Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(489)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/builtins/builtins.cc

Issue 2158793003: [builtins] move array builtins into its own file. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@declares
Patch Set: rebase Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « BUILD.gn ('k') | src/builtins/builtins-array.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/builtins/builtins.h" 5 #include "src/builtins/builtins.h"
6 #include "src/builtins/builtins-utils.h"
6 7
7 #include "src/api-arguments.h" 8 #include "src/api-arguments.h"
8 #include "src/api-natives.h" 9 #include "src/api-natives.h"
9 #include "src/base/ieee754.h" 10 #include "src/base/ieee754.h"
10 #include "src/base/once.h" 11 #include "src/base/once.h"
11 #include "src/bootstrapper.h" 12 #include "src/bootstrapper.h"
12 #include "src/code-factory.h" 13 #include "src/code-factory.h"
13 #include "src/code-stub-assembler.h"
14 #include "src/dateparser-inl.h" 14 #include "src/dateparser-inl.h"
15 #include "src/elements.h"
16 #include "src/frames-inl.h" 15 #include "src/frames-inl.h"
17 #include "src/gdb-jit.h" 16 #include "src/gdb-jit.h"
18 #include "src/globals.h" 17 #include "src/globals.h"
19 #include "src/ic/handler-compiler.h" 18 #include "src/ic/handler-compiler.h"
20 #include "src/ic/ic.h" 19 #include "src/ic/ic.h"
21 #include "src/isolate-inl.h" 20 #include "src/isolate-inl.h"
22 #include "src/json-parser.h" 21 #include "src/json-parser.h"
23 #include "src/json-stringifier.h" 22 #include "src/json-stringifier.h"
24 #include "src/messages.h" 23 #include "src/messages.h"
25 #include "src/property-descriptor.h" 24 #include "src/property-descriptor.h"
26 #include "src/prototype.h" 25 #include "src/prototype.h"
27 #include "src/string-builder.h" 26 #include "src/string-builder.h"
28 #include "src/uri.h" 27 #include "src/uri.h"
29 #include "src/vm-state-inl.h" 28 #include "src/vm-state-inl.h"
30 29
31 namespace v8 { 30 namespace v8 {
32 namespace internal { 31 namespace internal {
33 32
34 namespace { 33 // Forward declarations for C++ builtins.
35 34 #define FORWARD_DECLARE(Name) \
36 // Arguments object passed to C++ builtins. 35 Object* Builtin_##Name(int argc, Object** args, Isolate* isolate);
37 class BuiltinArguments : public Arguments { 36 BUILTIN_LIST_C(FORWARD_DECLARE)
38 public: 37 #undef FORWARD_DECLARE
39 BuiltinArguments(int length, Object** arguments)
40 : Arguments(length, arguments) {
41 // Check we have at least the receiver.
42 DCHECK_LE(1, this->length());
43 }
44
45 Object*& operator[](int index) {
46 DCHECK_LT(index, length());
47 return Arguments::operator[](index);
48 }
49
50 template <class S>
51 Handle<S> at(int index) {
52 DCHECK_LT(index, length());
53 return Arguments::at<S>(index);
54 }
55
56 Handle<Object> atOrUndefined(Isolate* isolate, int index) {
57 if (index >= length()) {
58 return isolate->factory()->undefined_value();
59 }
60 return at<Object>(index);
61 }
62
63 Handle<Object> receiver() { return Arguments::at<Object>(0); }
64
65 static const int kNewTargetOffset = 0;
66 static const int kTargetOffset = 1;
67 static const int kArgcOffset = 2;
68 static const int kNumExtraArgs = 3;
69 static const int kNumExtraArgsWithReceiver = 4;
70
71 template <class S>
72 Handle<S> target() {
73 return Arguments::at<S>(Arguments::length() - 1 - kTargetOffset);
74 }
75 Handle<HeapObject> new_target() {
76 return Arguments::at<HeapObject>(Arguments::length() - 1 -
77 kNewTargetOffset);
78 }
79
80 // Gets the total number of arguments including the receiver (but
81 // excluding extra arguments).
82 int length() const { return Arguments::length() - kNumExtraArgs; }
83 };
84
85 // ----------------------------------------------------------------------------
86 // Support macro for defining builtins in C++.
87 // ----------------------------------------------------------------------------
88 //
89 // A builtin function is defined by writing:
90 //
91 // BUILTIN(name) {
92 // ...
93 // }
94 //
95 // In the body of the builtin function the arguments can be accessed
96 // through the BuiltinArguments object args.
97 // TODO(cbruni): add global flag to check whether any tracing events have been
98 // enabled.
99 #define BUILTIN(name) \
100 MUST_USE_RESULT static Object* Builtin_Impl_##name(BuiltinArguments args, \
101 Isolate* isolate); \
102 \
103 V8_NOINLINE static Object* Builtin_Impl_Stats_##name( \
104 int args_length, Object** args_object, Isolate* isolate) { \
105 BuiltinArguments args(args_length, args_object); \
106 RuntimeCallTimerScope timer(isolate, &RuntimeCallStats::Builtin_##name); \
107 TRACE_EVENT0(TRACE_DISABLED_BY_DEFAULT("v8.runtime"), \
108 "V8.Builtin_" #name); \
109 return Builtin_Impl_##name(args, isolate); \
110 } \
111 \
112 MUST_USE_RESULT Object* Builtin_##name( \
113 int args_length, Object** args_object, Isolate* isolate) { \
114 DCHECK(isolate->context() == nullptr || isolate->context()->IsContext()); \
115 if (FLAG_runtime_call_stats) { \
116 return Builtin_Impl_Stats_##name(args_length, args_object, isolate); \
117 } \
118 BuiltinArguments args(args_length, args_object); \
119 return Builtin_Impl_##name(args, isolate); \
120 } \
121 \
122 MUST_USE_RESULT static Object* Builtin_Impl_##name(BuiltinArguments args, \
123 Isolate* isolate)
124
125 // ----------------------------------------------------------------------------
126
127 #define CHECK_RECEIVER(Type, name, method) \
128 if (!args.receiver()->Is##Type()) { \
129 THROW_NEW_ERROR_RETURN_FAILURE( \
130 isolate, \
131 NewTypeError(MessageTemplate::kIncompatibleMethodReceiver, \
132 isolate->factory()->NewStringFromAsciiChecked(method), \
133 args.receiver())); \
134 } \
135 Handle<Type> name = Handle<Type>::cast(args.receiver())
136
137 // Throws a TypeError for {method} if the receiver is not coercible to Object,
138 // or converts the receiver to a String otherwise and assigns it to a new var
139 // with the given {name}.
140 #define TO_THIS_STRING(name, method) \
141 if (args.receiver()->IsNull(isolate) || \
142 args.receiver()->IsUndefined(isolate)) { \
143 THROW_NEW_ERROR_RETURN_FAILURE( \
144 isolate, \
145 NewTypeError(MessageTemplate::kCalledOnNullOrUndefined, \
146 isolate->factory()->NewStringFromAsciiChecked(method))); \
147 } \
148 Handle<String> name; \
149 ASSIGN_RETURN_FAILURE_ON_EXCEPTION( \
150 isolate, name, Object::ToString(isolate, args.receiver()))
151
152 inline bool ClampedToInteger(Isolate* isolate, Object* object, int* out) {
153 // This is an extended version of ECMA-262 7.1.11 handling signed values
154 // Try to convert object to a number and clamp values to [kMinInt, kMaxInt]
155 if (object->IsSmi()) {
156 *out = Smi::cast(object)->value();
157 return true;
158 } else if (object->IsHeapNumber()) {
159 double value = HeapNumber::cast(object)->value();
160 if (std::isnan(value)) {
161 *out = 0;
162 } else if (value > kMaxInt) {
163 *out = kMaxInt;
164 } else if (value < kMinInt) {
165 *out = kMinInt;
166 } else {
167 *out = static_cast<int>(value);
168 }
169 return true;
170 } else if (object->IsUndefined(isolate) || object->IsNull(isolate)) {
171 *out = 0;
172 return true;
173 } else if (object->IsBoolean()) {
174 *out = object->IsTrue(isolate);
175 return true;
176 }
177 return false;
178 }
179
180 inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle<JSObject> object,
181 int* out) {
182 Context* context = *isolate->native_context();
183 Map* map = object->map();
184 if (map != context->sloppy_arguments_map() &&
185 map != context->strict_arguments_map() &&
186 map != context->fast_aliased_arguments_map()) {
187 return false;
188 }
189 DCHECK(object->HasFastElements() || object->HasFastArgumentsElements());
190 Object* len_obj = object->InObjectPropertyAt(JSArgumentsObject::kLengthIndex);
191 if (!len_obj->IsSmi()) return false;
192 *out = Max(0, Smi::cast(len_obj)->value());
193 return *out <= object->elements()->length();
194 }
195
196 inline bool PrototypeHasNoElements(Isolate* isolate, JSObject* object) {
197 DisallowHeapAllocation no_gc;
198 HeapObject* prototype = HeapObject::cast(object->map()->prototype());
199 HeapObject* null = isolate->heap()->null_value();
200 HeapObject* empty = isolate->heap()->empty_fixed_array();
201 while (prototype != null) {
202 Map* map = prototype->map();
203 if (map->instance_type() <= LAST_CUSTOM_ELEMENTS_RECEIVER) return false;
204 if (JSObject::cast(prototype)->elements() != empty) return false;
205 prototype = HeapObject::cast(map->prototype());
206 }
207 return true;
208 }
209
210 inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,
211 JSArray* receiver) {
212 return PrototypeHasNoElements(isolate, receiver);
213 }
214
215 inline bool HasSimpleElements(JSObject* current) {
216 return current->map()->instance_type() > LAST_CUSTOM_ELEMENTS_RECEIVER &&
217 !current->GetElementsAccessor()->HasAccessors(current);
218 }
219
220 inline bool HasOnlySimpleReceiverElements(Isolate* isolate,
221 JSObject* receiver) {
222 // Check that we have no accessors on the receiver's elements.
