Ensure slow properties for simple {__proto__:null} literals.

src/ast/ast.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ast/ast.h"
 
 #include <cmath>  // For isfinite.
 
 #include "src/ast/compile-time-value.h"
 #include "src/ast/prettyprinter.h"
@@ skipping 477 matching lines @@
           property->SetSlot(spec->AddStoreICSlot(language_mode));
         }
         break;
     }
   }
 
   for (; property_index < properties()->length(); property_index++) {
     ObjectLiteral::Property* property = properties()->at(property_index);
 
     Expression* value = property->value();
-    if (property->kind() != ObjectLiteral::Property::PROTOTYPE) {
+    if (!property->IsPrototype()) {
       if (FunctionLiteral::NeedsHomeObject(value)) {
         property->SetSlot(spec->AddStoreICSlot(language_mode));
       }
     }
     property->SetStoreDataPropertySlot(
         spec->AddStoreDataPropertyInLiteralICSlot());
   }
 }
 
 
 void ObjectLiteral::CalculateEmitStore(Zone* zone) {
   const auto GETTER = ObjectLiteral::Property::GETTER;
   const auto SETTER = ObjectLiteral::Property::SETTER;
 
   ZoneAllocationPolicy allocator(zone);
 
   CustomMatcherZoneHashMap table(
       Literal::Match, ZoneHashMap::kDefaultHashMapCapacity, allocator);
   for (int i = properties()->length() - 1; i >= 0; i--) {
     ObjectLiteral::Property* property = properties()->at(i);
     if (property->is_computed_name()) continue;
-    if (property->kind() == ObjectLiteral::Property::PROTOTYPE) continue;
+    if (property->IsPrototype()) continue;
     Literal* literal = property->key()->AsLiteral();
     DCHECK(!literal->IsNullLiteral());
 
     // If there is an existing entry do not emit a store unless the previous
     // entry was also an accessor.
     uint32_t hash = literal->Hash();
     ZoneHashMap::Entry* entry = table.LookupOrInsert(literal, hash, allocator);
     if (entry->value != NULL) {
       auto previous_kind =
           static_cast<ObjectLiteral::Property*>(entry->value)->kind();
       if (!((property->kind() == GETTER && previous_kind == SETTER) ||
             (property->kind() == SETTER && previous_kind == GETTER))) {
         property->set_emit_store(false);
       }
     }
     entry->value = property;
   }
 }
 
 
 bool ObjectLiteral::IsBoilerplateProperty(ObjectLiteral::Property* property) {
-  return property != NULL &&
-         property->kind() != ObjectLiteral::Property::PROTOTYPE;
+  return property != NULL && !property->IsPrototype();
 }
 
 void ObjectLiteral::InitDepthAndFlags() {
   if (depth_ > 0) return;
-
-  int position = 0;
+  uint32_t position = 0;
   // Accumulate the value in local variables and store it at the end.
   bool is_simple = true;
   int depth_acc = 1;
   uint32_t max_element_index = 0;
   uint32_t elements = 0;
   for (int i = 0; i < properties()->length(); i++) {
     ObjectLiteral::Property* property = properties()->at(i);
     if (!IsBoilerplateProperty(property)) {

[Toon Verwaest, 2017/03/20 14:47:11]

This is actually just property->IsPrototype(). The != NULL check above can't hit
I think; and the test suite seems to agree.

[Camillo Bruni, 2017/04/26 11:54:46]

done.

+      // __proto__:null has no side-effects and is set directly on the
+      // boilerplate.
+      if (property->IsNullPrototype()) {
+        set_has_null_protoype(true);
+        continue;
+      }
+      DCHECK(!has_null_prototype());
       is_simple = false;
       continue;
     }
-
-    if (static_cast<uint32_t>(position) == boilerplate_properties_ * 2) {
+    // Only check for __proto__:null after the first computed property name.
+    if (position > boilerplate_properties_) {

[Toon Verwaest, 2017/03/20 14:47:11]

What about simply doing a loop:

if (position == boilerplate_properties_) {
  // Check if any of the remaining properties is __proto__:null.
  if (!has_null_prototype()) {
    for (; i < properties->length(); i++) {
      if (properties()->at(i)->IsNullPrototype()) {
        set_has_null_prototype(true);
        break;
      }
    }
  }
  break;
}

You could also have another flag "has_seen_prototype" in case the
IsBoilerplateProperty above hits; as an alternative to has_null_prototype().

[Camillo Bruni, 2017/04/26 11:54:46]

Added separate helper method.
I will still iterate over the rest of the literal properties, given that you
might 

+      continue;
+    } else if (position == boilerplate_properties_) {
       DCHECK(property->is_computed_name());
       is_simple = false;
-      break;
+      position++;
+      continue;
     }
     DCHECK(!property->is_computed_name());
 
     MaterializedLiteral* m_literal = property->value()->AsMaterializedLiteral();
     if (m_literal != NULL) {
       m_literal->InitDepthAndFlags();
       if (m_literal->depth() >= depth_acc) depth_acc = m_literal->depth() + 1;
     }
 
     const AstValue* key = property->key()->AsLiteral()->raw_value();
@@ skipping 18 matching lines @@
     // literal with fast elements will be a waste of space.
     uint32_t element_index = 0;
     if (key->IsString() && key->AsString()->AsArrayIndex(&element_index)) {
       max_element_index = Max(element_index, max_element_index);
       elements++;
     } else if (key->ToUint32(&element_index) && element_index != kMaxUInt32) {
       max_element_index = Max(element_index, max_element_index);
       elements++;
     }
 
-    // Increment the position for the key and the value.
-    position += 2;
+    position++;
   }
 
-  bit_field_ = FastElementsField::update(
-      bit_field_,
-      (max_element_index <= 32) || ((2 * elements) >= max_element_index));
+  set_fast_elements((max_element_index <= 32) ||
+                    ((2 * elements) >= max_element_index));
+  set_has_elements(elements > 0);
   bit_field_ = HasElementsField::update(bit_field_, elements > 0);

[Toon Verwaest, 2017/03/20 14:47:11]

Leftover code?

[Camillo Bruni, 2017/04/26 11:54:46]

removed.

 
   set_is_simple(is_simple);
   set_depth(depth_acc);
 }
 
 void ObjectLiteral::BuildConstantProperties(Isolate* isolate) {
   if (!constant_properties_.is_null()) return;
 
   int index_keys = 0;
   bool has_seen_proto = false;
@@ skipping 494 matching lines @@
 #ifdef DEBUG
   return is_jsruntime() ? NameForNativeContextIntrinsicIndex(context_index_)
                         : function_->name;
 #else
   return is_jsruntime() ? "(context function)" : function_->name;
 #endif  // DEBUG
 }
 
 }  // namespace internal
 }  // namespace v8