src/lookup.cc - Issue 1651913005: [runtime] Fix integer indexed property handling

Unified Diff: src/lookup.cc

Issue 1651913005: [runtime] Fix integer indexed property handling (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 4 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/lookup.cc

diff --git a/src/lookup.cc b/src/lookup.cc

index 7d74ffbf570ad65088cee39decb7f9753f682188..4f1fe94c300224b2becd3e193d06b63cf51caab3 100644

--- a/src/lookup.cc

+++ b/src/lookup.cc

@@ -390,23 +390,22 @@ void LookupIterator::TransitionToAccessorPair(Handle<Object> pair,

bool LookupIterator::HolderIsReceiverOrHiddenPrototype() const {

DCHECK(has_property_ || state_ == INTERCEPTOR || state_ == JSPROXY);

- return InternalHolderIsReceiverOrHiddenPrototype();

+ return IsReceiverOrHiddenPrototype(*holder_);

}

-bool LookupIterator::InternalHolderIsReceiverOrHiddenPrototype() const {

+bool LookupIterator::IsReceiverOrHiddenPrototype(JSReceiver* object) const {

// Optimization that only works if configuration_ is not mutable.

if (!check_prototype_chain()) return true;

DisallowHeapAllocation no_gc;

if (!receiver_->IsJSReceiver()) return false;

JSReceiver* current = JSReceiver::cast(*receiver_);

- JSReceiver* holder = *holder_;

- if (current == holder) return true;

- if (!holder->map()->is_hidden_prototype()) return false;

+ if (current == object) return true;

+ if (!object->map()->is_hidden_prototype()) return false;

// JSProxy do not occur as hidden prototypes.

if (current->IsJSProxy()) return false;

PrototypeIterator iter(isolate(), current);

while (!iter.IsAtEnd(PrototypeIterator::END_AT_NON_HIDDEN)) {

- if (iter.GetCurrent<JSReceiver>() == holder) return true;

+ if (iter.GetCurrent<JSReceiver>() == object) return true;

iter.Advance();

}

return false;

@@ -523,26 +522,14 @@ void LookupIterator::WriteDataValue(Handle<Object> value) {

bool LookupIterator::IsIntegerIndexedExotic(JSReceiver* holder) {

- DCHECK(exotic_index_state_ != ExoticIndexState::kNotExotic);

- if (exotic_index_state_ == ExoticIndexState::kExotic) return true;

- if (!InternalHolderIsReceiverOrHiddenPrototype()) {

- exotic_index_state_ = ExoticIndexState::kNotExotic;

- return false;

- }

- DCHECK(exotic_index_state_ == ExoticIndexState::kUninitialized);

- bool result = false;

- // Compute and cache result.

- if (IsElement()) {

- result = index_ >= JSTypedArray::cast(holder)->length_value();

- } else if (name()->IsString()) {

- Handle<String> name_string = Handle<String>::cast(name());

- if (name_string->length() != 0) {

- result = IsSpecialIndex(isolate_->unicode_cache(), *name_string);

- }

- exotic_index_state_ =

- result ? ExoticIndexState::kExotic : ExoticIndexState::kNotExotic;

- return result;

+ DCHECK(!IsElement());

+ if (!name_->IsString()) return false;

+ if (!IsReceiverOrHiddenPrototype(holder)) return false;

+ Handle<String> name_string = Handle<String>::cast(name_);

+ if (name_string->length() == 0) return false;

+ return IsSpecialIndex(isolate_->unicode_cache(), *name_string);

}

@@ -635,8 +622,7 @@ LookupIterator::State LookupIterator::LookupInHolder(Map* const map,

return NOT_FOUND;

}

property_details_ = accessor->GetDetails(js_object, number_);

- } else if (exotic_index_state_ != ExoticIndexState::kNotExotic &&

- holder->IsJSTypedArray() && IsIntegerIndexedExotic(holder)) {

+ } else if (holder->IsJSTypedArray() && IsIntegerIndexedExotic(holder)) {

return INTEGER_INDEXED_EXOTIC;

} else if (!map->is_dictionary_map()) {

DescriptorArray* descriptors = map->instance_descriptors();

« no previous file with comments | « src/lookup.h ('k') | src/objects.h » ('j') | test/mjsunit/regress/regress-integer-indexed-element.js » ('J')