223 if (!HasSimpleElements(receiver)) return false;
224 return PrototypeHasNoElements(isolate, receiver);
225 }
226
227 inline bool HasOnlySimpleElements(Isolate* isolate, JSReceiver* receiver) {
228 DisallowHeapAllocation no_gc;
229 PrototypeIterator iter(isolate, receiver, kStartAtReceiver);
230 for (; !iter.IsAtEnd(); iter.Advance()) {
231 if (iter.GetCurrent()->IsJSProxy()) return false;
232 JSObject* current = iter.GetCurrent<JSObject>();
233 if (!HasSimpleElements(current)) return false;
234 }
235 return true;
236 }
237
238 // Returns |false| if not applicable.
239 MUST_USE_RESULT
240 inline bool EnsureJSArrayWithWritableFastElements(Isolate* isolate,
241 Handle<Object> receiver,
242 BuiltinArguments* args,
243 int first_added_arg) {
244 if (!receiver->IsJSArray()) return false;
245 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
246 ElementsKind origin_kind = array->GetElementsKind();
247 if (IsDictionaryElementsKind(origin_kind)) return false;
248 if (!array->map()->is_extensible()) return false;
249 if (args == nullptr) return true;
250
251 // If there may be elements accessors in the prototype chain, the fast path
252 // cannot be used if there arguments to add to the array.
253 if (!IsJSArrayFastElementMovingAllowed(isolate, *array)) return false;
254
255 // Adding elements to the array prototype would break code that makes sure
256 // it has no elements. Handle that elsewhere.
257 if (isolate->IsAnyInitialArrayPrototype(array)) return false;
258
259 // Need to ensure that the arguments passed in args can be contained in
260 // the array.
261 int args_length = args->length();
262 if (first_added_arg >= args_length) return true;
263
264 if (IsFastObjectElementsKind(origin_kind)) return true;
265 ElementsKind target_kind = origin_kind;
266 {
267 DisallowHeapAllocation no_gc;
268 for (int i = first_added_arg; i < args_length; i++) {
269 Object* arg = (*args)[i];
270 if (arg->IsHeapObject()) {
271 if (arg->IsHeapNumber()) {
272 target_kind = FAST_DOUBLE_ELEMENTS;
273 } else {
274 target_kind = FAST_ELEMENTS;
275 break;
276 }
277 }
278 }
279 }
280 if (target_kind != origin_kind) {
281 // Use a short-lived HandleScope to avoid creating several copies of the
282 // elements handle which would cause issues when left-trimming later-on.
283 HandleScope scope(isolate);
284 JSObject::TransitionElementsKind(array, target_kind);
285 }
286 return true;
287 }
288
289 MUST_USE_RESULT static Object* CallJsIntrinsic(Isolate* isolate,
290 Handle<JSFunction> function,
291 BuiltinArguments args) {
292 HandleScope handleScope(isolate);
293 int argc = args.length() - 1;
294 ScopedVector<Handle<Object>> argv(argc);
295 for (int i = 0; i < argc; ++i) {
296 argv[i] = args.at<Object>(i + 1);
297 }
298 RETURN_RESULT_OR_FAILURE(
299 isolate,
300 Execution::Call(isolate, function, args.receiver(), argc, argv.start()));
301 }
302
303 } // namespace
304 38
305 BUILTIN(Illegal) { 39 BUILTIN(Illegal) {
306 UNREACHABLE(); 40 UNREACHABLE();
307 return isolate->heap()->undefined_value(); // Make compiler happy. 41 return isolate->heap()->undefined_value(); // Make compiler happy.
308 } 42 }
309 43
310 BUILTIN(EmptyFunction) { return isolate->heap()->undefined_value(); } 44 BUILTIN(EmptyFunction) { return isolate->heap()->undefined_value(); }
311 45
312 void Builtins::Generate_ArrayIsArray(CodeStubAssembler* assembler) {
313 typedef compiler::Node Node;
314 typedef CodeStubAssembler::Label Label;
315
316 Node* object = assembler->Parameter(1);
317 Node* context = assembler->Parameter(4);
318
319 Label call_runtime(assembler), return_true(assembler),
320 return_false(assembler);
321
322 assembler->GotoIf(assembler->WordIsSmi(object), &return_false);
323 Node* instance_type = assembler->LoadInstanceType(object);
324
325 assembler->GotoIf(assembler->Word32Equal(
326 instance_type, assembler->Int32Constant(JS_ARRAY_TYPE)),
327 &return_true);
328
329 // TODO(verwaest): Handle proxies in-place.
330 assembler->Branch(assembler->Word32Equal(
331 instance_type, assembler->Int32Constant(JS_PROXY_TYPE)),
332 &call_runtime, &return_false);
333
334 assembler->Bind(&return_true);
335 assembler->Return(assembler->BooleanConstant(true));
336
337 assembler->Bind(&return_false);
338 assembler->Return(assembler->BooleanConstant(false));
339
340 assembler->Bind(&call_runtime);
341 assembler->Return(
342 assembler->CallRuntime(Runtime::kArrayIsArray, context, object));
343 }
344 46
345 void Builtins::Generate_ObjectHasOwnProperty(CodeStubAssembler* assembler) { 47 void Builtins::Generate_ObjectHasOwnProperty(CodeStubAssembler* assembler) {
346 typedef compiler::Node Node; 48 typedef compiler::Node Node;
347 typedef CodeStubAssembler::Label Label; 49 typedef CodeStubAssembler::Label Label;
348 typedef CodeStubAssembler::Variable Variable; 50 typedef CodeStubAssembler::Variable Variable;
349 51
350 Node* object = assembler->Parameter(0); 52 Node* object = assembler->Parameter(0);
351 Node* key = assembler->Parameter(1); 53 Node* key = assembler->Parameter(1);
352 Node* context = assembler->Parameter(4); 54 Node* context = assembler->Parameter(4);
353 55
(...skipping 27 matching lines...) Expand all
381 assembler->Return(assembler->BooleanConstant(true)); 83 assembler->Return(assembler->BooleanConstant(true));
382 84
383 assembler->Bind(&return_false); 85 assembler->Bind(&return_false);
384 assembler->Return(assembler->BooleanConstant(false)); 86 assembler->Return(assembler->BooleanConstant(false));
385 87
386 assembler->Bind(&call_runtime); 88 assembler->Bind(&call_runtime);
387 assembler->Return(assembler->CallRuntime(Runtime::kObjectHasOwnProperty, 89 assembler->Return(assembler->CallRuntime(Runtime::kObjectHasOwnProperty,
388 context, object, key)); 90 context, object, key));
389 } 91 }
390 92
93 namespace {
94
95 MUST_USE_RESULT Maybe<bool> FastAssign(Handle<JSReceiver> to,
96 Handle<Object> next_source) {
97 // Non-empty strings are the only non-JSReceivers that need to be handled
98 // explicitly by Object.assign.
99 if (!next_source->IsJSReceiver()) {
100 return Just(!next_source->IsString() ||
101 String::cast(*next_source)->length() == 0);
102 }
103
104 // If the target is deprecated, the object will be updated on first store. If
105 // the source for that store equals the target, this will invalidate the
106 // cached representation of the source. Preventively upgrade the target.
107 // Do this on each iteration since any property load could cause deprecation.
108 if (to->map()->is_deprecated()) {
109 JSObject::MigrateInstance(Handle<JSObject>::cast(to));
110 }
111
112 Isolate* isolate = to->GetIsolate();
113 Handle<Map> map(JSReceiver::cast(*next_source)->map(), isolate);
114
115 if (!map->IsJSObjectMap()) return Just(false);
116 if (!map->OnlyHasSimpleProperties()) return Just(false);
117
118 Handle<JSObject> from = Handle<JSObject>::cast(next_source);
119 if (from->elements() != isolate->heap()->empty_fixed_array()) {
120 return Just(false);
121 }
122
123 Handle<DescriptorArray> descriptors(map->instance_descriptors(), isolate);
124 int length = map->NumberOfOwnDescriptors();
125
126 bool stable = true;
127
128 for (int i = 0; i < length; i++) {
129 Handle<Name> next_key(descriptors->GetKey(i), isolate);
130 Handle<Object> prop_value;
131 // Directly decode from the descriptor array if |from| did not change shape.
132 if (stable) {
133 PropertyDetails details = descriptors->GetDetails(i);
134 if (!details.IsEnumerable()) continue;
135 if (details.kind() == kData) {
136 if (details.location() == kDescriptor) {
137 prop_value = handle(descriptors->GetValue(i), isolate);
138 } else {
139 Representation representation = details.representation();
140 FieldIndex index = FieldIndex::ForDescriptor(*map, i);
141 prop_value = JSObject::FastPropertyAt(from, representation, index);
142 }
143 } else {
144 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
145 isolate, prop_value, JSReceiver::GetProperty(from, next_key),
146 Nothing<bool>());
147 stable = from->map() == *map;
148 }
149 } else {
150 // If the map did change, do a slower lookup. We are still guaranteed that
151 // the object has a simple shape, and that the key is a name.
