[runtime] Avoid @@isConcatSpreadable lookup for fast path Array.prototype.concat

src/isolate.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/isolate.h"
 
 #include <stdlib.h>
 
 #include <fstream>  // NOLINT(readability/streams)
 #include <sstream>
@@ skipping 2468 matching lines @@
   return nullptr;
 }
 
 
 bool Isolate::use_crankshaft() const {
   return FLAG_crankshaft &&
          !serializer_enabled_ &&
          CpuFeatures::SupportsCrankshaft();
 }
 
+bool Isolate::ArrayOrObjectPrototypeIsInContext(Object* object) {

[Toon Verwaest, 2016/04/05 12:57:26]

IsArrayOrObjectPrototype

+  Object* context = heap()->native_contexts_list();
+  while (context != heap()->undefined_value()) {
+    Context* current_context = Context::cast(context);
+    if (current_context->initial_object_prototype() == object ||
+        current_context->initial_array_prototype() == object) {
+      return true;
+    }
+    context = current_context->next_context_link();
+  }
+  return false;
+}
+
+bool Isolate::IsInContextIndex(Object* object, uint32_t index) {
+  DisallowHeapAllocation no_gc;
+  Object* context = heap()->native_contexts_list();
+  while (context == heap()->undefined_value()) {
+    Context* current_context = Context::cast(context);
+    if (current_context->get(index) == object) {
+      return true;
+    }
+    context = current_context->next_context_link();
+  }
+  return false;
+}
 
 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {
   PropertyCell* no_elements_cell = heap()->array_protector();
   bool cell_reports_intact =
       no_elements_cell->value()->IsSmi() &&
       Smi::cast(no_elements_cell->value())->value() == kArrayProtectorValid;
 
 #ifdef DEBUG
   Map* root_array_map =
       get_initial_js_array_map(GetInitialFastElementsKind());
@@ skipping 53 matching lines @@
   // what the protector stands for:
   // - You'd need to traverse the heap to check that no Array instance has
   //   a constructor property or a modified __proto__
   // - To check that Array[Symbol.species] == Array, JS code has to execute,
   //   but JS cannot be invoked in callstack overflow situations
   // All that could be checked reliably is that
   // Array.prototype.constructor == Array. Given that limitation, no check is
   // done here. In place, there are mjsunit tests harmony/array-species* which
   // ensure that behavior is correct in various invalid protector cases.
 
-  PropertyCell* species_cell = heap()->species_protector();
-  return species_cell->value()->IsSmi() &&
-         Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
+  Cell* species_cell = heap()->species_protector();
+  return Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
+}
+
+bool Isolate::IsArrayIsConcatSpreadableLookupChainIntact() {
+  Cell* is_concat_spreadable_cell =
+      heap()->array_is_concat_spreadable_protector();
+  bool is_concat_spreadable_set =
+      Smi::cast(is_concat_spreadable_cell->value())->value() ==
+      kArrayProtectorInvalid;
+#ifdef DEBUG
+  Map* root_array_map = get_initial_js_array_map(GetInitialFastElementsKind());
+  if (root_array_map == NULL) {
+    // Ignore the value of is_concat_spreadable during bootstrap.
+    return !is_concat_spreadable_set;
+  }
+  Handle<Object> array_prototype(array_function()->prototype(), this);
+  Handle<Symbol> key = factory()->is_concat_spreadable_symbol();
+  Handle<Object> value;
+  LookupIterator it(array_prototype, key);
+  if (it.IsFound() && it.state() != LookupIterator::JSPROXY) {
+    MaybeHandle<Object> maybe_value = Object::GetProperty(&it);

[Toon Verwaest, 2016/04/05 12:57:26]

GetDataProperty avoids side effects. You can't just GetProperty. Not sure this
makes sense, as it won't trigger for proxies, interceptors, getters, ...

