Optimize @@species based on a global 'protector' cell

src/isolate.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/isolate.h"
 
 #include <stdlib.h>
 
 #include <fstream>  // NOLINT(readability/streams)
 #include <sstream>
@@ skipping 2493 matching lines @@
   if (!iter.IsAtEnd()) {
     DCHECK_EQ(false, cell_reports_intact);
     return cell_reports_intact;
   }
 
 #endif
 
   return cell_reports_intact;
 }
 
+bool Isolate::IsArraySpeciesLookupChainIntact() {
+  // Note: It would be nice to have debug checks to make sure that the
+  // species protector is accurate, but this would be hard to do for most of
+  // what the protector stands for:
+  // - You'd need to traverse the heap to check that no Array instance has
+  //   a constructor property or a modified __proto__
+  // - To check that Array[Symbol.species] == Array, JS code has to execute,
+  //   but JS cannot be invoked in callstack overflow situations
+  // All that could be checked reliably is that
+  // Array.prototype.constructor == Array. Given that limitation, no check is
+  // done here. In place, there are mjsunit tests harmony/array-species* which
+  // ensure that behavior is correct in various invalid protector cases.
+
+  PropertyCell* species_cell = heap()->species_protector();
+  return species_cell->value()->IsSmi() &&
+         Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
+}
+
+void Isolate::InvalidateArraySpeciesProtector() {
+  CHECK(factory()->species_protector()->value()->IsSmi());

[adamk, 2016/02/19 00:01:17]

Normally this and the surrounding CHECKs would be DCHECKs. Do you really
need/want to do these outside a debug build?

[Dan Ehrenberg, 2016/02/19 00:15:37]

That would be my intuition, except I was copying what the normal Array protector
does, since I assumed those conventions apply here (except the next checks are
new). Anyway, I don't think this path needs to be extremely fast, since you can
only invalidate the species protector once in the lifetime of the isolate, and
these are not expensive checks.

[adamk, 2016/02/19 01:06:01]

I'll leave this to cbruni or other runtime folks since the ArrayProtector is
there's. Consistency seems reasonable.

[Dan Ehrenberg, 2016/02/19 02:16:41]

Actually, I can't find those CHECKS I thought I was copying. Changed to DCHECK.

+  CHECK(IsArraySpeciesLookupChainIntact());
+  PropertyCell::SetValueWithInvalidation(
+      factory()->species_protector(),
+      handle(Smi::FromInt(kArrayProtectorInvalid), this));
+  CHECK(!IsArraySpeciesLookupChainIntact());
+}
 
 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
   if (IsFastArrayConstructorPrototypeChainIntact() &&
       object->map()->is_prototype_map()) {
     Object* context = heap()->native_contexts_list();
     while (!context->IsUndefined()) {
       Context* current_context = Context::cast(context);
       if (current_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX) ==
               *object ||
           current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
               *object) {
+        CountUsage(v8::Isolate::UseCounterFeature::kArrayProtectorDirtied);
         PropertyCell::SetValueWithInvalidation(
             factory()->array_protector(),
             handle(Smi::FromInt(kArrayProtectorInvalid), this));
         break;
       }
       context = current_context->get(Context::NEXT_CONTEXT_LINK);
     }
   }
 }
 
@@ skipping 322 matching lines @@
   // Then check whether this scope intercepts.
   if ((flag & intercept_mask_)) {
     intercepted_flags_ |= flag;
     return true;
   }
   return false;
 }
 
 }  // namespace internal
 }  // namespace v8