152 LookupIterator it(from, next_key, from,
153 LookupIterator::OWN_SKIP_INTERCEPTOR);
154 if (!it.IsFound()) continue;
155 DCHECK(it.state() == LookupIterator::DATA ||
156 it.state() == LookupIterator::ACCESSOR);
157 if (!it.IsEnumerable()) continue;
158 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
159 isolate, prop_value, Object::GetProperty(&it), Nothing<bool>());
160 }
161 LookupIterator it(to, next_key, to);
162 bool call_to_js = it.IsFound() && it.state() != LookupIterator::DATA;
163 Maybe<bool> result = Object::SetProperty(
164 &it, prop_value, STRICT, Object::CERTAINLY_NOT_STORE_FROM_KEYED);
165 if (result.IsNothing()) return result;
166 if (stable && call_to_js) stable = from->map() == *map;
167 }
168
169 return Just(true);
170 }
171
172 } // namespace
173
174 // ES6 19.1.2.1 Object.assign
175 BUILTIN(ObjectAssign) {
176 HandleScope scope(isolate);
177 Handle<Object> target = args.atOrUndefined(isolate, 1);
178
179 // 1. Let to be ? ToObject(target).
180 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target,
181 Object::ToObject(isolate, target));
182 Handle<JSReceiver> to = Handle<JSReceiver>::cast(target);
183 // 2. If only one argument was passed, return to.
184 if (args.length() == 2) return *to;
185 // 3. Let sources be the List of argument values starting with the
186 // second argument.
187 // 4. For each element nextSource of sources, in ascending index order,
188 for (int i = 2; i < args.length(); ++i) {
189 Handle<Object> next_source = args.at<Object>(i);
190 Maybe<bool> fast_assign = FastAssign(to, next_source);
191 if (fast_assign.IsNothing()) return isolate->heap()->exception();
192 if (fast_assign.FromJust()) continue;
193 // 4a. If nextSource is undefined or null, let keys be an empty List.
194 // 4b. Else,
195 // 4b i. Let from be ToObject(nextSource).
196 // Only non-empty strings and JSReceivers have enumerable properties.
197 Handle<JSReceiver> from =
198 Object::ToObject(isolate, next_source).ToHandleChecked();
199 // 4b ii. Let keys be ? from.[[OwnPropertyKeys]]().
200 Handle<FixedArray> keys;
201 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
202 isolate, keys, KeyAccumulator::GetKeys(
203 from, KeyCollectionMode::kOwnOnly, ALL_PROPERTIES,
204 GetKeysConversion::kKeepNumbers));
205 // 4c. Repeat for each element nextKey of keys in List order,
206 for (int j = 0; j < keys->length(); ++j) {
207 Handle<Object> next_key(keys->get(j), isolate);
208 // 4c i. Let desc be ? from.[[GetOwnProperty]](nextKey).
209 PropertyDescriptor desc;
210 Maybe<bool> found =
211 JSReceiver::GetOwnPropertyDescriptor(isolate, from, next_key, &desc);
212 if (found.IsNothing()) return isolate->heap()->exception();
213 // 4c ii. If desc is not undefined and desc.[[Enumerable]] is true, then
214 if (found.FromJust() && desc.enumerable()) {
215 // 4c ii 1. Let propValue be ? Get(from, nextKey).
216 Handle<Object> prop_value;
217 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
218 isolate, prop_value,
219 Runtime::GetObjectProperty(isolate, from, next_key));
220 // 4c ii 2. Let status be ? Set(to, nextKey, propValue, true).
221 Handle<Object> status;
222 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
223 isolate, status, Runtime::SetObjectProperty(isolate, to, next_key,
224 prop_value, STRICT));
225 }
226 }
227 }
228 // 5. Return to.
229 return *to;
230 }
231
391 namespace { // anonymous namespace for ObjectProtoToString() 232 namespace { // anonymous namespace for ObjectProtoToString()
392 233
393 void IsString(CodeStubAssembler* assembler, compiler::Node* object, 234 void IsString(CodeStubAssembler* assembler, compiler::Node* object,
394 CodeStubAssembler::Label* if_string, 235 CodeStubAssembler::Label* if_string,
395 CodeStubAssembler::Label* if_notstring) { 236 CodeStubAssembler::Label* if_notstring) {
396 typedef compiler::Node Node; 237 typedef compiler::Node Node;
397 typedef CodeStubAssembler::Label Label; 238 typedef CodeStubAssembler::Label Label;
398 239
399 Label if_notsmi(assembler); 240 Label if_notsmi(assembler);
400 assembler->Branch(assembler->WordIsSmi(object), if_notstring, &if_notsmi); 241 assembler->Branch(assembler->WordIsSmi(object), if_notstring, &if_notsmi);
(...skipping 228 matching lines...) Expand 10 before | Expand all | Expand 10 after
629 &return_object, &return_function); 470 &return_object, &return_function);
630 } 471 }
631 472
632 // Default 473 // Default
633 assembler->Bind(&return_object); 474 assembler->Bind(&return_object);
634 assembler->Return(assembler->HeapConstant( 475 assembler->Return(assembler->HeapConstant(
635 assembler->isolate()->factory()->object_to_string())); 476 assembler->isolate()->factory()->object_to_string()));
636 } 477 }
637 } 478 }
638 479
639 namespace {
640
641 Object* DoArrayPush(Isolate* isolate, BuiltinArguments args) {
642 HandleScope scope(isolate);
643 Handle<Object> receiver = args.receiver();
644 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 1)) {
645 return CallJsIntrinsic(isolate, isolate->array_push(), args);
646 }
647 // Fast Elements Path
648 int to_add = args.length() - 1;
649 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
650 int len = Smi::cast(array->length())->value();
651 if (to_add == 0) return Smi::FromInt(len);
652
653 // Currently fixed arrays cannot grow too big, so we should never hit this.
654 DCHECK_LE(to_add, Smi::kMaxValue - Smi::cast(array->length())->value());
655
656 if (JSArray::HasReadOnlyLength(array)) {
657 return CallJsIntrinsic(isolate, isolate->array_push(), args);
658 }
659
660 ElementsAccessor* accessor = array->GetElementsAccessor();
661 int new_length = accessor->Push(array, &args, to_add);
662 return Smi::FromInt(new_length);
663 }
664
665 } // namespace
666
667 BUILTIN(ArrayPush) { return DoArrayPush(isolate, args); }
668
669 // TODO(verwaest): This is a temporary helper until the FastArrayPush stub can
670 // tailcall to the builtin directly.
671 RUNTIME_FUNCTION(Runtime_ArrayPush) {
672 DCHECK_EQ(2, args.length());
673 Arguments* incoming = reinterpret_cast<Arguments*>(args[0]);
674 // Rewrap the arguments as builtins arguments.
675 int argc = incoming->length() + BuiltinArguments::kNumExtraArgsWithReceiver;
676 BuiltinArguments caller_args(argc, incoming->arguments() + 1);
677 return DoArrayPush(isolate, caller_args);
678 }
679
680 BUILTIN(ArrayPop) {
681 HandleScope scope(isolate);
682 Handle<Object> receiver = args.receiver();
683 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, nullptr, 0)) {
684 return CallJsIntrinsic(isolate, isolate->array_pop(), args);
685 }
686
687 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
688
689 uint32_t len = static_cast<uint32_t>(Smi::cast(array->length())->value());
690 if (len == 0) return isolate->heap()->undefined_value();
691
692 if (JSArray::HasReadOnlyLength(array)) {
693 return CallJsIntrinsic(isolate, isolate->array_pop(), args);
694 }
695
696 Handle<Object> result;
697 if (IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
698 // Fast Elements Path
699 result = array->GetElementsAccessor()->Pop(array);
700 } else {
701 // Use Slow Lookup otherwise
702 uint32_t new_length = len - 1;
703 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
704 isolate, result, JSReceiver::GetElement(isolate, array, new_length));
705 JSArray::SetLength(array, new_length);
706 }
707 return *result;
708 }
709
710 BUILTIN(ArrayShift) {
711 HandleScope scope(isolate);
712 Heap* heap = isolate->heap();
713 Handle<Object> receiver = args.receiver();
714 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, nullptr, 0) ||
715 !IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
716 return CallJsIntrinsic(isolate, isolate->array_shift(), args);
717 }
718 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
719
720 int len = Smi::cast(array->length())->value();
721 if (len == 0) return heap->undefined_value();
722
723 if (JSArray::HasReadOnlyLength(array)) {
724 return CallJsIntrinsic(isolate, isolate->array_shift(), args);
725 }
726
727 Handle<Object> first = array->GetElementsAccessor()->Shift(array);
728 return *first;
729 }
730
731 BUILTIN(ArrayUnshift) {
732 HandleScope scope(isolate);
733 Handle<Object> receiver = args.receiver();
734 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 1)) {
735 return CallJsIntrinsic(isolate, isolate->array_unshift(), args);
736 }
737 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
738 int to_add = args.length() - 1;
739 if (to_add == 0) return array->length();
740
741 // Currently fixed arrays cannot grow too big, so we should never hit this.
742 DCHECK_LE(to_add, Smi::kMaxValue - Smi::cast(array->length())->value());
743
744 if (JSArray::HasReadOnlyLength(array)) {
745 return CallJsIntrinsic(isolate, isolate->array_unshift(), args);
746 }
747
748 ElementsAccessor* accessor = array->GetElementsAccessor();
749 int new_length = accessor->Unshift(array, &args, to_add);
750 return Smi::FromInt(new_length);
751 }
752
753 BUILTIN(ArraySlice) {
754 HandleScope scope(isolate);
755 Handle<Object> receiver = args.receiver();
756 int len = -1;
757 int relative_start = 0;
758 int relative_end = 0;
759
760 if (receiver->IsJSArray()) {
761 DisallowHeapAllocation no_gc;
762 JSArray* array = JSArray::cast(*receiver);
763 if (V8_UNLIKELY(!array->HasFastElements() ||
764 !IsJSArrayFastElementMovingAllowed(isolate, array) ||
765 !isolate->IsArraySpeciesLookupChainIntact() ||
766 // If this is a subclass of Array, then call out to JS
767 !array->HasArrayPrototype(isolate))) {
768 AllowHeapAllocation allow_allocation;
769 return CallJsIntrinsic(isolate, isolate->array_slice(), args);
770 }
771 len = Smi::cast(array->length())->value();
772 } else if (receiver->IsJSObject() &&
773 GetSloppyArgumentsLength(isolate, Handle<JSObject>::cast(receiver),
774 &len)) {
775 // Array.prototype.slice.call(arguments, ...) is quite a common idiom
776 // (notably more than 50% of invocations in Web apps).
