Implement immutable prototype chains

Implement immutable prototype chains

This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.

The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally, Object.prototype
is an immutable prototype object.

In the implementation, a new bit is added to Maps to say whether the prototype is
immutable, which is read by SetPrototype. Map transitions to the immutable prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full transition
tree.

BUG=v8:5149
Committed: https://crrev.com/0ff7b4830c82b9e6a9f14d375b05ee64009e1d01
Cr-Commit-Position: refs/heads/master@{#37482}

[Dan Ehrenberg, 2016-06-29 15:30:41]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-29 15:30:47]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-29 15:36:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-29 15:36:08]

Dry run: Try jobs failed on following builders:
  v8_win_compile_dbg on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_win_compile_dbg/builds/1...)

[Dan Ehrenberg, 2016-06-29 15:57:26]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-29 15:57:35]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-29 16:00:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-29 16:00:25]

Dry run: Try jobs failed on following builders:
  v8_android_arm_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_android_arm_compile_rel/...)
  v8_linux64_avx2_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_avx2_rel_ng/buil...)
  v8_linux64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_rel_ng/builds/8261)
  v8_linux_mips64el_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_mips64el_compile_r...)
  v8_linux_nodcheck_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_nodcheck_rel_ng/bu...)

[Dan Ehrenberg, 2016-06-29 16:58:54]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-29 16:59:02]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-29 17:07:40]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-29 17:07:42]

Dry run: Try jobs failed on following builders:
  v8_presubmit on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_presubmit/builds/18432)

[Dan Ehrenberg, 2016-06-29 17:20:36]

Description was changed from

==========
Some fixes for immutable prototype exotic object

BUG=
==========

to

==========
Implement immutable prototype chains

This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.

The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally,
Object.prototype
is an immutable prototype object.

In the implementation, a new bit is added to Maps to say whether the prototype
is
immutable, which is read by SetPrototype. Map transitions to the immutable
prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full
transition
tree.

BUG=v8:5149
==========

[Dan Ehrenberg, 2016-06-29 17:44:57]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-29 17:45:00]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Dan Ehrenberg, 2016-06-29 18:02:23]

littledan@chromium.org changed reviewers:
+ jochen@chromium.org, verwaest@chromium.org

[Dan Ehrenberg, 2016-06-29 18:04:01]

https://codereview.chromium.org/2108203002/diff/80001/test/mjsunit/es6/proxie...
File test/mjsunit/es6/proxies-global-reference.js (right):

https://codereview.chromium.org/2108203002/diff/80001/test/mjsunit/es6/proxie...
test/mjsunit/es6/proxies-global-reference.js:9: assertThrows(()=>a,
ReferenceError);
The loss of this test is a bit unfortunate, but it could be reconstituted with a
cctest which constructs the right sort of global object and manipulates its
proto chain. However, that test will soon be obsolete when the code path is
removed after making Blink's prototype chain immutable per spec.

[commit-bot: I haz the power, 2016-06-29 18:17:57]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-29 18:17:58]

Dry run: This issue passed the CQ dry run.

[jochen (gone - plz use gerrit), 2016-06-30 15:15:19]

deferring to Toon

[Toon Verwaest, 2016-06-30 15:35:34]

mostly looking good. I like the internal_field_count cleanup :)

https://codereview.chromium.org/2108203002/diff/80001/src/api-natives.cc
File src/api-natives.cc (right):

https://codereview.chromium.org/2108203002/diff/80001/src/api-natives.cc#newc...
src/api-natives.cc:351: MAYBE_RETURN(JSObject::SetImmutableProto(
I don't think we need to walk the hidden prototype chain since we'll see the
JS_GLOBAL_OBJECT and JS_GLOBAL_PROXY individually; and you should set the flag
on both templates anyway (or we could propagate it at template level). Just make
SetImmutableProto super-simple (just copy the map for immutable proto and set
the map).

https://codereview.chromium.org/2108203002/diff/80001/src/objects-inl.h
File src/objects-inl.h (right):

https://codereview.chromium.org/2108203002/diff/80001/src/objects-inl.h#newco...
src/objects-inl.h:5635: return Smi::cast(value)->value() >> 1;
You probably want to use BitField to designate the bits, decode and combine
them. E.g., set_data(Smi::FromInt(InternalFieldCount::update(data->value(),
new_count)));

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc
File src/objects.cc (right):

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc#newcode8685
src/objects.cc:8685: // This is not cached in the transition tree because it is
only used on
The comment is a little inaccurate. The JS_GLOBAL_OBJECT_TYPE is dictionary mode
so already wouldn't have cached it. It's used on the prototype chain of the
jsglobalproxy though, which includes other object types I presume.

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc#newcode1...
src/objects.cc:15051: if (from_javascript) {
I guess this shouldn't be possible? So shouldn't be available?

[Dan Ehrenberg, 2016-06-30 20:10:23]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-30 20:10:34]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-30 20:32:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-30 20:32:18]

Dry run: Try jobs failed on following builders:
  v8_linux_arm64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_arm64_rel_ng/build...)
  v8_linux_arm64_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_arm64_rel_ng_trigg...)
  v8_linux_nodcheck_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_nodcheck_rel_ng/bu...)
  v8_linux_nodcheck_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_nodcheck_rel_ng_tr...)
  v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/9914)
  v8_win64_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng_triggered/b...)

