
Side by Side Diff: src/objects.cc

Issue 1936393002: Make array __proto__ manipulations not disturb the species protector (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Fix review issues Created 4 years, 7 months ago
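--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1557,21 +1557,21 @@
 
 
 MaybeHandle<Object> Object::ArraySpeciesConstructor(
     Isolate* isolate, Handle<Object> original_array) {
   Handle<Context> native_context = isolate->native_context();
   Handle<Object> default_species = isolate->array_function();
   if (!FLAG_harmony_species) {
     return default_species;
   }
   if (original_array->IsJSArray() &&
-      Handle<JSReceiver>::cast(original_array)->map()->new_target_is_base() &&
+      Handle<JSArray>::cast(original_array)->HasArrayPrototype(isolate) &&
       isolate->IsArraySpeciesLookupChainIntact()) {
     return default_species;
   }
   Handle<Object> constructor = isolate->factory()->undefined_value();
   Maybe<bool> is_array = Object::IsArray(original_array);
   MAYBE_RETURN_NULL(is_array);
   if (is_array.FromJust()) {
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, constructor,
         Object::GetProperty(original_array,
@@ -14919,30 +14919,20 @@
   // 14. Return true.
   return Just(true);
 }
 
 
 Maybe<bool> JSObject::SetPrototype(Handle<JSObject> object,
                                    Handle<Object> value, bool from_javascript,
                                    ShouldThrow should_throw) {
   Isolate* isolate = object->GetIsolate();
 
-  // Setting the prototype of an Array instance invalidates the species
-  // protector
-  // because it could change the constructor property of the instance, which
-  // could change the @@species constructor.
-  if (object->IsJSArray() && isolate->IsArraySpeciesLookupChainIntact()) {
-    isolate->CountUsage(
-        v8::Isolate::UseCounterFeature::kArrayInstanceProtoModified);
-    isolate->InvalidateArraySpeciesProtector();
-  }
-
 #ifdef DEBUG
   int size = object->Size();
 #endif
 
   if (from_javascript) {
     if (object->IsAccessCheckNeeded() &&
         !isolate->MayAccess(handle(isolate->context()), object)) {
       isolate->ReportFailedAccessCheck(object);
       RETURN_VALUE_IF_SCHEDULED_EXCEPTION(isolate, Nothing<bool>());
       RETURN_FAILURE(isolate, should_throw,
@@ -18889,10 +18879,10 @@
   if (cell->value() != *new_value) {
     cell->set_value(*new_value);
     Isolate* isolate = cell->GetIsolate();
     cell->dependent_code()->DeoptimizeDependentCodeGroup(
         isolate, DependentCode::kPropertyCellChangedGroup);
   }
 }
 
 }  // namespace internal
 }  // namespace v8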
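Review bot: The fast-path condition in ArraySpeciesConstructor now depends on two independent facts — the instance's own prototype via `HasArrayPrototype(isolate)` and the intact protector — and the code does not record why the instance check became mandatory; with the invalidation removed from SetPrototype, the protector alone no longer proves that an array whose `__proto__` was swapped resolves `constructor` to Array, so any other consumer of `IsArraySpeciesLookupChainIntact()` (builtin fast paths outside this diff) must make the same per-instance check or it will pick the default species for an array that should take the slow lookup. I would add above the `if`: `// SetPrototype no longer invalidates the species protector, so the protector alone does not cover per-instance __proto__ changes; verify that this instance still has the native Array prototype before taking the fast path.` It is also worth confirming that HasArrayPrototype compares against the Array.prototype of the array's own native context rather than the current one, so a cross-realm array falls through to the spec path rather than being misclassified as a default-species array. The body of ArraySpeciesConstructor continues past the end of the hunk.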