777 // Treat it in C++ as well.
778 DCHECK(JSObject::cast(*receiver)->HasFastElements() ||
779 JSObject::cast(*receiver)->HasFastArgumentsElements());
780 } else {
781 AllowHeapAllocation allow_allocation;
782 return CallJsIntrinsic(isolate, isolate->array_slice(), args);
783 }
784 DCHECK_LE(0, len);
785 int argument_count = args.length() - 1;
786 // Note carefully chosen defaults---if argument is missing,
787 // it's undefined which gets converted to 0 for relative_start
788 // and to len for relative_end.
789 relative_start = 0;
790 relative_end = len;
791 if (argument_count > 0) {
792 DisallowHeapAllocation no_gc;
793 if (!ClampedToInteger(isolate, args[1], &relative_start)) {
794 AllowHeapAllocation allow_allocation;
795 return CallJsIntrinsic(isolate, isolate->array_slice(), args);
796 }
797 if (argument_count > 1) {
798 Object* end_arg = args[2];
799 // slice handles the end_arg specially
800 if (end_arg->IsUndefined(isolate)) {
801 relative_end = len;
802 } else if (!ClampedToInteger(isolate, end_arg, &relative_end)) {
803 AllowHeapAllocation allow_allocation;
804 return CallJsIntrinsic(isolate, isolate->array_slice(), args);
805 }
806 }
807 }
808
809 // ECMAScript 232, 3rd Edition, Section 15.4.4.10, step 6.
810 uint32_t actual_start = (relative_start < 0) ? Max(len + relative_start, 0)
811 : Min(relative_start, len);
812
813 // ECMAScript 232, 3rd Edition, Section 15.4.4.10, step 8.
814 uint32_t actual_end =
815 (relative_end < 0) ? Max(len + relative_end, 0) : Min(relative_end, len);
816
817 Handle<JSObject> object = Handle<JSObject>::cast(receiver);
818 ElementsAccessor* accessor = object->GetElementsAccessor();
819 return *accessor->Slice(object, actual_start, actual_end);
820 }
821
822 BUILTIN(ArraySplice) {
823 HandleScope scope(isolate);
824 Handle<Object> receiver = args.receiver();
825 if (V8_UNLIKELY(
826 !EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 3) ||
827 // If this is a subclass of Array, then call out to JS.
828 !Handle<JSArray>::cast(receiver)->HasArrayPrototype(isolate) ||
829 // If anything with @@species has been messed with, call out to JS.
830 !isolate->IsArraySpeciesLookupChainIntact())) {
831 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
832 }
833 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
834
835 int argument_count = args.length() - 1;
836 int relative_start = 0;
837 if (argument_count > 0) {
838 DisallowHeapAllocation no_gc;
839 if (!ClampedToInteger(isolate, args[1], &relative_start)) {
840 AllowHeapAllocation allow_allocation;
841 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
842 }
843 }
844 int len = Smi::cast(array->length())->value();
845 // clip relative start to [0, len]
846 int actual_start = (relative_start < 0) ? Max(len + relative_start, 0)
847 : Min(relative_start, len);
848
849 int actual_delete_count;
850 if (argument_count == 1) {
851 // SpiderMonkey, TraceMonkey and JSC treat the case where no delete count is
852 // given as a request to delete all the elements from the start.
853 // And it differs from the case of undefined delete count.
854 // This does not follow ECMA-262, but we do the same for compatibility.
855 DCHECK(len - actual_start >= 0);
856 actual_delete_count = len - actual_start;
857 } else {
858 int delete_count = 0;
859 DisallowHeapAllocation no_gc;
860 if (argument_count > 1) {
861 if (!ClampedToInteger(isolate, args[2], &delete_count)) {
862 AllowHeapAllocation allow_allocation;
863 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
864 }
865 }
866 actual_delete_count = Min(Max(delete_count, 0), len - actual_start);
867 }
868
869 int add_count = (argument_count > 1) ? (argument_count - 2) : 0;
870 int new_length = len - actual_delete_count + add_count;
871
872 if (new_length != len && JSArray::HasReadOnlyLength(array)) {
873 AllowHeapAllocation allow_allocation;
874 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
875 }
876 ElementsAccessor* accessor = array->GetElementsAccessor();
877 Handle<JSArray> result_array = accessor->Splice(
878 array, actual_start, actual_delete_count, &args, add_count);
879 return *result_array;
880 }
881
882 // Array Concat -------------------------------------------------------------
883
884 namespace {
885
886 /**
887 * A simple visitor visits every element of Array's.
888 * The backend storage can be a fixed array for fast elements case,
889 * or a dictionary for sparse array. Since Dictionary is a subtype
890 * of FixedArray, the class can be used by both fast and slow cases.
891 * The second parameter of the constructor, fast_elements, specifies
892 * whether the storage is a FixedArray or Dictionary.
893 *
894 * An index limit is used to deal with the situation that a result array
895 * length overflows 32-bit non-negative integer.
896 */
897 class ArrayConcatVisitor {
898 public:
899 ArrayConcatVisitor(Isolate* isolate, Handle<Object> storage,
900 bool fast_elements)
901 : isolate_(isolate),
902 storage_(isolate->global_handles()->Create(*storage)),
903 index_offset_(0u),
904 bit_field_(FastElementsField::encode(fast_elements) |
905 ExceedsLimitField::encode(false) |
906 IsFixedArrayField::encode(storage->IsFixedArray())) {
907 DCHECK(!(this->fast_elements() && !is_fixed_array()));
908 }
909
910 ~ArrayConcatVisitor() { clear_storage(); }
911
912 MUST_USE_RESULT bool visit(uint32_t i, Handle<Object> elm) {
913 uint32_t index = index_offset_ + i;
914
915 if (i >= JSObject::kMaxElementCount - index_offset_) {
916 set_exceeds_array_limit(true);
917 // Exception hasn't been thrown at this point. Return true to
918 // break out, and caller will throw. !visit would imply that
919 // there is already a pending exception.
920 return true;
921 }
922
923 if (!is_fixed_array()) {
924 LookupIterator it(isolate_, storage_, index, LookupIterator::OWN);
925 MAYBE_RETURN(
926 JSReceiver::CreateDataProperty(&it, elm, Object::THROW_ON_ERROR),
927 false);
928 return true;
929 }
930
931 if (fast_elements()) {
932 if (index < static_cast<uint32_t>(storage_fixed_array()->length())) {
933 storage_fixed_array()->set(index, *elm);
934 return true;
935 }
936 // Our initial estimate of length was foiled, possibly by
937 // getters on the arrays increasing the length of later arrays
938 // during iteration.
939 // This shouldn't happen in anything but pathological cases.
940 SetDictionaryMode();
941 // Fall-through to dictionary mode.
942 }
943 DCHECK(!fast_elements());
944 Handle<SeededNumberDictionary> dict(
945 SeededNumberDictionary::cast(*storage_));
946 // The object holding this backing store has just been allocated, so
947 // it cannot yet be used as a prototype.
948 Handle<SeededNumberDictionary> result =
949 SeededNumberDictionary::AtNumberPut(dict, index, elm, false);
950 if (!result.is_identical_to(dict)) {
951 // Dictionary needed to grow.
952 clear_storage();
953 set_storage(*result);
954 }
955 return true;
956 }
957
958 void increase_index_offset(uint32_t delta) {
959 if (JSObject::kMaxElementCount - index_offset_ < delta) {
960 index_offset_ = JSObject::kMaxElementCount;
961 } else {
962 index_offset_ += delta;
963 }
964 // If the initial length estimate was off (see special case in visit()),
965 // but the array blowing the limit didn't contain elements beyond the
966 // provided-for index range, go to dictionary mode now.
967 if (fast_elements() &&
968 index_offset_ >
969 static_cast<uint32_t>(FixedArrayBase::cast(*storage_)->length())) {
970 SetDictionaryMode();
971 }
972 }
973
974 bool exceeds_array_limit() const {
975 return ExceedsLimitField::decode(bit_field_);
976 }
977
978 Handle<JSArray> ToArray() {
979 DCHECK(is_fixed_array());
980 Handle<JSArray> array = isolate_->factory()->NewJSArray(0);
981 Handle<Object> length =
982 isolate_->factory()->NewNumber(static_cast<double>(index_offset_));
983 Handle<Map> map = JSObject::GetElementsTransitionMap(
984 array, fast_elements() ? FAST_HOLEY_ELEMENTS : DICTIONARY_ELEMENTS);
985 array->set_map(*map);
986 array->set_length(*length);
987 array->set_elements(*storage_fixed_array());
988 return array;
989 }
990
991 // Storage is either a FixedArray (if is_fixed_array()) or a JSReciever
992 // (otherwise)
993 Handle<FixedArray> storage_fixed_array() {
994 DCHECK(is_fixed_array());
995 return Handle<FixedArray>::cast(storage_);
996 }
997 Handle<JSReceiver> storage_jsreceiver() {
998 DCHECK(!is_fixed_array());
999 return Handle<JSReceiver>::cast(storage_);
1000 }
1001
1002 private:
1003 // Convert storage to dictionary mode.
