Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(57)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/builtins.cc

Issue 1200053002: Also check for access checks and indexed interceptors before allowing fast moving of elements (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index 493d56e13ac9967da3d71d61f4d38c4c3170c704..9559669780560c6e163388f266c23921b3774e74 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -184,38 +184,34 @@ static void MoveDoubleElements(FixedDoubleArray* dst, int dst_index,
}
-static bool ArrayPrototypeHasNoElements(Heap* heap, PrototypeIterator* iter) {
+static bool ArrayPrototypeHasNoElements(PrototypeIterator* iter) {
DisallowHeapAllocation no_gc;
for (; !iter->IsAtEnd(); iter->Advance()) {
if (iter->GetCurrent()->IsJSProxy()) return false;
- if (JSObject::cast(iter->GetCurrent())->elements() !=
- heap->empty_fixed_array()) {
- return false;
- }
+ JSObject* current = JSObject::cast(iter->GetCurrent());
+ if (current->IsAccessCheckNeeded()) return false;
+ if (current->HasIndexedInterceptor()) return false;
+ if (current->elements()->length() != 0) return false;
}
return true;
}
-static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap,
+static inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,
JSArray* receiver) {
DisallowHeapAllocation no_gc;
- Isolate* isolate = heap->isolate();
- if (!isolate->IsFastArrayConstructorPrototypeChainIntact()) {
- return false;
- }
-
// If the array prototype chain is intact (and free of elements), and if the
// receiver's prototype is the array prototype, then we are done.
Object* prototype = receiver->map()->prototype();
if (prototype->IsJSArray() &&
- isolate->is_initial_array_prototype(JSArray::cast(prototype))) {
+ isolate->is_initial_array_prototype(JSArray::cast(prototype)) &&
+ isolate->IsFastArrayConstructorPrototypeChainIntact()) {
return true;
}
// Slow case.
PrototypeIterator iter(isolate, receiver);
- return ArrayPrototypeHasNoElements(heap, &iter);
+ return ArrayPrototypeHasNoElements(&iter);
}
@@ -231,7 +227,7 @@ static inline MaybeHandle<FixedArrayBase> EnsureJSArrayWithWritableFastElements(
// If there may be elements accessors in the prototype chain, the fast path
// cannot be used if there arguments to add to the array.
Heap* heap = isolate->heap();
- if (args != NULL && !IsJSArrayFastElementMovingAllowed(heap, *array)) {
+ if (args != NULL && !IsJSArrayFastElementMovingAllowed(isolate, *array)) {
return MaybeHandle<FixedArrayBase>();
}
if (array->map()->is_observed()) return MaybeHandle<FixedArrayBase>();
@@ -463,7 +459,7 @@ BUILTIN(ArrayShift) {
EnsureJSArrayWithWritableFastElements(isolate, receiver, NULL, 0);
Handle<FixedArrayBase> elms_obj;
if (!maybe_elms_obj.ToHandle(&elms_obj) ||
- !IsJSArrayFastElementMovingAllowed(heap, JSArray::cast(*receiver))) {
+ !IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
return CallJsBuiltin(isolate, "$arrayShift", args);
}
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
@@ -566,7 +562,6 @@ BUILTIN(ArrayUnshift) {
BUILTIN(ArraySlice) {
HandleScope scope(isolate);
- Heap* heap = isolate->heap();
Handle<Object> receiver = args.receiver();
int len = -1;
int relative_start = 0;
@@ -575,7 +570,7 @@ BUILTIN(ArraySlice) {
DisallowHeapAllocation no_gc;
if (receiver->IsJSArray()) {
JSArray* array = JSArray::cast(*receiver);
- if (!IsJSArrayFastElementMovingAllowed(heap, array)) {
+ if (!IsJSArrayFastElementMovingAllowed(isolate, array)) {
AllowHeapAllocation allow_allocation;
return CallJsBuiltin(isolate, "$arraySlice", args);
}
@@ -934,12 +929,11 @@ BUILTIN(ArrayConcat) {
bool has_double = false;
{
DisallowHeapAllocation no_gc;
- Heap* heap = isolate->heap();
Context* native_context = isolate->context()->native_context();
Object* array_proto = native_context->array_function()->prototype();
PrototypeIterator iter(isolate, array_proto,
PrototypeIterator::START_AT_RECEIVER);
- if (!ArrayPrototypeHasNoElements(heap, &iter)) {
+ if (!ArrayPrototypeHasNoElements(&iter)) {
AllowHeapAllocation allow_allocation;
return CallJsBuiltin(isolate, "$arrayConcat", args);
}
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698