src/isolate.cc - Issue 1689733002: Optimize @@species based on a global 'protector' cell

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/isolate.cc

Issue 1689733002: Optimize @@species based on a global 'protector' cell (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: DCHECK Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/isolate.cc

diff --git a/src/isolate.cc b/src/isolate.cc

index e9a237b412c7434c5ac30313c4b4e81c8e1987f2..9f81d8a99e6effb0b106a61ad07055826098a4e6 100644

--- a/src/isolate.cc

+++ b/src/isolate.cc

@@ -2511,8 +2511,35 @@ bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {

return cell_reports_intact;

}

+bool Isolate::IsArraySpeciesLookupChainIntact() {

+ // Note: It would be nice to have debug checks to make sure that the

+ // species protector is accurate, but this would be hard to do for most of

+ // what the protector stands for:

+ // - You'd need to traverse the heap to check that no Array instance has

+ // a constructor property or a modified __proto__

+ // - To check that Array[Symbol.species] == Array, JS code has to execute,

+ // but JS cannot be invoked in callstack overflow situations

+ // All that could be checked reliably is that

+ // Array.prototype.constructor == Array. Given that limitation, no check is

+ // done here. In place, there are mjsunit tests harmony/array-species* which

+ // ensure that behavior is correct in various invalid protector cases.

+ PropertyCell* species_cell = heap()->species_protector();

+ return species_cell->value()->IsSmi() &&

+ Smi::cast(species_cell->value())->value() == kArrayProtectorValid;

+void Isolate::InvalidateArraySpeciesProtector() {

+ DCHECK(factory()->species_protector()->value()->IsSmi());

+ DCHECK(IsArraySpeciesLookupChainIntact());

+ PropertyCell::SetValueWithInvalidation(

+ factory()->species_protector(),

+ handle(Smi::FromInt(kArrayProtectorInvalid), this));

+ DCHECK(!IsArraySpeciesLookupChainIntact());

void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {

+ DisallowHeapAllocation no_gc;

if (IsFastArrayConstructorPrototypeChainIntact() &&

object->map()->is_prototype_map()) {

Object* context = heap()->native_contexts_list();

@@ -2522,6 +2549,7 @@ void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {

*object ||

current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==

*object) {

+ CountUsage(v8::Isolate::UseCounterFeature::kArrayProtectorDirtied);

PropertyCell::SetValueWithInvalidation(

factory()->array_protector(),

handle(Smi::FromInt(kArrayProtectorInvalid), this));

« no previous file with comments | « src/isolate.h ('k') | src/lookup.h » ('j') | src/lookup.cc » ('J')