1004 void SetDictionaryMode() {
1005 DCHECK(fast_elements() && is_fixed_array());
1006 Handle<FixedArray> current_storage = storage_fixed_array();
1007 Handle<SeededNumberDictionary> slow_storage(
1008 SeededNumberDictionary::New(isolate_, current_storage->length()));
1009 uint32_t current_length = static_cast<uint32_t>(current_storage->length());
1010 FOR_WITH_HANDLE_SCOPE(
1011 isolate_, uint32_t, i = 0, i, i < current_length, i++, {
1012 Handle<Object> element(current_storage->get(i), isolate_);
1013 if (!element->IsTheHole(isolate_)) {
1014 // The object holding this backing store has just been allocated, so
1015 // it cannot yet be used as a prototype.
1016 Handle<SeededNumberDictionary> new_storage =
1017 SeededNumberDictionary::AtNumberPut(slow_storage, i, element,
1018 false);
1019 if (!new_storage.is_identical_to(slow_storage)) {
1020 slow_storage = loop_scope.CloseAndEscape(new_storage);
1021 }
1022 }
1023 });
1024 clear_storage();
1025 set_storage(*slow_storage);
1026 set_fast_elements(false);
1027 }
1028
1029 inline void clear_storage() { GlobalHandles::Destroy(storage_.location()); }
1030
1031 inline void set_storage(FixedArray* storage) {
1032 DCHECK(is_fixed_array());
1033 storage_ = isolate_->global_handles()->Create(storage);
1034 }
1035
1036 class FastElementsField : public BitField<bool, 0, 1> {};
1037 class ExceedsLimitField : public BitField<bool, 1, 1> {};
1038 class IsFixedArrayField : public BitField<bool, 2, 1> {};
1039
1040 bool fast_elements() const { return FastElementsField::decode(bit_field_); }
1041 void set_fast_elements(bool fast) {
1042 bit_field_ = FastElementsField::update(bit_field_, fast);
1043 }
1044 void set_exceeds_array_limit(bool exceeds) {
1045 bit_field_ = ExceedsLimitField::update(bit_field_, exceeds);
1046 }
1047 bool is_fixed_array() const { return IsFixedArrayField::decode(bit_field_); }
1048
1049 Isolate* isolate_;
1050 Handle<Object> storage_; // Always a global handle.
1051 // Index after last seen index. Always less than or equal to
1052 // JSObject::kMaxElementCount.
1053 uint32_t index_offset_;
1054 uint32_t bit_field_;
1055 };
1056
1057 uint32_t EstimateElementCount(Handle<JSArray> array) {
1058 DisallowHeapAllocation no_gc;
1059 uint32_t length = static_cast<uint32_t>(array->length()->Number());
1060 int element_count = 0;
1061 switch (array->GetElementsKind()) {
1062 case FAST_SMI_ELEMENTS:
1063 case FAST_HOLEY_SMI_ELEMENTS:
1064 case FAST_ELEMENTS:
1065 case FAST_HOLEY_ELEMENTS: {
1066 // Fast elements can't have lengths that are not representable by
1067 // a 32-bit signed integer.
1068 DCHECK(static_cast<int32_t>(FixedArray::kMaxLength) >= 0);
1069 int fast_length = static_cast<int>(length);
1070 Isolate* isolate = array->GetIsolate();
1071 FixedArray* elements = FixedArray::cast(array->elements());
1072 for (int i = 0; i < fast_length; i++) {
1073 if (!elements->get(i)->IsTheHole(isolate)) element_count++;
1074 }
1075 break;
1076 }
1077 case FAST_DOUBLE_ELEMENTS:
1078 case FAST_HOLEY_DOUBLE_ELEMENTS: {
1079 // Fast elements can't have lengths that are not representable by
1080 // a 32-bit signed integer.
1081 DCHECK(static_cast<int32_t>(FixedDoubleArray::kMaxLength) >= 0);
1082 int fast_length = static_cast<int>(length);
1083 if (array->elements()->IsFixedArray()) {
1084 DCHECK(FixedArray::cast(array->elements())->length() == 0);
1085 break;
1086 }
1087 FixedDoubleArray* elements = FixedDoubleArray::cast(array->elements());
1088 for (int i = 0; i < fast_length; i++) {
1089 if (!elements->is_the_hole(i)) element_count++;
1090 }
1091 break;
1092 }
1093 case DICTIONARY_ELEMENTS: {
1094 SeededNumberDictionary* dictionary =
1095 SeededNumberDictionary::cast(array->elements());
1096 Isolate* isolate = dictionary->GetIsolate();
1097 int capacity = dictionary->Capacity();
1098 for (int i = 0; i < capacity; i++) {
1099 Object* key = dictionary->KeyAt(i);
1100 if (dictionary->IsKey(isolate, key)) {
1101 element_count++;
1102 }
1103 }
1104 break;
1105 }
1106 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) case TYPE##_ELEMENTS:
1107
1108 TYPED_ARRAYS(TYPED_ARRAY_CASE)
1109 #undef TYPED_ARRAY_CASE
1110 // External arrays are always dense.
1111 return length;
1112 case NO_ELEMENTS:
1113 return 0;
1114 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
1115 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
1116 case FAST_STRING_WRAPPER_ELEMENTS:
1117 case SLOW_STRING_WRAPPER_ELEMENTS:
1118 UNREACHABLE();
1119 return 0;
1120 }
1121 // As an estimate, we assume that the prototype doesn't contain any
1122 // inherited elements.
1123 return element_count;
1124 }
1125
1126 // Used for sorting indices in a List<uint32_t>.
1127 int compareUInt32(const uint32_t* ap, const uint32_t* bp) {
1128 uint32_t a = *ap;
1129 uint32_t b = *bp;
1130 return (a == b) ? 0 : (a < b) ? -1 : 1;
1131 }
1132
1133 void CollectElementIndices(Handle<JSObject> object, uint32_t range,
1134 List<uint32_t>* indices) {
1135 Isolate* isolate = object->GetIsolate();
1136 ElementsKind kind = object->GetElementsKind();
1137 switch (kind) {
1138 case FAST_SMI_ELEMENTS:
1139 case FAST_ELEMENTS:
1140 case FAST_HOLEY_SMI_ELEMENTS:
1141 case FAST_HOLEY_ELEMENTS: {
1142 DisallowHeapAllocation no_gc;
1143 FixedArray* elements = FixedArray::cast(object->elements());
1144 uint32_t length = static_cast<uint32_t>(elements->length());
1145 if (range < length) length = range;
1146 for (uint32_t i = 0; i < length; i++) {
1147 if (!elements->get(i)->IsTheHole(isolate)) {
1148 indices->Add(i);
1149 }
1150 }
1151 break;
1152 }
1153 case FAST_HOLEY_DOUBLE_ELEMENTS:
1154 case FAST_DOUBLE_ELEMENTS: {
1155 if (object->elements()->IsFixedArray()) {
1156 DCHECK(object->elements()->length() == 0);
1157 break;
1158 }
1159 Handle<FixedDoubleArray> elements(
1160 FixedDoubleArray::cast(object->elements()));
1161 uint32_t length = static_cast<uint32_t>(elements->length());
1162 if (range < length) length = range;
1163 for (uint32_t i = 0; i < length; i++) {
1164 if (!elements->is_the_hole(i)) {
1165 indices->Add(i);
1166 }
1167 }
1168 break;
1169 }
1170 case DICTIONARY_ELEMENTS: {
1171 DisallowHeapAllocation no_gc;
1172 SeededNumberDictionary* dict =
1173 SeededNumberDictionary::cast(object->elements());
1174 uint32_t capacity = dict->Capacity();
1175 FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, j = 0, j, j < capacity, j++, {
1176 Object* k = dict->KeyAt(j);
1177 if (!dict->IsKey(isolate, k)) continue;
1178 DCHECK(k->IsNumber());
1179 uint32_t index = static_cast<uint32_t>(k->Number());
1180 if (index < range) {
1181 indices->Add(index);
1182 }
1183 });
1184 break;
1185 }
1186 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) case TYPE##_ELEMENTS:
1187
1188 TYPED_ARRAYS(TYPED_ARRAY_CASE)
1189 #undef TYPED_ARRAY_CASE
1190 {
1191 uint32_t length = static_cast<uint32_t>(
1192 FixedArrayBase::cast(object->elements())->length());
1193 if (range <= length) {
1194 length = range;
1195 // We will add all indices, so we might as well clear it first
1196 // and avoid duplicates.
1197 indices->Clear();
1198 }
1199 for (uint32_t i = 0; i < length; i++) {
1200 indices->Add(i);
1201 }
1202 if (length == range) return; // All indices accounted for already.
1203 break;
1204 }
1205 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
1206 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
1207 ElementsAccessor* accessor = object->GetElementsAccessor();
1208 for (uint32_t i = 0; i < range; i++) {
1209 if (accessor->HasElement(object, i)) {
1210 indices->Add(i);
1211 }
1212 }
1213 break;
1214 }
1215 case FAST_STRING_WRAPPER_ELEMENTS:
1216 case SLOW_STRING_WRAPPER_ELEMENTS: {
1217 DCHECK(object->IsJSValue());
1218 Handle<JSValue> js_value = Handle<JSValue>::cast(object);
1219 DCHECK(js_value->value()->IsString());
1220 Handle<String> string(String::cast(js_value->value()), isolate);
1221 uint32_t length = static_cast<uint32_t>(string->length());
1222 uint32_t i = 0;
1223 uint32_t limit = Min(length, range);
1224 for (; i < limit; i++) {
1225 indices->Add(i);
1226 }
1227 ElementsAccessor* accessor = object->GetElementsAccessor();
1228 for (; i < range; i++) {
1229 if (accessor->HasElement(object, i)) {
1230 indices->Add(i);
1231 }
1232 }
1233 break;
1234 }
1235 case NO_ELEMENTS:
1236 break;
1237 }
1238
1239 PrototypeIterator iter(isolate, object);
1240 if (!iter.IsAtEnd()) {
1241 // The prototype will usually have no inherited element indices,
1242 // but we have to check.