[Dan Ehrenberg, 2016-06-30 20:46:48]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-30 20:46:55]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Dan Ehrenberg, 2016-06-30 21:57:43]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-30 21:57:45]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-30 22:16:32]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-30 22:16:33]

Dry run: Try jobs failed on following builders:
  v8_linux64_avx2_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_avx2_rel_ng/buil...)
  v8_linux64_avx2_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_avx2_rel_ng_trig...)

[Dan Ehrenberg, 2016-06-30 22:42:12]

The CQ bit was checked by littledan@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-30 22:42:23]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-06-30 23:10:34]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-30 23:10:35]

Dry run: This issue passed the CQ dry run.

[Dan Ehrenberg, 2016-06-30 23:12:41]

Addressed comments PTAL

https://codereview.chromium.org/2108203002/diff/80001/src/api-natives.cc
File src/api-natives.cc (right):

https://codereview.chromium.org/2108203002/diff/80001/src/api-natives.cc#newc...
src/api-natives.cc:351: MAYBE_RETURN(JSObject::SetImmutableProto(
On 2016/06/30 at 15:35:33, Toon Verwaest wrote:
> I don't think we need to walk the hidden prototype chain since we'll see the
JS_GLOBAL_OBJECT and JS_GLOBAL_PROXY individually; and you should set the flag
on both templates anyway (or we could propagate it at template level). Just make
SetImmutableProto super-simple (just copy the map for immutable proto and set
the map).

Removed all that extra useless code.

https://codereview.chromium.org/2108203002/diff/80001/src/objects-inl.h
File src/objects-inl.h (right):

https://codereview.chromium.org/2108203002/diff/80001/src/objects-inl.h#newco...
src/objects-inl.h:5635: return Smi::cast(value)->value() >> 1;
On 2016/06/30 at 15:35:33, Toon Verwaest wrote:
> You probably want to use BitField to designate the bits, decode and combine
them. E.g., set_data(Smi::FromInt(InternalFieldCount::update(data->value(),
new_count)));

Done

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc
File src/objects.cc (right):

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc#newcode8685
src/objects.cc:8685: // This is not cached in the transition tree because it is
only used on
On 2016/06/30 at 15:35:33, Toon Verwaest wrote:
> The comment is a little inaccurate. The JS_GLOBAL_OBJECT_TYPE is dictionary
mode so already wouldn't have cached it. It's used on the prototype chain of the
jsglobalproxy though, which includes other object types I presume.

Changed the comment; WDYT?

https://codereview.chromium.org/2108203002/diff/80001/src/objects.cc#newcode1...
src/objects.cc:15051: if (from_javascript) {
On 2016/06/30 at 15:35:33, Toon Verwaest wrote:
> I guess this shouldn't be possible? So shouldn't be available?

Good point, nicer to not have that code. I included it because there's some
possibility that SetImmutableProto may be added as a metaprogramming facility in
the future, but better to add it back only when that happens.

[Toon Verwaest, 2016-07-01 07:24:45]

lgtm, thanks!

[jochen (gone - plz use gerrit), 2016-07-01 14:16:09]

lgtm with nit

https://codereview.chromium.org/2108203002/diff/160001/include/v8.h
File include/v8.h (right):

https://codereview.chromium.org/2108203002/diff/160001/include/v8.h#newcode4839
include/v8.h:4839: bool ImmutableProto();
nit. IsImmutableProto()?

[Dan Ehrenberg, 2016-07-01 18:51:26]

The CQ bit was checked by littledan@chromium.org

[Dan Ehrenberg, 2016-07-01 18:51:28]

https://codereview.chromium.org/2108203002/diff/160001/include/v8.h
File include/v8.h (right):

https://codereview.chromium.org/2108203002/diff/160001/include/v8.h#newcode4839
include/v8.h:4839: bool ImmutableProto();
On 2016/07/01 at 14:16:09, jochen wrote:
> nit. IsImmutableProto()?

Done

[Dan Ehrenberg, 2016-07-01 18:51:28]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org,
verwaest@chromium.org
Link to the patchset: https://codereview.chromium.org/2108203002/#ps180001
(title: "IsImmutableProto")

[commit-bot: I haz the power, 2016-07-01 18:51:31]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-01 19:17:03]

Committed patchset #10 (id:180001)

[commit-bot: I haz the power, 2016-07-01 19:20:25]

Description was changed from

==========
Implement immutable prototype chains

This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.

The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally,
Object.prototype
is an immutable prototype object.

In the implementation, a new bit is added to Maps to say whether the prototype
is
immutable, which is read by SetPrototype. Map transitions to the immutable
prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full
transition
tree.

BUG=v8:5149
==========

to

==========
Implement immutable prototype chains

This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.

The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally,
Object.prototype
is an immutable prototype object.

In the implementation, a new bit is added to Maps to say whether the prototype
is
immutable, which is read by SetPrototype. Map transitions to the immutable
prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full
transition
tree.

BUG=v8:5149

Committed: https://crrev.com/0ff7b4830c82b9e6a9f14d375b05ee64009e1d01
Cr-Commit-Position: refs/heads/master@{#37482}
==========

[commit-bot: I haz the power, 2016-07-01 19:20:27]

Patchset 10 (id:??) landed as
https://crrev.com/0ff7b4830c82b9e6a9f14d375b05ee64009e1d01
Cr-Commit-Position: refs/heads/master@{#37482}