Implement immutable prototype chains

src/objects.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/objects.h"
 
 #include <cmath>
 #include <iomanip>
 #include <sstream>
 
@@ skipping 8663 matching lines @@
   result->set_migration_target(false);
   result->set_construction_counter(kNoSlackTracking);
 
 #ifdef VERIFY_HEAP
   if (FLAG_verify_heap) result->DictionaryMapVerify();
 #endif
 
   return result;
 }
 
+// Return an immutable prototype exotic object version of the input map.
+// This is not cached in the transition tree because it is only used on

[Toon Verwaest, 2016/06/30 15:35:33]

The comment is a little inaccurate. The JS_GLOBAL_OBJECT_TYPE is dictionary mode
so already wouldn't have cached it. It's used on the prototype chain of the
jsglobalproxy though, which includes other object types I presume.

[Dan Ehrenberg, 2016/06/30 23:12:41]

Changed the comment; WDYT?

+// the global object, and excluding it saves memory on the map transition
+// tree.
+
+// static
+Handle<Map> Map::TransitionToImmutableProto(Handle<Map> map) {
+  Handle<Map> new_map = Map::Copy(map, "ImmutablePrototype");
+  new_map->set_immutable_proto(true);
+  return new_map;
+}
 
 Handle<Map> Map::CopyInitialMap(Handle<Map> map, int instance_size,
                                 int in_object_properties,
                                 int unused_property_fields) {
 #ifdef DEBUG
   Isolate* isolate = map->GetIsolate();
   // Strict function maps have Function as a constructor but the
   // Function's initial map is a sloppy function map. Same holds for
   // GeneratorFunction and its initial map.
   Object* constructor = map->GetConstructor();
@@ skipping 6272 matching lines @@
       real_receiver = PrototypeIterator::GetCurrent<JSObject>(iter);
       iter.Advance();
       all_extensible = all_extensible && real_receiver->map()->is_extensible();
     }
   }
   Handle<Map> map(real_receiver->map());
 
   // Nothing to do if prototype is already set.
   if (map->prototype() == *value) return Just(true);
 
+  bool immutable_proto = object->map()->is_immutable_proto();
+  if (immutable_proto) {
+    RETURN_FAILURE(
+        isolate, should_throw,
+        NewTypeError(MessageTemplate::kImmutablePrototypeSet, object));
+  }
+
   // From 8.6.2 Object Internal Methods
   // ...
   // In addition, if [[Extensible]] is false the value of the [[Class]] and
   // [[Prototype]] internal properties of the object may not be modified.
   // ...
   // Implementation specific extensions that modify [[Class]], [[Prototype]]
   // or [[Extensible]] must not violate the invariants defined in the preceding
   // paragraph.
   if (!all_extensible) {
     RETURN_FAILURE(isolate, should_throw,
@@ skipping 31 matching lines @@
     // KeyedStoreICs need to be cleared to ensure any that involve this
     // map go generic.
     TypeFeedbackVector::ClearAllKeyedStoreICs(isolate);
   }
 
   heap->ClearInstanceofCache();
   DCHECK(size == object->Size());
   return Just(true);
 }
 
+// static
+Maybe<bool> JSObject::SetImmutableProto(Handle<JSObject> object,
+                                        bool from_javascript,
+                                        ShouldThrow should_throw) {
+  Isolate* isolate = object->GetIsolate();
+
+  if (from_javascript) {

[Toon Verwaest, 2016/06/30 15:35:33]

I guess this shouldn't be possible? So shouldn't be available?

[Dan Ehrenberg, 2016/06/30 23:12:41]

Good point, nicer to not have that code. I included it because there's some
possibility that SetImmutableProto may be added as a metaprogramming facility in
the future, but better to add it back only when that happens.

+    if (object->IsAccessCheckNeeded() &&
+        !isolate->MayAccess(handle(isolate->context()), object)) {
+      isolate->ReportFailedAccessCheck(object);
+      RETURN_VALUE_IF_SCHEDULED_EXCEPTION(isolate, Nothing<bool>());
+      RETURN_FAILURE(isolate, should_throw,
+                     NewTypeError(MessageTemplate::kNoAccess));
+    }
+  } else {
+    DCHECK(!object->IsAccessCheckNeeded());
+  }
+
+  Handle<JSObject> real_receiver = object;
+  if (from_javascript) {
+    // Find the first object in the chain whose prototype object is not
+    // hidden.
+    PrototypeIterator iter(isolate, real_receiver, kStartAtPrototype,
+                           PrototypeIterator::END_AT_NON_HIDDEN);
+    while (!iter.IsAtEnd()) {
+      // Casting to JSObject is fine because hidden prototypes are never
+      // JSProxies.
+      real_receiver = PrototypeIterator::GetCurrent<JSObject>(iter);
+      iter.Advance();
+    }
+  }
+  Handle<Map> map(real_receiver->map());
+
+  // Nothing to do if prototype is already set.
+  if (map->is_immutable_proto()) return Just(true);
+  Handle<Map> new_map = Map::TransitionToImmutableProto(map);
+  object->set_map(*new_map);
+  return Just(true);
+}
 
 void JSObject::EnsureCanContainElements(Handle<JSObject> object,
                                         Arguments* args,
                                         uint32_t first_arg,
                                         uint32_t arg_count,
                                         EnsureElementsMode mode) {
   // Elements in |Arguments| are ordered backwards (because they're on the
   // stack), but the method that's called here iterates over them in forward
   // direction.
   return EnsureCanContainElements(
@@ skipping 3962 matching lines @@
 
   Object* data_obj =
       constructor->shared()->get_api_func_data()->access_check_info();
   if (data_obj->IsUndefined(isolate)) return nullptr;
 
   return AccessCheckInfo::cast(data_obj);
 }
 
 }  // namespace internal
 }  // namespace v8