[runtime] Fix integer indexed property handling

src/lookup.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/lookup.h"
 
 #include "src/bootstrapper.h"
 #include "src/deoptimizer.h"
 #include "src/elements.h"
 #include "src/isolate-inl.h"
@@ skipping 372 matching lines @@
     JSObject::ReoptimizeIfPrototype(receiver);
   }
 
   holder_map_ = handle(receiver->map(), isolate_);
   ReloadPropertyInformation();
 }
 
 
 bool LookupIterator::HolderIsReceiverOrHiddenPrototype() const {
   DCHECK(has_property_ || state_ == INTERCEPTOR || state_ == JSPROXY);
-  return InternalHolderIsReceiverOrHiddenPrototype();
-}
-
-bool LookupIterator::InternalHolderIsReceiverOrHiddenPrototype() const {
   // Optimization that only works if configuration_ is not mutable.
   if (!check_prototype_chain()) return true;
   DisallowHeapAllocation no_gc;
   if (!receiver_->IsJSReceiver()) return false;
   JSReceiver* current = JSReceiver::cast(*receiver_);
-  JSReceiver* holder = *holder_;
-  if (current == holder) return true;
-  if (!holder->map()->is_hidden_prototype()) return false;
+  JSReceiver* object = *holder_;
+  if (current == object) return true;
+  if (!object->map()->is_hidden_prototype()) return false;
   // JSProxy do not occur as hidden prototypes.
   if (current->IsJSProxy()) return false;
   PrototypeIterator iter(isolate(), current);
   while (!iter.IsAtEnd(PrototypeIterator::END_AT_NON_HIDDEN)) {
-    if (iter.GetCurrent<JSReceiver>() == holder) return true;
+    if (iter.GetCurrent<JSReceiver>() == object) return true;
     iter.Advance();
   }
   return false;
 }
 
 
 Handle<Object> LookupIterator::FetchValue() const {
   Object* result = NULL;
   if (IsElement()) {
     Handle<JSObject> holder = GetHolder<JSObject>();
@@ skipping 96 matching lines @@
     property_dictionary->ValueAtPut(dictionary_entry(), *value);
   } else if (property_details_.type() == v8::internal::DATA) {
     JSObject::cast(*holder)->WriteToField(descriptor_number(), *value);
   } else {
     DCHECK_EQ(v8::internal::DATA_CONSTANT, property_details_.type());
   }
 }
 
 
 bool LookupIterator::IsIntegerIndexedExotic(JSReceiver* holder) {
-  DCHECK(exotic_index_state_ != ExoticIndexState::kNotExotic);
-  if (exotic_index_state_ == ExoticIndexState::kExotic) return true;
-  if (!InternalHolderIsReceiverOrHiddenPrototype()) {
-    exotic_index_state_ = ExoticIndexState::kNotExotic;
-    return false;
-  }
-  DCHECK(exotic_index_state_ == ExoticIndexState::kUninitialized);
-  bool result = false;
-  // Compute and cache result.
-  if (IsElement()) {
-    result = index_ >= JSTypedArray::cast(holder)->length_value();
-  } else if (name()->IsString()) {
-    Handle<String> name_string = Handle<String>::cast(name());
-    if (name_string->length() != 0) {
-      result = IsSpecialIndex(isolate_->unicode_cache(), *name_string);
-    }
-  }
-  exotic_index_state_ =
-      result ? ExoticIndexState::kExotic : ExoticIndexState::kNotExotic;
-  return result;
+  DCHECK(!IsElement());
+  if (!name_->IsString()) return false;
+  if (*receiver_ != holder) return false;
+
+  Handle<String> name_string = Handle<String>::cast(name_);
+  if (name_string->length() == 0) return false;
+
+  return IsSpecialIndex(isolate_->unicode_cache(), *name_string);
 }
 
 
 void LookupIterator::InternalizeName() {
   if (name_->IsUniqueName()) return;
   name_ = factory()->InternalizeString(Handle<String>::cast(name_));
 }
 
 
 bool LookupIterator::HasInterceptor(Map* map) const {
@@ skipping 66 matching lines @@
         return INTERCEPTOR;
       }
     // Fall through.
     case INTERCEPTOR:
       if (IsElement()) {
         JSObject* js_object = JSObject::cast(holder);
         ElementsAccessor* accessor = js_object->GetElementsAccessor();
         FixedArrayBase* backing_store = js_object->elements();
         number_ = accessor->GetEntryForIndex(js_object, backing_store, index_);
         if (number_ == kMaxUInt32) {
-          if (*receiver_ == Object::cast(holder) && holder->IsJSTypedArray()) {
+          if (*receiver_ == holder && holder->IsJSTypedArray()) {
             return INTEGER_INDEXED_EXOTIC;
           }
           return NOT_FOUND;
         }
         property_details_ = accessor->GetDetails(js_object, number_);
-      } else if (exotic_index_state_ != ExoticIndexState::kNotExotic &&
-                 holder->IsJSTypedArray() && IsIntegerIndexedExotic(holder)) {
+      } else if (holder->IsJSTypedArray() && IsIntegerIndexedExotic(holder)) {
         return INTEGER_INDEXED_EXOTIC;
       } else if (!map->is_dictionary_map()) {
         DescriptorArray* descriptors = map->instance_descriptors();
         int number = descriptors->SearchWithCache(*name_, map);
         if (number == DescriptorArray::kNotFound) return NOT_FOUND;
         number_ = static_cast<uint32_t>(number);
         property_details_ = descriptors->GetDetails(number_);
       } else if (map->IsJSGlobalObjectMap()) {
         GlobalDictionary* dict = JSObject::cast(holder)->global_dictionary();
         int number = dict->FindEntry(name_);
@@ skipping 41 matching lines @@
     // Fall through.
     default:
       return NOT_FOUND;
   }
   UNREACHABLE();
   return state_;
 }
 
 }  // namespace internal
 }  // namespace v8