Ensure slow properties for simple {__proto__:null} literals.

src/runtime/runtime-literals.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/allocation-site-scopes.h"
 #include "src/arguments.h"
 #include "src/ast/ast.h"
 #include "src/ast/compile-time-value.h"
 #include "src/isolate-inl.h"
 #include "src/runtime/runtime.h"
 
 namespace v8 {
 namespace internal {
 
-static Handle<Map> ComputeObjectLiteralMap(
-    Handle<Context> context,
-    Handle<BoilerplateDescription> boilerplate_description,
-    bool* is_result_from_cache) {
-  int number_of_properties = boilerplate_description->backing_store_size();
-  Isolate* isolate = context->GetIsolate();
-  return isolate->factory()->ObjectLiteralMapFromCache(
-      context, number_of_properties, is_result_from_cache);
-}
-
 MUST_USE_RESULT static MaybeHandle<Object> CreateLiteralBoilerplate(
     Isolate* isolate, Handle<FeedbackVector> vector,
     Handle<BoilerplateDescription> boilerplate_description);
 
 MUST_USE_RESULT static MaybeHandle<Object> CreateObjectLiteralBoilerplate(
     Isolate* isolate, Handle<FeedbackVector> vector,
     Handle<BoilerplateDescription> boilerplate_description,
-    bool should_have_fast_elements) {
+    bool use_fast_elements, bool has_null_prototype) {
   Handle<Context> context = isolate->native_context();
 
   // In case we have function literals, we want the object to be in
   // slow properties mode for now. We don't go in the map cache because
   // maps with constant functions can't be shared if the functions are
   // not the same (which is the common case).
+  int number_of_properties = boilerplate_description->backing_store_size();
   bool is_result_from_cache = false;
-  Handle<Map> map = ComputeObjectLiteralMap(context, boilerplate_description,
-                                            &is_result_from_cache);
+  Handle<Map> map = isolate->factory()->ObjectLiteralMapFromCache(
+      context, number_of_properties, has_null_prototype, &is_result_from_cache);
 
   PretenureFlag pretenure_flag =
       isolate->heap()->InNewSpace(*vector) ? NOT_TENURED : TENURED;
 
-  Handle<JSObject> boilerplate =
-      isolate->factory()->NewJSObjectFromMap(map, pretenure_flag);
+  Handle<JSObject> boilerplate;
+  if (map->is_dictionary_map()) {
+    boilerplate = isolate->factory()->NewSlowJSObjectFromMap(
+        map, number_of_properties, pretenure_flag);
+  } else {
+    boilerplate = isolate->factory()->NewJSObjectFromMap(map, pretenure_flag);
+  }
 
   // Normalize the elements of the boilerplate to save space if needed.
-  if (!should_have_fast_elements) JSObject::NormalizeElements(boilerplate);
+  if (!use_fast_elements) JSObject::NormalizeElements(boilerplate);
 
   // Add the constant properties to the boilerplate.
   int length = boilerplate_description->size();
   bool should_transform =
       !is_result_from_cache && boilerplate->HasFastProperties();

[Toon Verwaest, 2017/03/14 13:27:47]

This code is a little weird. I think we can even
CHECK(boilerplate->HasFastProperties()); at this point. And
!is_result_from_cache is based on 128 max tracking limit in
ComputeObjectLiteralMap. Why don't we just return a default
normalized-object-map instead and avoid this check?

[Camillo Bruni, 2017/03/17 16:40:55]

added separate initial slow map for this case.

-  bool should_normalize = should_transform;
-  if (should_normalize) {
-    // TODO(verwaest): We might not want to ever normalize here.

[Toon Verwaest, 2017/03/14 13:27:48]

Why are you removing this?

[Camillo Bruni, 2017/03/17 16:40:55]

readded.

+  if (should_transform) {
     JSObject::NormalizeProperties(boilerplate, KEEP_INOBJECT_PROPERTIES, length,
                                   "Boilerplate");
   }
   // TODO(verwaest): Support tracking representations in the boilerplate.
   for (int index = 0; index < length; index++) {
     Handle<Object> key(boilerplate_description->name(index), isolate);
     Handle<Object> value(boilerplate_description->value(index), isolate);
     if (value->IsBoilerplateDescription()) {
       // The value contains the boilerplate properties of a
       // simple object or array literal.
@@ skipping 17 matching lines @@
       DCHECK(!name->AsArrayIndex(&element_index));
       maybe_result = JSObject::SetOwnPropertyIgnoreAttributes(boilerplate, name,
                                                               value, NONE);
     }
     RETURN_ON_EXCEPTION(isolate, maybe_result, Object);
   }
 
   // Transform to fast properties if necessary. For object literals with
   // containing function literals we defer this operation until after all
   // computed properties have been assigned so that we can generate
   // constant function properties.

[Toon Verwaest, 2017/03/14 13:27:47]

This comment doesn't make sense anymore afaict. We don't account for functions
at all.

