[accessors] second-chance typed array field lookup

src/accessors.cc

Index: src/accessors.cc
diff --git a/src/accessors.cc b/src/accessors.cc
index 6544e7197c1283f50f9e686643650589f1ff7aab..0c65caf84d2a18b121d3e1e2ae2dae33314acb38 100644
--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -99,22 +99,35 @@ bool Accessors::IsJSArrayBufferViewFieldAccessor(Handle<Map> map,
   Isolate* isolate = name->GetIsolate();
 
   switch (map->instance_type()) {
-    case JS_TYPED_ARRAY_TYPE:
-      // %TypedArray%.prototype is non-configurable, and so are the following
-      // named properties on %TypedArray%.prototype, so we can directly inline
-      // the field-load for typed array maps that still use their
-      // %TypedArray%.prototype.
-      if (JSFunction::cast(map->GetConstructor())->prototype() !=
-          map->prototype()) {
+    case JS_TYPED_ARRAY_TYPE: {
+      if (!CheckForName(name, isolate->factory()->length_string(),
+                        JSTypedArray::kLengthOffset, object_offset) &&
+          !CheckForName(name, isolate->factory()->byte_length_string(),
+                        JSTypedArray::kByteLengthOffset, object_offset) &&
+          !CheckForName(name, isolate->factory()->byte_offset_string(),
+                        JSTypedArray::kByteOffsetOffset, object_offset)) {
         return false;
       }
-      return CheckForName(name, isolate->factory()->length_string(),
-                          JSTypedArray::kLengthOffset, object_offset) ||
-             CheckForName(name, isolate->factory()->byte_length_string(),
-                          JSTypedArray::kByteLengthOffset, object_offset) ||
-             CheckForName(name, isolate->factory()->byte_offset_string(),
-                          JSTypedArray::kByteOffsetOffset, object_offset);
 
+      // Check if the property is overridden on the instance.
+      DescriptorArray* descriptors = map->instance_descriptors();

[Jakob Kummerow, 2015/09/10 11:33:56]

Before this is safe, you need to bail out for dictionary maps:

if (map->is_dictionary_map()) return false;

[fedor.indutny, 2015/09/10 11:56:28]

I knew I should do this! :) Thanks!

+      int descriptor = descriptors->SearchWithCache(*name, *map);
+      if (descriptor != DescriptorArray::kNotFound) return false;
+
+      Handle<Object> proto = Handle<Object>(map->prototype(), isolate);
+      if (!proto->IsJSReceiver()) return false;
+
+      // Check if the property is overridden in the prototype chain.

[Jakob Kummerow, 2015/09/10 11:33:56]

s/overridden/defined/

[fedor.indutny, 2015/09/10 11:56:28]

Acknowledged.

+      LookupIterator it(proto, name);
+      if (it.state() == LookupIterator::NOT_FOUND) return false;

[Jakob Kummerow, 2015/09/10 11:33:56]

if (!it.IsFound()) return false;

[fedor.indutny, 2015/09/10 11:56:28]

Acknowledged.

+
+      Object* original_proto =
+          JSFunction::cast(map->GetConstructor())->prototype();
+
+      // Property is not configurable. It is enough to verify that
+      // the holder is the same.
+      return *it.GetHolder<Object>() == original_proto;
+    }
     case JS_DATA_VIEW_TYPE:
       return CheckForName(name, isolate->factory()->byte_length_string(),
                           JSDataView::kByteLengthOffset, object_offset) ||