1243 CollectElementIndices(PrototypeIterator::GetCurrent<JSObject>(iter), range,
1244 indices);
1245 }
1246 }
1247
1248 bool IterateElementsSlow(Isolate* isolate, Handle<JSReceiver> receiver,
1249 uint32_t length, ArrayConcatVisitor* visitor) {
1250 FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, i = 0, i, i < length, ++i, {
1251 Maybe<bool> maybe = JSReceiver::HasElement(receiver, i);
1252 if (!maybe.IsJust()) return false;
1253 if (maybe.FromJust()) {
1254 Handle<Object> element_value;
1255 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1256 isolate, element_value, JSReceiver::GetElement(isolate, receiver, i),
1257 false);
1258 if (!visitor->visit(i, element_value)) return false;
1259 }
1260 });
1261 visitor->increase_index_offset(length);
1262 return true;
1263 }
1264
1265 /**
1266 * A helper function that visits "array" elements of a JSReceiver in numerical
1267 * order.
1268 *
1269 * The visitor argument called for each existing element in the array
1270 * with the element index and the element's value.
1271 * Afterwards it increments the base-index of the visitor by the array
1272 * length.
1273 * Returns false if any access threw an exception, otherwise true.
1274 */
1275 bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
1276 ArrayConcatVisitor* visitor) {
1277 uint32_t length = 0;
1278
1279 if (receiver->IsJSArray()) {
1280 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
1281 length = static_cast<uint32_t>(array->length()->Number());
1282 } else {
1283 Handle<Object> val;
1284 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1285 isolate, val, Object::GetLengthFromArrayLike(isolate, receiver), false);
1286 // TODO(caitp): Support larger element indexes (up to 2^53-1).
1287 if (!val->ToUint32(&length)) {
1288 length = 0;
1289 }
1290 // TODO(cbruni): handle other element kind as well
1291 return IterateElementsSlow(isolate, receiver, length, visitor);
1292 }
1293
1294 if (!HasOnlySimpleElements(isolate, *receiver)) {
1295 return IterateElementsSlow(isolate, receiver, length, visitor);
1296 }
1297 Handle<JSObject> array = Handle<JSObject>::cast(receiver);
1298
1299 switch (array->GetElementsKind()) {
1300 case FAST_SMI_ELEMENTS:
1301 case FAST_ELEMENTS:
1302 case FAST_HOLEY_SMI_ELEMENTS:
1303 case FAST_HOLEY_ELEMENTS: {
1304 // Run through the elements FixedArray and use HasElement and GetElement
1305 // to check the prototype for missing elements.
1306 Handle<FixedArray> elements(FixedArray::cast(array->elements()));
1307 int fast_length = static_cast<int>(length);
1308 DCHECK(fast_length <= elements->length());
1309 FOR_WITH_HANDLE_SCOPE(isolate, int, j = 0, j, j < fast_length, j++, {
1310 Handle<Object> element_value(elements->get(j), isolate);
1311 if (!element_value->IsTheHole(isolate)) {
1312 if (!visitor->visit(j, element_value)) return false;
1313 } else {
1314 Maybe<bool> maybe = JSReceiver::HasElement(array, j);
1315 if (!maybe.IsJust()) return false;
1316 if (maybe.FromJust()) {
1317 // Call GetElement on array, not its prototype, or getters won't
1318 // have the correct receiver.
1319 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1320 isolate, element_value,
1321 JSReceiver::GetElement(isolate, array, j), false);
1322 if (!visitor->visit(j, element_value)) return false;
1323 }
1324 }
1325 });
1326 break;
1327 }
1328 case FAST_HOLEY_DOUBLE_ELEMENTS:
1329 case FAST_DOUBLE_ELEMENTS: {
1330 // Empty array is FixedArray but not FixedDoubleArray.
1331 if (length == 0) break;
1332 // Run through the elements FixedArray and use HasElement and GetElement
1333 // to check the prototype for missing elements.
1334 if (array->elements()->IsFixedArray()) {
1335 DCHECK(array->elements()->length() == 0);
1336 break;
1337 }
1338 Handle<FixedDoubleArray> elements(
1339 FixedDoubleArray::cast(array->elements()));
1340 int fast_length = static_cast<int>(length);
1341 DCHECK(fast_length <= elements->length());
1342 FOR_WITH_HANDLE_SCOPE(isolate, int, j = 0, j, j < fast_length, j++, {
1343 if (!elements->is_the_hole(j)) {
1344 double double_value = elements->get_scalar(j);
1345 Handle<Object> element_value =
1346 isolate->factory()->NewNumber(double_value);
1347 if (!visitor->visit(j, element_value)) return false;
1348 } else {
1349 Maybe<bool> maybe = JSReceiver::HasElement(array, j);
1350 if (!maybe.IsJust()) return false;
1351 if (maybe.FromJust()) {
1352 // Call GetElement on array, not its prototype, or getters won't
1353 // have the correct receiver.
1354 Handle<Object> element_value;
1355 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1356 isolate, element_value,
1357 JSReceiver::GetElement(isolate, array, j), false);
1358 if (!visitor->visit(j, element_value)) return false;
1359 }
1360 }
1361 });
1362 break;
1363 }
1364
1365 case DICTIONARY_ELEMENTS: {
1366 Handle<SeededNumberDictionary> dict(array->element_dictionary());
1367 List<uint32_t> indices(dict->Capacity() / 2);
1368 // Collect all indices in the object and the prototypes less
1369 // than length. This might introduce duplicates in the indices list.
1370 CollectElementIndices(array, length, &indices);
1371 indices.Sort(&compareUInt32);
1372 int n = indices.length();
1373 FOR_WITH_HANDLE_SCOPE(isolate, int, j = 0, j, j < n, (void)0, {
1374 uint32_t index = indices[j];
1375 Handle<Object> element;
1376 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1377 isolate, element, JSReceiver::GetElement(isolate, array, index),
1378 false);
1379 if (!visitor->visit(index, element)) return false;
1380 // Skip to next different index (i.e., omit duplicates).
1381 do {
1382 j++;
1383 } while (j < n && indices[j] == index);
1384 });
1385 break;
1386 }
1387 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
1388 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
1389 FOR_WITH_HANDLE_SCOPE(
1390 isolate, uint32_t, index = 0, index, index < length, index++, {
1391 Handle<Object> element;
1392 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1393 isolate, element, JSReceiver::GetElement(isolate, array, index),
1394 false);
1395 if (!visitor->visit(index, element)) return false;
1396 });
1397 break;
1398 }
1399 case NO_ELEMENTS:
1400 break;
1401 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) case TYPE##_ELEMENTS:
1402 TYPED_ARRAYS(TYPED_ARRAY_CASE)
1403 #undef TYPED_ARRAY_CASE
1404 return IterateElementsSlow(isolate, receiver, length, visitor);
1405 case FAST_STRING_WRAPPER_ELEMENTS:
1406 case SLOW_STRING_WRAPPER_ELEMENTS:
1407 // |array| is guaranteed to be an array or typed array.
1408 UNREACHABLE();
1409 break;
1410 }
1411 visitor->increase_index_offset(length);
1412 return true;
1413 }
1414
1415 static Maybe<bool> IsConcatSpreadable(Isolate* isolate, Handle<Object> obj) {
1416 HandleScope handle_scope(isolate);
1417 if (!obj->IsJSReceiver()) return Just(false);
1418 if (!isolate->IsIsConcatSpreadableLookupChainIntact()) {
1419 // Slow path if @@isConcatSpreadable has been used.
1420 Handle<Symbol> key(isolate->factory()->is_concat_spreadable_symbol());
1421 Handle<Object> value;
1422 MaybeHandle<Object> maybeValue =
1423 i::Runtime::GetObjectProperty(isolate, obj, key);
1424 if (!maybeValue.ToHandle(&value)) return Nothing<bool>();
1425 if (!value->IsUndefined(isolate)) return Just(value->BooleanValue());
1426 }
1427 return Object::IsArray(obj);
1428 }
1429
1430 Object* Slow_ArrayConcat(BuiltinArguments* args, Handle<Object> species,
1431 Isolate* isolate) {
1432 int argument_count = args->length();
1433
1434 bool is_array_species = *species == isolate->context()->array_function();
1435
1436 // Pass 1: estimate the length and number of elements of the result.
1437 // The actual length can be larger if any of the arguments have getters
1438 // that mutate other arguments (but will otherwise be precise).
1439 // The number of elements is precise if there are no inherited elements.
1440
1441 ElementsKind kind = FAST_SMI_ELEMENTS;
1442
1443 uint32_t estimate_result_length = 0;
1444 uint32_t estimate_nof_elements = 0;
1445 FOR_WITH_HANDLE_SCOPE(isolate, int, i = 0, i, i < argument_count, i++, {
1446 Handle<Object> obj((*args)[i], isolate);
1447 uint32_t length_estimate;
1448 uint32_t element_estimate;
1449 if (obj->IsJSArray()) {
1450 Handle<JSArray> array(Handle<JSArray>::cast(obj));
1451 length_estimate = static_cast<uint32_t>(array->length()->Number());
1452 if (length_estimate != 0) {
1453 ElementsKind array_kind =
1454 GetPackedElementsKind(array->GetElementsKind());
1455 kind = GetMoreGeneralElementsKind(kind, array_kind);
1456 }
1457 element_estimate = EstimateElementCount(array);
1458 } else {
1459 if (obj->IsHeapObject()) {
1460 kind = GetMoreGeneralElementsKind(
1461 kind, obj->IsNumber() ? FAST_DOUBLE_ELEMENTS : FAST_ELEMENTS);
1462 }
1463 length_estimate = 1;
1464 element_estimate = 1;
1465 }
1466 // Avoid overflows by capping at kMaxElementCount.
