src/builtins.cc - Issue 1689733002: Optimize @@species based on a global 'protector' cell

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/builtins.cc

Issue 1689733002: Optimize @@species based on a global 'protector' cell (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: DCHECK Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/builtins.cc

diff --git a/src/builtins.cc b/src/builtins.cc

index 474b76fc15567de1f04c4dfe65a5aa8edcb4143f..c9c8629c17d9632fbeee44fc65f1c8976bcb223c 100644

--- a/src/builtins.cc

+++ b/src/builtins.cc

@@ -483,19 +483,14 @@ BUILTIN(ArraySlice) {

int relative_end = 0;

bool is_sloppy_arguments = false;

- // TODO(littledan): Look up @@species only once, not once here and

- // again in the JS builtin. Pass the species out?

- Handle<Object> species;

- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(

- isolate, species, Object::ArraySpeciesConstructor(isolate, receiver));

- if (*species != isolate->context()->native_context()->array_function()) {

- return CallJsIntrinsic(isolate, isolate->array_slice(), args);

- }

if (receiver->IsJSArray()) {

DisallowHeapAllocation no_gc;

JSArray* array = JSArray::cast(*receiver);

if (!array->HasFastElements() ||

- !IsJSArrayFastElementMovingAllowed(isolate, array)) {

+ !IsJSArrayFastElementMovingAllowed(isolate, array) ||

+ !isolate->IsArraySpeciesLookupChainIntact() ||

+ // If this is a subclass of Array, then call out to JS

+ !array->map()->new_target_is_base()) {

AllowHeapAllocation allow_allocation;

return CallJsIntrinsic(isolate, isolate->array_slice(), args);

}

@@ -573,15 +568,11 @@ BUILTIN(ArraySplice) {

MaybeHandle<FixedArrayBase> maybe_elms_obj =

EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 3);

Handle<FixedArrayBase> elms_obj;

- if (!maybe_elms_obj.ToHandle(&elms_obj)) {

- return CallJsIntrinsic(isolate, isolate->array_splice(), args);

- }

- // TODO(littledan): Look up @@species only once, not once here and

- // again in the JS builtin. Pass the species out?

- Handle<Object> species;

- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(

- isolate, species, Object::ArraySpeciesConstructor(isolate, receiver));

- if (*species != isolate->context()->native_context()->array_function()) {

+ if (!maybe_elms_obj.ToHandle(&elms_obj) ||

+ // If this is a subclass of Array, then call out to JS

+ !JSArray::cast(*receiver)->map()->new_target_is_base() ||

+ // If anything with @@species has been messed with, call out to JS

+ !isolate->IsArraySpeciesLookupChainIntact()) {

return CallJsIntrinsic(isolate, isolate->array_splice(), args);

}

Handle<JSArray> array = Handle<JSArray>::cast(receiver);

« no previous file with comments | « include/v8.h ('k') | src/heap/heap.h » ('j') | src/lookup.cc » ('J')