src/objects.cc - Issue 1689733002: Optimize @@species based on a global 'protector' cell

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 1689733002: Optimize @@species based on a global 'protector' cell (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: DCHECK Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index ab3008fe65b95a599379cec3b87c9690fdcff44d..f6def64238a12cb3be0ded9784c4b691b2179ed8 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -1551,8 +1551,14 @@ bool Object::SameValueZero(Object* other) {

MaybeHandle<Object> Object::ArraySpeciesConstructor(

Isolate* isolate, Handle<Object> original_array) {

Handle<Context> native_context = isolate->native_context();

+ Handle<Object> default_species = isolate->array_function();

if (!FLAG_harmony_species) {

- return Handle<Object>(native_context->array_function(), isolate);

+ return default_species;

+ }

+ if (original_array->IsJSArray() &&

+ Handle<JSReceiver>::cast(original_array)->map()->new_target_is_base() &&

+ isolate->IsArraySpeciesLookupChainIntact()) {

+ return default_species;

}

Handle<Object> constructor = isolate->factory()->undefined_value();

Maybe<bool> is_array = Object::IsArray(original_array);

@@ -1586,7 +1592,7 @@ MaybeHandle<Object> Object::ArraySpeciesConstructor(

}

if (constructor->IsUndefined()) {

- return Handle<Object>(native_context->array_function(), isolate);

+ return default_species;

} else {

if (!constructor->IsConstructor()) {

THROW_NEW_ERROR(isolate,

@@ -4144,6 +4150,7 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,

LanguageMode language_mode,

StoreFromKeyed store_mode,

bool* found) {

+ it->UpdateProtector();

ShouldThrow should_throw =

is_sloppy(language_mode) ? DONT_THROW : THROW_ON_ERROR;

@@ -5275,6 +5282,7 @@ MaybeHandle<Object> JSObject::DefineOwnPropertyIgnoreAttributes(

Maybe<bool> JSObject::DefineOwnPropertyIgnoreAttributes(

LookupIterator* it, Handle<Object> value, PropertyAttributes attributes,

ShouldThrow should_throw, AccessorInfoHandling handling) {

+ it->UpdateProtector();

Handle<JSObject> object = Handle<JSObject>::cast(it->GetReceiver());

bool is_observed = object->map()->is_observed() &&

(it->IsElement() || !it->name()->IsPrivate());

@@ -15701,6 +15709,16 @@ Maybe<bool> JSObject::SetPrototype(Handle<JSObject> object,

ShouldThrow should_throw) {

Isolate* isolate = object->GetIsolate();

+ // Setting the prototype of an Array instance invalidates the species

+ // protector

+ // because it could change the constructor property of the instance, which

+ // could change the @@species constructor.

+ if (object->IsJSArray() && isolate->IsArraySpeciesLookupChainIntact()) {

+ isolate->CountUsage(

+ v8::Isolate::UseCounterFeature::kArrayInstanceProtoModified);

+ isolate->InvalidateArraySpeciesProtector();

+ }

const bool observed = from_javascript && object->map()->is_observed();

Handle<Object> old_value;

if (observed) {

« src/lookup.cc ('K') | « src/lookup.cc ('k') | test/mjsunit/harmony/array-species.js » ('j') | no next file with comments »