[runtime] Introduce a proper %NewArray runtime entry.

src/runtime/runtime-array.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/conversions-inl.h"
 #include "src/elements.h"
 #include "src/factory.h"
@@ skipping 215 matching lines @@
   // TODO(adamk): Remove this step when the contract of %GetArrayKeys
   // is changed to let this happen on the JS side.
   Handle<FixedArray> keys = accumulator.GetKeys(KEEP_NUMBERS);
   for (int i = 0; i < keys->length(); i++) {
     if (NumberToUint32(keys->get(i)) >= length) keys->set_undefined(i);
   }
   return *isolate->factory()->NewJSArrayWithElements(keys);
 }
 
 
-static Object* ArrayConstructorCommon(Isolate* isolate,
-                                      Handle<JSFunction> constructor,
-                                      Handle<JSFunction> new_target,
-                                      Handle<AllocationSite> site,
-                                      Arguments* caller_args) {
+namespace {
+
+Object* ArrayConstructorCommon(Isolate* isolate, Handle<JSFunction> constructor,
+                               Handle<JSReceiver> new_target,
+                               Handle<AllocationSite> site,
+                               Arguments* caller_args) {
   Factory* factory = isolate->factory();
 
+  // If called through new, new.target can be:
+  // - a subclass of constructor,
+  // - a proxy wrapper around constructor, or
+  // - the constructor itself.
+  // If called through Reflect.construct, it's guaranteed to be a constructor by
+  // REFLECT_CONSTRUCT_PREPARE.
+  DCHECK(new_target->IsConstructor());
+
   bool holey = false;
-  bool can_use_type_feedback = true;
+  bool can_use_type_feedback = !site.is_null();
   bool can_inline_array_constructor = true;
   if (caller_args->length() == 1) {
     Handle<Object> argument_one = caller_args->at<Object>(0);
     if (argument_one->IsSmi()) {
       int value = Handle<Smi>::cast(argument_one)->value();
       if (value < 0 ||
           JSArray::SetLengthWouldNormalize(isolate->heap(), value)) {
         // the array is a dictionary in this case.
         can_use_type_feedback = false;
       } else if (value != 0) {
         holey = true;
         if (value >= JSArray::kInitialMaxFastElementArray) {
           can_inline_array_constructor = false;
         }
       }
     } else {
       // Non-smi length argument produces a dictionary
       can_use_type_feedback = false;
     }
   }
 
-  Handle<JSArray> array;
-  if (!site.is_null() && can_use_type_feedback) {
-    ElementsKind to_kind = site->GetElementsKind();
-    if (holey && !IsFastHoleyElementsKind(to_kind)) {
-      to_kind = GetHoleyElementsKind(to_kind);
-      // Update the allocation site info to reflect the advice alteration.
-      site->SetElementsKind(to_kind);
-    }
+  // TODO(verwaest): new_target could be a proxy. Read new.target.prototype in
+  // that case.
+  Handle<JSFunction> original_function = Handle<JSFunction>::cast(new_target);
 
-    // We should allocate with an initial map that reflects the allocation site
-    // advice. Therefore we use AllocateJSObjectFromMap instead of passing
-    // the constructor.
-    Handle<Map> initial_map(constructor->initial_map(), isolate);
-    if (to_kind != initial_map->elements_kind()) {
-      initial_map = Map::AsElementsKind(initial_map, to_kind);
-    }
+  JSFunction::EnsureHasInitialMap(constructor);
 
-    // If we don't care to track arrays of to_kind ElementsKind, then
-    // don't emit a memento for them.
-    Handle<AllocationSite> allocation_site;
-    if (AllocationSite::GetMode(to_kind) == TRACK_ALLOCATION_SITE) {
-      allocation_site = site;
-    }
+  // TODO(verwaest): original_function could have non-instance-prototype
+  // (non-JSReceiver), requiring fallback to the intrinsicDefaultProto.
+  Handle<Map> initial_map =
+      JSFunction::EnsureDerivedHasInitialMap(original_function, constructor);
 
-    array = Handle<JSArray>::cast(
-        factory->NewJSObjectFromMap(initial_map, NOT_TENURED, allocation_site));
-  } else {
-    array = Handle<JSArray>::cast(factory->NewJSObject(constructor));
+  ElementsKind to_kind = can_use_type_feedback ? site->GetElementsKind()
+                                               : initial_map->elements_kind();
+  if (holey && !IsFastHoleyElementsKind(to_kind)) {
+    to_kind = GetHoleyElementsKind(to_kind);
+    // Update the allocation site info to reflect the advice alteration.
+    if (!site.is_null()) site->SetElementsKind(to_kind);
+  }
 
-    // We might need to transition to holey
-    ElementsKind kind = constructor->initial_map()->elements_kind();
-    if (holey && !IsFastHoleyElementsKind(kind)) {
-      kind = GetHoleyElementsKind(kind);
-      JSObject::TransitionElementsKind(array, kind);
-    }
+  // We should allocate with an initial map that reflects the allocation site
+  // advice. Therefore we use AllocateJSObjectFromMap instead of passing
+  // the constructor.
+  if (to_kind != initial_map->elements_kind()) {
+    initial_map = Map::AsElementsKind(initial_map, to_kind);
   }
 
