     // shouldn't be performed.
     return cell_reports_intact;
   }
 
   // Check that the array prototype hasn't been altered WRT empty elements.
   if (root_array_map->prototype() != initial_array_proto) {
     DCHECK_EQ(false, cell_reports_intact);
@@ skipping 22 matching lines @@
     return cell_reports_intact;
   }
 
 #endif
 
   return cell_reports_intact;
 }
 
 
 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
-  Handle<PropertyCell> array_protector = factory()->array_protector();
   if (IsFastArrayConstructorPrototypeChainIntact() &&
       object->map()->is_prototype_map()) {
     Object* context = heap()->native_contexts_list();
     while (!context->IsUndefined()) {
       Context* current_context = Context::cast(context);
       if (current_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX) ==
               *object ||
           current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
               *object) {
-        PropertyCell::SetValueWithInvalidation(array_protector,
+        PropertyCell::SetValueWithInvalidation(factory()->array_protector(),
                                                handle(Smi::FromInt(0), this));
         break;
       }
       context = current_context->get(Context::NEXT_CONTEXT_LINK);
     }
   }
 }
 
 
 bool Isolate::IsAnyInitialArrayPrototype(Handle<JSArray> array) {
@@ skipping 301 matching lines @@
   if (prev_ && prev_->Intercept(flag)) return true;
   // Then check whether this scope intercepts.
   if ((flag & intercept_mask_)) {
     intercepted_flags_ |= flag;
     return true;
   }
   return false;
 }
 
 } }  // namespace v8::internal