1467 if (JSObject::kMaxElementCount - estimate_result_length < length_estimate) {
1468 estimate_result_length = JSObject::kMaxElementCount;
1469 } else {
1470 estimate_result_length += length_estimate;
1471 }
1472 if (JSObject::kMaxElementCount - estimate_nof_elements < element_estimate) {
1473 estimate_nof_elements = JSObject::kMaxElementCount;
1474 } else {
1475 estimate_nof_elements += element_estimate;
1476 }
1477 });
1478
1479 // If estimated number of elements is more than half of length, a
1480 // fixed array (fast case) is more time and space-efficient than a
1481 // dictionary.
1482 bool fast_case =
1483 is_array_species && (estimate_nof_elements * 2) >= estimate_result_length;
1484
1485 if (fast_case && kind == FAST_DOUBLE_ELEMENTS) {
1486 Handle<FixedArrayBase> storage =
1487 isolate->factory()->NewFixedDoubleArray(estimate_result_length);
1488 int j = 0;
1489 bool failure = false;
1490 if (estimate_result_length > 0) {
1491 Handle<FixedDoubleArray> double_storage =
1492 Handle<FixedDoubleArray>::cast(storage);
1493 for (int i = 0; i < argument_count; i++) {
1494 Handle<Object> obj((*args)[i], isolate);
1495 if (obj->IsSmi()) {
1496 double_storage->set(j, Smi::cast(*obj)->value());
1497 j++;
1498 } else if (obj->IsNumber()) {
1499 double_storage->set(j, obj->Number());
1500 j++;
1501 } else {
1502 DisallowHeapAllocation no_gc;
1503 JSArray* array = JSArray::cast(*obj);
1504 uint32_t length = static_cast<uint32_t>(array->length()->Number());
1505 switch (array->GetElementsKind()) {
1506 case FAST_HOLEY_DOUBLE_ELEMENTS:
1507 case FAST_DOUBLE_ELEMENTS: {
1508 // Empty array is FixedArray but not FixedDoubleArray.
1509 if (length == 0) break;
1510 FixedDoubleArray* elements =
1511 FixedDoubleArray::cast(array->elements());
1512 for (uint32_t i = 0; i < length; i++) {
1513 if (elements->is_the_hole(i)) {
1514 // TODO(jkummerow/verwaest): We could be a bit more clever
1515 // here: Check if there are no elements/getters on the
1516 // prototype chain, and if so, allow creation of a holey
1517 // result array.
1518 // Same thing below (holey smi case).
1519 failure = true;
1520 break;
1521 }
1522 double double_value = elements->get_scalar(i);
1523 double_storage->set(j, double_value);
1524 j++;
1525 }
1526 break;
1527 }
1528 case FAST_HOLEY_SMI_ELEMENTS:
1529 case FAST_SMI_ELEMENTS: {
1530 Object* the_hole = isolate->heap()->the_hole_value();
1531 FixedArray* elements(FixedArray::cast(array->elements()));
1532 for (uint32_t i = 0; i < length; i++) {
1533 Object* element = elements->get(i);
1534 if (element == the_hole) {
1535 failure = true;
1536 break;
1537 }
1538 int32_t int_value = Smi::cast(element)->value();
1539 double_storage->set(j, int_value);
1540 j++;
1541 }
1542 break;
1543 }
1544 case FAST_HOLEY_ELEMENTS:
1545 case FAST_ELEMENTS:
1546 case DICTIONARY_ELEMENTS:
1547 case NO_ELEMENTS:
1548 DCHECK_EQ(0u, length);
1549 break;
1550 default:
1551 UNREACHABLE();
1552 }
1553 }
1554 if (failure) break;
1555 }
1556 }
1557 if (!failure) {
1558 return *isolate->factory()->NewJSArrayWithElements(storage, kind, j);
1559 }
1560 // In case of failure, fall through.
1561 }
1562
1563 Handle<Object> storage;
1564 if (fast_case) {
1565 // The backing storage array must have non-existing elements to preserve
1566 // holes across concat operations.
1567 storage =
1568 isolate->factory()->NewFixedArrayWithHoles(estimate_result_length);
1569 } else if (is_array_species) {
1570 // TODO(126): move 25% pre-allocation logic into Dictionary::Allocate
1571 uint32_t at_least_space_for =
1572 estimate_nof_elements + (estimate_nof_elements >> 2);
1573 storage = SeededNumberDictionary::New(isolate, at_least_space_for);
1574 } else {
1575 DCHECK(species->IsConstructor());
1576 Handle<Object> length(Smi::FromInt(0), isolate);
1577 Handle<Object> storage_object;
1578 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1579 isolate, storage_object,
1580 Execution::New(isolate, species, species, 1, &length));
1581 storage = storage_object;
1582 }
1583
1584 ArrayConcatVisitor visitor(isolate, storage, fast_case);
1585
1586 for (int i = 0; i < argument_count; i++) {
1587 Handle<Object> obj((*args)[i], isolate);
1588 Maybe<bool> spreadable = IsConcatSpreadable(isolate, obj);
1589 MAYBE_RETURN(spreadable, isolate->heap()->exception());
1590 if (spreadable.FromJust()) {
1591 Handle<JSReceiver> object = Handle<JSReceiver>::cast(obj);
1592 if (!IterateElements(isolate, object, &visitor)) {
1593 return isolate->heap()->exception();
1594 }
1595 } else {
1596 if (!visitor.visit(0, obj)) return isolate->heap()->exception();
1597 visitor.increase_index_offset(1);
1598 }
1599 }
1600
1601 if (visitor.exceeds_array_limit()) {
1602 THROW_NEW_ERROR_RETURN_FAILURE(
1603 isolate, NewRangeError(MessageTemplate::kInvalidArrayLength));
1604 }
1605
1606 if (is_array_species) {
1607 return *visitor.ToArray();
1608 } else {
1609 return *visitor.storage_jsreceiver();
1610 }
1611 }
1612
1613 bool IsSimpleArray(Isolate* isolate, Handle<JSArray> obj) {
1614 DisallowHeapAllocation no_gc;
1615 Map* map = obj->map();
1616 // If there is only the 'length' property we are fine.
1617 if (map->prototype() ==
1618 isolate->native_context()->initial_array_prototype() &&
1619 map->NumberOfOwnDescriptors() == 1) {
1620 return true;
1621 }
1622 // TODO(cbruni): slower lookup for array subclasses and support slow
1623 // @@IsConcatSpreadable lookup.
1624 return false;
1625 }
1626
1627 MaybeHandle<JSArray> Fast_ArrayConcat(Isolate* isolate,
1628 BuiltinArguments* args) {
1629 if (!isolate->IsIsConcatSpreadableLookupChainIntact()) {
1630 return MaybeHandle<JSArray>();
1631 }
1632 // We shouldn't overflow when adding another len.
1633 const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
1634 STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
1635 STATIC_ASSERT(FixedDoubleArray::kMaxLength < kHalfOfMaxInt);
1636 USE(kHalfOfMaxInt);
1637
1638 int n_arguments = args->length();
1639 int result_len = 0;
1640 {
1641 DisallowHeapAllocation no_gc;
1642 // Iterate through all the arguments performing checks
1643 // and calculating total length.
1644 for (int i = 0; i < n_arguments; i++) {
1645 Object* arg = (*args)[i];
1646 if (!arg->IsJSArray()) return MaybeHandle<JSArray>();
1647 if (!HasOnlySimpleReceiverElements(isolate, JSObject::cast(arg))) {
1648 return MaybeHandle<JSArray>();
1649 }
1650 // TODO(cbruni): support fast concatenation of DICTIONARY_ELEMENTS.
1651 if (!JSObject::cast(arg)->HasFastElements()) {
1652 return MaybeHandle<JSArray>();
1653 }
1654 Handle<JSArray> array(JSArray::cast(arg), isolate);
1655 if (!IsSimpleArray(isolate, array)) {
1656 return MaybeHandle<JSArray>();
1657 }
1658 // The Array length is guaranted to be <= kHalfOfMaxInt thus we won't
1659 // overflow.
1660 result_len += Smi::cast(array->length())->value();
1661 DCHECK(result_len >= 0);
1662 // Throw an Error if we overflow the FixedArray limits
1663 if (FixedDoubleArray::kMaxLength < result_len ||
1664 FixedArray::kMaxLength < result_len) {
1665 AllowHeapAllocation gc;
1666 THROW_NEW_ERROR(isolate,
1667 NewRangeError(MessageTemplate::kInvalidArrayLength),
1668 JSArray);
1669 }
1670 }
1671 }
1672 return ElementsAccessor::Concat(isolate, args, n_arguments, result_len);
1673 }
1674
1675 } // namespace
1676
1677 // ES6 22.1.3.1 Array.prototype.concat
1678 BUILTIN(ArrayConcat) {
1679 HandleScope scope(isolate);
1680
1681 Handle<Object> receiver = args.receiver();
1682 // TODO(bmeurer): Do we really care about the exact exception message here?
1683 if (receiver->IsNull(isolate) || receiver->IsUndefined(isolate)) {
1684 THROW_NEW_ERROR_RETURN_FAILURE(
1685 isolate, NewTypeError(MessageTemplate::kCalledOnNullOrUndefined,
1686 isolate->factory()->NewStringFromAsciiChecked(
1687 "Array.prototype.concat")));
1688 }
1689 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1690 isolate, receiver, Object::ToObject(isolate, args.receiver()));
1691 args[0] = *receiver;
1692
1693 Handle<JSArray> result_array;
1694
1695 // Avoid a real species read to avoid extra lookups to the array constructor
1696 if (V8_LIKELY(receiver->IsJSArray() &&
1697 Handle<JSArray>::cast(receiver)->HasArrayPrototype(isolate) &&
1698 isolate->IsArraySpeciesLookupChainIntact())) {
1699 if (Fast_ArrayConcat(isolate, &args).ToHandle(&result_array)) {
1700 return *result_array;
1701 }
1702 if (isolate->has_pending_exception()) return isolate->heap()->exception();
1703 }
1704 // Reading @@species happens before anything else with a side effect, so
1705 // we can do it here to determine whether to take the fast path.