+  // If we don't care to track arrays of to_kind ElementsKind, then
+  // don't emit a memento for them.
+  Handle<AllocationSite> allocation_site;
+  if (AllocationSite::GetMode(to_kind) == TRACK_ALLOCATION_SITE) {
+    allocation_site = site;
+  }
+
+  Handle<JSArray> array = Handle<JSArray>::cast(
+      factory->NewJSObjectFromMap(initial_map, NOT_TENURED, allocation_site));
+
   factory->NewJSArrayStorage(array, 0, 0, DONT_INITIALIZE_ARRAY_ELEMENTS);
 
   ElementsKind old_kind = array->GetElementsKind();
   RETURN_FAILURE_ON_EXCEPTION(
       isolate, ArrayConstructInitializeElements(array, caller_args));
   if (!site.is_null() &&
       (old_kind != array->GetElementsKind() || !can_use_type_feedback ||
        !can_inline_array_constructor)) {
     // The arguments passed in caused a transition. This kind of complexity
     // can't be dealt with in the inlined hydrogen array constructor case.
     // We must mark the allocationsite as un-inlinable.
     site->SetDoNotInlineCall();
   }
 
-  // Set up the prototoype using original function.
-  // TODO(dslomov): instead of setting the __proto__,
-  // use and cache the correct map.
-  if (*new_target != *constructor) {
-    if (new_target->has_instance_prototype()) {
-      Handle<Object> prototype(new_target->instance_prototype(), isolate);
-      MAYBE_RETURN(JSObject::SetPrototype(array, prototype, false,
-                                          Object::THROW_ON_ERROR),
-                   isolate->heap()->exception());
-    }
-  }
-
   return *array;
 }
 
+}  // namespace
+
+
+RUNTIME_FUNCTION(Runtime_NewArray) {
+  HandleScope scope(isolate);
+  DCHECK_LE(3, args.length());
+  int const argc = args.length() - 3;
+  // TODO(bmeurer): Remove this Arguments nonsense.
+  Arguments argv(argc, args.arguments() - 1);
+  CONVERT_ARG_HANDLE_CHECKED(JSFunction, constructor, 0);
+  CONVERT_ARG_HANDLE_CHECKED(JSReceiver, new_target, argc + 1);
+  CONVERT_ARG_HANDLE_CHECKED(HeapObject, type_info, argc + 2);
+  // TODO(bmeurer): Use MaybeHandle to pass around the AllocationSite.
+  Handle<AllocationSite> site = type_info->IsAllocationSite()
+                                    ? Handle<AllocationSite>::cast(type_info)
+                                    : Handle<AllocationSite>::null();
+  return ArrayConstructorCommon(isolate, constructor, new_target, site, &argv);
+}
+
 
 RUNTIME_FUNCTION(Runtime_ArrayConstructor) {
   HandleScope scope(isolate);
   // If we get 2 arguments then they are the stub parameters (constructor, type
   // info).  If we get 4, then the first one is a pointer to the arguments
   // passed by the caller, and the last one is the length of the arguments
   // passed to the caller (redundant, but useful to check on the deoptimizer
   // with an assert).
   Arguments empty_args(0, NULL);
   bool no_caller_args = args.length() == 2;
@@ skipping 15 matching lines @@
       *type_info != isolate->heap()->undefined_value()) {
     site = Handle<AllocationSite>::cast(type_info);
     DCHECK(!site->SitePointsToLiteral());
   }
 
   return ArrayConstructorCommon(isolate, constructor, constructor, site,
                                 caller_args);
 }
 
 
-RUNTIME_FUNCTION(Runtime_ArrayConstructorWithSubclassing) {
-  HandleScope scope(isolate);
-  int args_length = args.length();
-  CHECK(args_length >= 2);
-
-  // This variables and checks work around -Werror=strict-overflow.
-  int pre_last_arg_index = args_length - 2;
-  int last_arg_index = args_length - 1;
-  CHECK(pre_last_arg_index >= 0);
-  CHECK(last_arg_index >= 0);
-
-  CONVERT_ARG_HANDLE_CHECKED(JSFunction, constructor, pre_last_arg_index);
-  CONVERT_ARG_HANDLE_CHECKED(JSFunction, new_target, last_arg_index);
-  Arguments caller_args(args_length - 2, args.arguments());
-  return ArrayConstructorCommon(isolate, constructor, new_target,
-                                Handle<AllocationSite>::null(), &caller_args);
-}
-
-
 RUNTIME_FUNCTION(Runtime_InternalArrayConstructor) {
   HandleScope scope(isolate);
   Arguments empty_args(0, NULL);
   bool no_caller_args = args.length() == 1;
   DCHECK(no_caller_args || args.length() == 3);
   int parameters_start = no_caller_args ? 0 : 1;
   Arguments* caller_args =
       no_caller_args ? &empty_args : reinterpret_cast<Arguments*>(args[0]);
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, constructor, parameters_start);
 #ifdef DEBUG
@@ skipping 96 matching lines @@
 
 RUNTIME_FUNCTION(Runtime_FastOneByteArrayJoin) {
   SealHandleScope shs(isolate);
   DCHECK(args.length() == 2);
   // Returning undefined means that this fast path fails and one has to resort
   // to a slow path.
   return isolate->heap()->undefined_value();
 }
 }  // namespace internal
 }  // namespace v8