+    if (maybe_value.ToHandle(&value) && !value->IsUndefined()) {
+      // TODO(cbruni): Currently we do not revert if we unset the
+      // @@isConcatSpreadable property on Array.prototype or Object.prototype
+      // hence the reverse implication doesn't hold.
+      DCHECK(is_concat_spreadable_set);
+      return false;
+    }
+  }
+#endif  // DEBUG
+
+  return !is_concat_spreadable_set;
+}
+
+void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
+  DisallowHeapAllocation no_gc;
+  if (!IsFastArrayConstructorPrototypeChainIntact()) return;
+  if (!object->map()->is_prototype_map()) return;

[Toon Verwaest, 2016/04/05 12:57:26]

This check is probably faster (and will generally hit) than the one above.

+  if (!ArrayOrObjectPrototypeIsInContext(*object)) return;
+  PropertyCell::SetValueWithInvalidation(
+      factory()->array_protector(),
+      handle(Smi::FromInt(kArrayProtectorInvalid), this));
+}
+
+void Isolate::InvalidateArrayIsConcatSpreadableProtector() {
+  DCHECK(factory()->array_is_concat_spreadable_protector()->value()->IsSmi());
+  DCHECK(IsArrayIsConcatSpreadableLookupChainIntact());
+  factory()->array_is_concat_spreadable_protector()->set_value(
+      Smi::FromInt(kArrayProtectorInvalid));
+  DCHECK(!IsArrayIsConcatSpreadableLookupChainIntact());
 }
 
 void Isolate::InvalidateArraySpeciesProtector() {
   DCHECK(factory()->species_protector()->value()->IsSmi());
   DCHECK(IsArraySpeciesLookupChainIntact());
-  PropertyCell::SetValueWithInvalidation(
-      factory()->species_protector(),
-      handle(Smi::FromInt(kArrayProtectorInvalid), this));
+  factory()->species_protector()->set_value(
+      Smi::FromInt(kArrayProtectorInvalid));
   DCHECK(!IsArraySpeciesLookupChainIntact());
 }
 
-void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
+bool Isolate::IsAnyInitialArrayPrototype(Handle<JSArray> array) {
   DisallowHeapAllocation no_gc;
-  if (IsFastArrayConstructorPrototypeChainIntact() &&
-      object->map()->is_prototype_map()) {
-    Object* context = heap()->native_contexts_list();
-    while (!context->IsUndefined()) {
-      Context* current_context = Context::cast(context);
-      if (current_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX) ==
-              *object ||
-          current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
-              *object) {
-        CountUsage(v8::Isolate::UseCounterFeature::kArrayProtectorDirtied);
-        PropertyCell::SetValueWithInvalidation(
-            factory()->array_protector(),
-            handle(Smi::FromInt(kArrayProtectorInvalid), this));
-        break;
-      }
-      context = current_context->get(Context::NEXT_CONTEXT_LINK);
-    }
-  }
+  return IsInContextIndex(*array, Context::INITIAL_ARRAY_PROTOTYPE_INDEX);
 }
 
 
-bool Isolate::IsAnyInitialArrayPrototype(Handle<JSArray> array) {
-  if (array->map()->is_prototype_map()) {
-    Object* context = heap()->native_contexts_list();
-    while (!context->IsUndefined()) {
-      Context* current_context = Context::cast(context);
-      if (current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
-          *array) {
-        return true;
-      }
-      context = current_context->get(Context::NEXT_CONTEXT_LINK);
-    }
-  }
-  return false;
-}
-
-
 CallInterfaceDescriptorData* Isolate::call_descriptor_data(int index) {
   DCHECK(0 <= index && index < CallDescriptors::NUMBER_OF_DESCRIPTORS);
   return &call_descriptor_data_[index];
 }
 
 
 base::RandomNumberGenerator* Isolate::random_number_generator() {
   if (random_number_generator_ == NULL) {
     if (FLAG_random_seed != 0) {
       random_number_generator_ =
@@ skipping 363 matching lines @@
   // Then check whether this scope intercepts.
   if ((flag & intercept_mask_)) {
     intercepted_flags_ |= flag;
     return true;
   }
   return false;
 }
 
 }  // namespace internal
 }  // namespace v8