Chromium Code Reviews Chromium Code Reviews
Issue 2445333002:
Ensure slow properties for simple {__proto__:null} literals. (Closed)
| Index: src/runtime/runtime-literals.cc |
| diff --git a/src/runtime/runtime-literals.cc b/src/runtime/runtime-literals.cc |
| index 7beadf5e0bb1e099beb685f82ed40955c28d89db..cd7c52c1337d1e4191a1cb8c6aeb10e1f92fa50b 100644 |
| --- a/src/runtime/runtime-literals.cc |
| +++ b/src/runtime/runtime-literals.cc |
| @@ -14,16 +14,6 @@ |
| namespace v8 { |
| namespace internal { |
| -static Handle<Map> ComputeObjectLiteralMap( |
| - Handle<Context> context, |
| - Handle<BoilerplateDescription> boilerplate_description, |
| - bool* is_result_from_cache) { |
| - int number_of_properties = boilerplate_description->backing_store_size(); |
| - Isolate* isolate = context->GetIsolate(); |
| - return isolate->factory()->ObjectLiteralMapFromCache( |
| - context, number_of_properties, is_result_from_cache); |
| -} |
| - |
| MUST_USE_RESULT static MaybeHandle<Object> CreateLiteralBoilerplate( |
| Isolate* isolate, Handle<FeedbackVector> vector, |
| Handle<BoilerplateDescription> boilerplate_description); |
| @@ -31,33 +21,37 @@ MUST_USE_RESULT static MaybeHandle<Object> CreateLiteralBoilerplate( |
| MUST_USE_RESULT static MaybeHandle<Object> CreateObjectLiteralBoilerplate( |
| Isolate* isolate, Handle<FeedbackVector> vector, |
| Handle<BoilerplateDescription> boilerplate_description, |
| - bool should_have_fast_elements) { |
| + bool use_fast_elements, bool has_null_prototype) { |
| Handle<Context> context = isolate->native_context(); |
| // In case we have function literals, we want the object to be in |
| // slow properties mode for now. We don't go in the map cache because |
| // maps with constant functions can't be shared if the functions are |
| // not the same (which is the common case). |
| + int number_of_properties = boilerplate_description->backing_store_size(); |
| bool is_result_from_cache = false; |
| - Handle<Map> map = ComputeObjectLiteralMap(context, boilerplate_description, |
| - &is_result_from_cache); |
| + Handle<Map> map = isolate->factory()->ObjectLiteralMapFromCache( |
| + context, number_of_properties, has_null_prototype, &is_result_from_cache); |
| PretenureFlag pretenure_flag = |
| isolate->heap()->InNewSpace(*vector) ? NOT_TENURED : TENURED; |
| - Handle<JSObject> boilerplate = |
| - isolate->factory()->NewJSObjectFromMap(map, pretenure_flag); |
| + Handle<JSObject> boilerplate; |
| + if (map->is_dictionary_map()) { |
| + boilerplate = isolate->factory()->NewSlowJSObjectFromMap( |
| + map, number_of_properties, pretenure_flag); |
| + } else { |
| + boilerplate = isolate->factory()->NewJSObjectFromMap(map, pretenure_flag); |
| + } |
| // Normalize the elements of the boilerplate to save space if needed. |
| - if (!should_have_fast_elements) JSObject::NormalizeElements(boilerplate); |
| + if (!use_fast_elements) JSObject::NormalizeElements(boilerplate); |
| // Add the constant properties to the boilerplate. |
| int length = boilerplate_description->size(); |
| bool should_transform = |
| !is_result_from_cache && boilerplate->HasFastProperties(); |
|
Toon Verwaest
2017/03/14 13:27:47
This code is a little weird. I think we can even C
Camillo Bruni
2017/03/17 16:40:55
added separate initial slow map for this case.
|
| - bool should_normalize = should_transform; |
| - if (should_normalize) { |
| - // TODO(verwaest): We might not want to ever normalize here. |
|
Toon Verwaest
2017/03/14 13:27:48
Why are you removing this?
Camillo Bruni
2017/03/17 16:40:55
readded.
|
| + if (should_transform) { |
| JSObject::NormalizeProperties(boilerplate, KEEP_INOBJECT_PROPERTIES, length, |
| "Boilerplate"); |
| } |
| @@ -184,12 +178,14 @@ MUST_USE_RESULT static MaybeHandle<Object> CreateLiteralBoilerplate( |
| case CompileTimeValue::OBJECT_LITERAL_FAST_ELEMENTS: { |
| Handle<BoilerplateDescription> props = |
| Handle<BoilerplateDescription>::cast(elements); |
|
Toon Verwaest
2017/03/14 13:27:48
If we make sure that props[0] contains __proto__:n
Camillo Bruni
2017/03/17 16:40:55
ack.
|
| - return CreateObjectLiteralBoilerplate(isolate, vector, props, true); |
| + return CreateObjectLiteralBoilerplate(isolate, vector, props, true, |
| + false); |
| } |
| case CompileTimeValue::OBJECT_LITERAL_SLOW_ELEMENTS: { |
| Handle<BoilerplateDescription> props = |
| Handle<BoilerplateDescription>::cast(elements); |
| - return CreateObjectLiteralBoilerplate(isolate, vector, props, false); |
| + return CreateObjectLiteralBoilerplate(isolate, vector, props, false, |
| + false); |
| } |
| case CompileTimeValue::ARRAY_LITERAL: { |
| Handle<ConstantElementsPair> elems = |
| @@ -233,8 +229,9 @@ RUNTIME_FUNCTION(Runtime_CreateObjectLiteral) { |
| 2); |
| CONVERT_SMI_ARG_CHECKED(flags, 3); |
| Handle<FeedbackVector> vector(closure->feedback_vector(), isolate); |
| - bool should_have_fast_elements = (flags & ObjectLiteral::kFastElements) != 0; |
| + bool use_fast_elements = (flags & ObjectLiteral::kFastElements) != 0; |
| bool enable_mementos = (flags & ObjectLiteral::kDisableMementos) == 0; |
| + bool has_null_prototype = (flags & ObjectLiteral::kHasNullPrototype) != 0; |
| FeedbackSlot literals_slot(FeedbackVector::ToSlot(literals_index)); |
| CHECK(literals_slot.ToInt() < vector->slot_count()); |
| @@ -248,7 +245,7 @@ RUNTIME_FUNCTION(Runtime_CreateObjectLiteral) { |
| ASSIGN_RETURN_FAILURE_ON_EXCEPTION( |
| isolate, raw_boilerplate, |
| CreateObjectLiteralBoilerplate(isolate, vector, boilerplate_description, |
| - should_have_fast_elements)); |
| + use_fast_elements, has_null_prototype)); |
| boilerplate = Handle<JSObject>::cast(raw_boilerplate); |
| AllocationSiteCreationContext creation_context(isolate); |