1706 Handle<Object> species;
1707 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1708 isolate, species, Object::ArraySpeciesConstructor(isolate, receiver));
1709 if (*species == *isolate->array_function()) {
1710 if (Fast_ArrayConcat(isolate, &args).ToHandle(&result_array)) {
1711 return *result_array;
1712 }
1713 if (isolate->has_pending_exception()) return isolate->heap()->exception();
1714 }
1715 return Slow_ArrayConcat(&args, species, isolate);
1716 }
1717
1718 namespace {
1719
1720 MUST_USE_RESULT Maybe<bool> FastAssign(Handle<JSReceiver> to,
1721 Handle<Object> next_source) {
1722 // Non-empty strings are the only non-JSReceivers that need to be handled
1723 // explicitly by Object.assign.
1724 if (!next_source->IsJSReceiver()) {
1725 return Just(!next_source->IsString() ||
1726 String::cast(*next_source)->length() == 0);
1727 }
1728
1729 // If the target is deprecated, the object will be updated on first store. If
1730 // the source for that store equals the target, this will invalidate the
1731 // cached representation of the source. Preventively upgrade the target.
1732 // Do this on each iteration since any property load could cause deprecation.
1733 if (to->map()->is_deprecated()) {
1734 JSObject::MigrateInstance(Handle<JSObject>::cast(to));
1735 }
1736
1737 Isolate* isolate = to->GetIsolate();
1738 Handle<Map> map(JSReceiver::cast(*next_source)->map(), isolate);
1739
1740 if (!map->IsJSObjectMap()) return Just(false);
1741 if (!map->OnlyHasSimpleProperties()) return Just(false);
1742
1743 Handle<JSObject> from = Handle<JSObject>::cast(next_source);
1744 if (from->elements() != isolate->heap()->empty_fixed_array()) {
1745 return Just(false);
1746 }
1747
1748 Handle<DescriptorArray> descriptors(map->instance_descriptors(), isolate);
1749 int length = map->NumberOfOwnDescriptors();
1750
1751 bool stable = true;
1752
1753 for (int i = 0; i < length; i++) {
1754 Handle<Name> next_key(descriptors->GetKey(i), isolate);
1755 Handle<Object> prop_value;
1756 // Directly decode from the descriptor array if |from| did not change shape.
1757 if (stable) {
1758 PropertyDetails details = descriptors->GetDetails(i);
1759 if (!details.IsEnumerable()) continue;
1760 if (details.kind() == kData) {
1761 if (details.location() == kDescriptor) {
1762 prop_value = handle(descriptors->GetValue(i), isolate);
1763 } else {
1764 Representation representation = details.representation();
1765 FieldIndex index = FieldIndex::ForDescriptor(*map, i);
1766 prop_value = JSObject::FastPropertyAt(from, representation, index);
1767 }
1768 } else {
1769 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1770 isolate, prop_value, JSReceiver::GetProperty(from, next_key),
1771 Nothing<bool>());
1772 stable = from->map() == *map;
1773 }
1774 } else {
1775 // If the map did change, do a slower lookup. We are still guaranteed that
1776 // the object has a simple shape, and that the key is a name.
1777 LookupIterator it(from, next_key, from,
1778 LookupIterator::OWN_SKIP_INTERCEPTOR);
1779 if (!it.IsFound()) continue;
1780 DCHECK(it.state() == LookupIterator::DATA ||
1781 it.state() == LookupIterator::ACCESSOR);
1782 if (!it.IsEnumerable()) continue;
1783 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1784 isolate, prop_value, Object::GetProperty(&it), Nothing<bool>());
1785 }
1786 LookupIterator it(to, next_key, to);
1787 bool call_to_js = it.IsFound() && it.state() != LookupIterator::DATA;
1788 Maybe<bool> result = Object::SetProperty(
1789 &it, prop_value, STRICT, Object::CERTAINLY_NOT_STORE_FROM_KEYED);
1790 if (result.IsNothing()) return result;
1791 if (stable && call_to_js) stable = from->map() == *map;
1792 }
1793
1794 return Just(true);
1795 }
1796
1797 } // namespace
1798
1799 // ES6 19.1.2.1 Object.assign
1800 BUILTIN(ObjectAssign) {
1801 HandleScope scope(isolate);
1802 Handle<Object> target = args.atOrUndefined(isolate, 1);
1803
1804 // 1. Let to be ? ToObject(target).
1805 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, target,
1806 Object::ToObject(isolate, target));
1807 Handle<JSReceiver> to = Handle<JSReceiver>::cast(target);
1808 // 2. If only one argument was passed, return to.
1809 if (args.length() == 2) return *to;
1810 // 3. Let sources be the List of argument values starting with the
1811 // second argument.
1812 // 4. For each element nextSource of sources, in ascending index order,
1813 for (int i = 2; i < args.length(); ++i) {
1814 Handle<Object> next_source = args.at<Object>(i);
1815 Maybe<bool> fast_assign = FastAssign(to, next_source);
1816 if (fast_assign.IsNothing()) return isolate->heap()->exception();
1817 if (fast_assign.FromJust()) continue;
1818 // 4a. If nextSource is undefined or null, let keys be an empty List.
1819 // 4b. Else,
1820 // 4b i. Let from be ToObject(nextSource).
1821 // Only non-empty strings and JSReceivers have enumerable properties.
1822 Handle<JSReceiver> from =
1823 Object::ToObject(isolate, next_source).ToHandleChecked();
1824 // 4b ii. Let keys be ? from.[[OwnPropertyKeys]]().
1825 Handle<FixedArray> keys;
1826 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1827 isolate, keys, KeyAccumulator::GetKeys(
1828 from, KeyCollectionMode::kOwnOnly, ALL_PROPERTIES,
1829 GetKeysConversion::kKeepNumbers));
1830 // 4c. Repeat for each element nextKey of keys in List order,
1831 for (int j = 0; j < keys->length(); ++j) {
1832 Handle<Object> next_key(keys->get(j), isolate);
1833 // 4c i. Let desc be ? from.[[GetOwnProperty]](nextKey).
1834 PropertyDescriptor desc;
1835 Maybe<bool> found =
1836 JSReceiver::GetOwnPropertyDescriptor(isolate, from, next_key, &desc);
1837 if (found.IsNothing()) return isolate->heap()->exception();
1838 // 4c ii. If desc is not undefined and desc.[[Enumerable]] is true, then
1839 if (found.FromJust() && desc.enumerable()) {
1840 // 4c ii 1. Let propValue be ? Get(from, nextKey).
1841 Handle<Object> prop_value;
1842 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1843 isolate, prop_value,
1844 Runtime::GetObjectProperty(isolate, from, next_key));
1845 // 4c ii 2. Let status be ? Set(to, nextKey, propValue, true).
1846 Handle<Object> status;
1847 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1848 isolate, status, Runtime::SetObjectProperty(isolate, to, next_key,
1849 prop_value, STRICT));
1850 }
1851 }
1852 }
1853 // 5. Return to.
1854 return *to;
1855 }
1856
1857 // ES6 section 19.1.2.2 Object.create ( O [ , Properties ] ) 480 // ES6 section 19.1.2.2 Object.create ( O [ , Properties ] )
1858 // TODO(verwaest): Support the common cases with precached map directly in 481 // TODO(verwaest): Support the common cases with precached map directly in
1859 // an Object.create stub. 482 // an Object.create stub.
1860 BUILTIN(ObjectCreate) { 483 BUILTIN(ObjectCreate) {
1861 HandleScope scope(isolate); 484 HandleScope scope(isolate);
1862 Handle<Object> prototype = args.atOrUndefined(isolate, 1); 485 Handle<Object> prototype = args.atOrUndefined(isolate, 1);
1863 if (!prototype->IsNull(isolate) && !prototype->IsJSReceiver()) { 486 if (!prototype->IsNull(isolate) && !prototype->IsJSReceiver()) {
1864 THROW_NEW_ERROR_RETURN_FAILURE( 487 THROW_NEW_ERROR_RETURN_FAILURE(
1865 isolate, NewTypeError(MessageTemplate::kProtoObjectOrNull, prototype)); 488 isolate, NewTypeError(MessageTemplate::kProtoObjectOrNull, prototype));
1866 } 489 }
(...skipping 5317 matching lines...) Expand 10 before | Expand all | Expand 10 after
7184 #define DEFINE_BUILTIN_ACCESSOR(Name, ...) \ 5807 #define DEFINE_BUILTIN_ACCESSOR(Name, ...) \
7185 Handle<Code> Builtins::Name() { \ 5808 Handle<Code> Builtins::Name() { \
7186 Code** code_address = reinterpret_cast<Code**>(builtin_address(k##Name)); \ 5809 Code** code_address = reinterpret_cast<Code**>(builtin_address(k##Name)); \
7187 return Handle<Code>(code_address); \ 5810 return Handle<Code>(code_address); \
7188 } 5811 }
7189 BUILTIN_LIST_ALL(DEFINE_BUILTIN_ACCESSOR) 5812 BUILTIN_LIST_ALL(DEFINE_BUILTIN_ACCESSOR)
7190 #undef DEFINE_BUILTIN_ACCESSOR 5813 #undef DEFINE_BUILTIN_ACCESSOR
7191 5814
7192 } // namespace internal 5815 } // namespace internal
7193 } // namespace v8 5816 } // namespace v8
OLDNEW
« no previous file with comments | « BUILD.gn ('k') | src/builtins/builtins-array.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698