src/objects.cc - Issue 1228113003: Fix non-standard element handling

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 1228113003: Fix non-standard element handling (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Remove handle Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index eb115613daced16427f55e78cd3a14424d5bc3e3..fad135e3a4bc0494d58ceda2172367ced6a55f17 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -4799,6 +4799,16 @@ static Handle<SeededNumberDictionary> CopyFastElementsToDictionary(

}

+void JSObject::RequireSlowElements(SeededNumberDictionary* dictionary) {

+ if (dictionary->requires_slow_elements()) return;

+ dictionary->set_requires_slow_elements();

+ // TODO(verwaest): Remove this hack.

+ if (map()->is_prototype_map()) {

+ GetHeap()->ClearAllICsByKind(Code::KEYED_STORE_IC);

+ }

Handle<SeededNumberDictionary> JSObject::NormalizeElements(

Handle<JSObject> object) {

DCHECK(!object->HasExternalArrayElements() &&

@@ -5440,7 +5450,7 @@ MaybeHandle<Object> JSObject::PreventExtensions(Handle<JSObject> object) {

DCHECK(object->HasDictionaryElements() || object->HasSlowArgumentsElements());

// Make sure that we never go back to fast case.

- dictionary->set_requires_slow_elements();

+ object->RequireSlowElements(*dictionary);

// Do a map transition, other objects with this map may still

// be extensible.

@@ -5613,7 +5623,7 @@ MaybeHandle<Object> JSObject::PreventExtensionsWithTransition(

if (object->elements() != isolate->heap()->empty_slow_element_dictionary()) {

SeededNumberDictionary* dictionary = object->element_dictionary();

// Make sure we never go back to the fast case

- dictionary->set_requires_slow_elements();

+ object->RequireSlowElements(dictionary);

if (attrs != NONE) {

ApplyAttributesToDictionary(dictionary, attrs);

}

@@ -6234,11 +6244,20 @@ bool Map::DictionaryElementsInPrototypeChainOnly() {

if (iter.GetCurrent()->IsJSProxy()) return true;

// String wrappers have non-configurable, non-writable elements.

if (iter.GetCurrent()->IsStringWrapper()) return true;

+ JSObject* current = JSObject::cast(iter.GetCurrent());

- if (IsDictionaryElementsKind(

- JSObject::cast(iter.GetCurrent())->map()->elements_kind())) {

+ if (current->HasDictionaryElements() &&

+ current->element_dictionary()->requires_slow_elements()) {

return true;

}

+ if (current->HasSlowArgumentsElements()) {

+ FixedArray* parameter_map = FixedArray::cast(current->elements());

+ Object* arguments = parameter_map->get(1);

+ if (SeededNumberDictionary::cast(arguments)->requires_slow_elements()) {

+ return true;

+ }

}

return false;

@@ -14670,6 +14689,8 @@ void SeededNumberDictionary::UpdateMaxNumberKey(uint32_t key) {

// Check if this index is high enough that we should require slow

// elements.

if (key > kRequiresSlowElementsLimit) {

+ // TODO(verwaest): Remove this hack.

+ GetHeap()->ClearAllICsByKind(Code::KEYED_STORE_IC);

set_requires_slow_elements();

return;

}

« no previous file with comments | « src/objects.h ('k') | test/mjsunit/element-read-only.js » ('j') | no next file with comments »