Optimize @@species based on a global 'protector' cell

src/isolate.cc

Index: src/isolate.cc
diff --git a/src/isolate.cc b/src/isolate.cc
index e9a237b412c7434c5ac30313c4b4e81c8e1987f2..e397f98fc7954b43f729eca0ea5146f888310a62 100644
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -2511,6 +2511,32 @@ bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {
   return cell_reports_intact;
 }
 
+bool Isolate::IsArraySpeciesLookupChainIntact() {
+  // Note: It would be nice to have debug checks to make sure that the
+  // species protector is accurate, but this would be hard to do for most of
+  // what the protector stands for:
+  // - You'd need to traverse the heap to check that no Array instance has
+  //   a constructor property or a modified __proto__
+  // - To check that Array[Symbol.species] == Array, JS code has to execute,
+  //   but JS cannot be invoked in callstack overflow situations
+  // All that could be checked reliably is that
+  // Array.prototype.constructor == Array. Given that limitation, no check is
+  // done here. In place, there are mjsunit tests harmony/array-species* which
+  // ensure that behavior is correct in various invalid protector cases.
+
+  PropertyCell* species_cell = heap()->species_protector();
+  return species_cell->value()->IsSmi() &&
+         Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
+}
+
+void Isolate::InvalidateArraySpeciesProtector() {
+  CHECK(factory()->species_protector()->value()->IsSmi());

[adamk, 2016/02/19 00:01:17]

Normally this and the surrounding CHECKs would be DCHECKs. Do you really
need/want to do these outside a debug build?

[Dan Ehrenberg, 2016/02/19 00:15:37]

That would be my intuition, except I was copying what the normal Array protector
does, since I assumed those conventions apply here (except the next checks are
new). Anyway, I don't think this path needs to be extremely fast, since you can
only invalidate the species protector once in the lifetime of the isolate, and
these are not expensive checks.

[adamk, 2016/02/19 01:06:01]

I'll leave this to cbruni or other runtime folks since the ArrayProtector is
there's. Consistency seems reasonable.

[Dan Ehrenberg, 2016/02/19 02:16:41]

Actually, I can't find those CHECKS I thought I was copying. Changed to DCHECK.

+  CHECK(IsArraySpeciesLookupChainIntact());
+  PropertyCell::SetValueWithInvalidation(
+      factory()->species_protector(),
+      handle(Smi::FromInt(kArrayProtectorInvalid), this));
+  CHECK(!IsArraySpeciesLookupChainIntact());
+}
 
 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
   if (IsFastArrayConstructorPrototypeChainIntact() &&
@@ -2522,6 +2548,7 @@ void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
               *object ||
           current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
               *object) {
+        CountUsage(v8::Isolate::UseCounterFeature::kArrayProtectorDirtied);
         PropertyCell::SetValueWithInvalidation(
             factory()->array_protector(),
             handle(Smi::FromInt(kArrayProtectorInvalid), this));