[Camillo Bruni, 2017/03/17 16:40:55]

removed.

   if (should_transform) {

[Toon Verwaest, 2017/03/14 13:27:48]

I'm not actually sure whether it makes sense to make these objects fast again by
now. If they end up as .prototype they'll be made fast there anyway. Probably
should investigate in another CL though.

[Camillo Bruni, 2017/03/17 16:40:55]

added TODO

     JSObject::MigrateSlowToFast(boilerplate,
                                 boilerplate->map()->unused_property_fields(),
                                 "FastLiteral");
   }
   return boilerplate;
 }
 
 static MaybeHandle<Object> CreateArrayLiteralBoilerplate(
     Isolate* isolate, Handle<FeedbackVector> vector,
     Handle<ConstantElementsPair> elements) {
@@ skipping 66 matching lines @@
   return object;
 }
 
 MUST_USE_RESULT static MaybeHandle<Object> CreateLiteralBoilerplate(
     Isolate* isolate, Handle<FeedbackVector> vector,
     Handle<BoilerplateDescription> array) {
   Handle<HeapObject> elements = CompileTimeValue::GetElements(array);
   switch (CompileTimeValue::GetLiteralType(array)) {
     case CompileTimeValue::OBJECT_LITERAL_FAST_ELEMENTS: {
       Handle<BoilerplateDescription> props =
           Handle<BoilerplateDescription>::cast(elements);

[Toon Verwaest, 2017/03/14 13:27:48]

If we make sure that props[0] contains __proto__:null if it's there, we can also
support nested literals?

[Camillo Bruni, 2017/03/17 16:40:55]

ack.

-      return CreateObjectLiteralBoilerplate(isolate, vector, props, true);
+      return CreateObjectLiteralBoilerplate(isolate, vector, props, true,
+                                            false);
     }
     case CompileTimeValue::OBJECT_LITERAL_SLOW_ELEMENTS: {
       Handle<BoilerplateDescription> props =
           Handle<BoilerplateDescription>::cast(elements);
-      return CreateObjectLiteralBoilerplate(isolate, vector, props, false);
+      return CreateObjectLiteralBoilerplate(isolate, vector, props, false,
+                                            false);
     }
     case CompileTimeValue::ARRAY_LITERAL: {
       Handle<ConstantElementsPair> elems =
           Handle<ConstantElementsPair>::cast(elements);
       return CreateArrayLiteralBoilerplate(isolate, vector, elems);
     }
     default:
       UNREACHABLE();
       return MaybeHandle<Object>();
   }
@@ skipping 23 matching lines @@
 
 RUNTIME_FUNCTION(Runtime_CreateObjectLiteral) {
   HandleScope scope(isolate);
   DCHECK_EQ(4, args.length());
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, closure, 0);
   CONVERT_SMI_ARG_CHECKED(literals_index, 1);
   CONVERT_ARG_HANDLE_CHECKED(BoilerplateDescription, boilerplate_description,
                              2);
   CONVERT_SMI_ARG_CHECKED(flags, 3);
   Handle<FeedbackVector> vector(closure->feedback_vector(), isolate);
-  bool should_have_fast_elements = (flags & ObjectLiteral::kFastElements) != 0;
+  bool use_fast_elements = (flags & ObjectLiteral::kFastElements) != 0;
   bool enable_mementos = (flags & ObjectLiteral::kDisableMementos) == 0;
+  bool has_null_prototype = (flags & ObjectLiteral::kHasNullPrototype) != 0;
 
   FeedbackSlot literals_slot(FeedbackVector::ToSlot(literals_index));
   CHECK(literals_slot.ToInt() < vector->slot_count());
 
   // Check if boilerplate exists. If not, create it first.
   Handle<Object> literal_site(vector->Get(literals_slot), isolate);
   Handle<AllocationSite> site;
   Handle<JSObject> boilerplate;
   if (literal_site->IsUndefined(isolate)) {
     Handle<Object> raw_boilerplate;
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
         isolate, raw_boilerplate,
         CreateObjectLiteralBoilerplate(isolate, vector, boilerplate_description,
-                                       should_have_fast_elements));
+                                       use_fast_elements, has_null_prototype));
     boilerplate = Handle<JSObject>::cast(raw_boilerplate);
 
     AllocationSiteCreationContext creation_context(isolate);
     site = creation_context.EnterNewScope();
     RETURN_FAILURE_ON_EXCEPTION(
         isolate, JSObject::DeepWalk(boilerplate, &creation_context));
     creation_context.ExitScope(site, boilerplate);
 
     // Update the functions literal and return the boilerplate.
     vector->Set(literals_slot, *site);
@@ skipping 89 matching lines @@
 
   Handle<FeedbackVector> vector(closure->feedback_vector(), isolate);
   FeedbackSlot literals_slot(FeedbackVector::ToSlot(literals_index));
   RETURN_RESULT_OR_FAILURE(
       isolate, CreateArrayLiteralImpl(isolate, vector, literals_slot, elements,
                                       ArrayLiteral::kShallowElements));
 }
 
 }  // namespace internal
 }  // namespace v8