[builtins] implement JSBuiltinReducer for ArrayIteratorNext()

src/builtins/builtins-array.cc

Index: src/builtins/builtins-array.cc
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index 7e8c48668ff11cb36852eff96f67df69f7693ba4..152977022acbac9d3104ee9912f9a6afd3ccf265 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -2286,7 +2286,8 @@ void Builtins::Generate_ArrayIteratorPrototypeNext(
 
   assembler->Bind(&if_isnotfastarray);
   {
-    Label if_istypedarray(assembler), if_isgeneric(assembler);
+    Label if_istypedarray(assembler), if_isgeneric(assembler),
+        invalidate_protector(assembler);

[Benedikt Meurer, 2016/11/08 05:29:48]

The invalidate_protector label is unused.

 
     // If a is undefined, return CreateIterResultObject(undefined, true)
     assembler->GotoIf(
@@ -2301,6 +2302,8 @@ void Builtins::Generate_ArrayIteratorPrototypeNext(
 
     assembler->Bind(&if_isgeneric);
     {
+      Label if_wasfastarray(assembler), if_wasnotfastarray(assembler);

[Benedikt Meurer, 2016/11/08 05:29:48]

The if_wasnotfastarray label is unused.

+
       Node* length = nullptr;
       {
         Variable var_length(assembler, MachineRepresentation::kTagged);
@@ -2314,7 +2317,40 @@ void Builtins::Generate_ArrayIteratorPrototypeNext(
         {
           var_length.Bind(
               assembler->LoadObjectField(array, JSArray::kLengthOffset));
-          assembler->Goto(&done);
+
+          // Invalidate protector cell if needed
+          assembler->Branch(
+              assembler->WordNotEqual(orig_map, assembler->UndefinedConstant()),
+              &if_wasfastarray, &done);
+
+          assembler->Bind(&if_wasfastarray);
+          {
+            Label if_invalid(assembler, Label::kDeferred);
+            // Invalidate array_iterator_protector cell if needed (Not needed
+            // for keys iteration, or if already marked as invalid)
+            assembler->StoreObjectField(
+                iterator, JSArrayIterator::kIteratedObjectMapOffset,
+                assembler->UndefinedConstant());
+            assembler->GotoIf(
+                assembler->Uint32LessThanOrEqual(
+                    instance_type, assembler->Int32Constant(
+                                       JS_GENERIC_ARRAY_KEY_ITERATOR_TYPE)),
+                &done);
+
+            Node* invalid = assembler->SmiConstant(
+                Smi::FromInt(Isolate::kArrayProtectorInvalid));
+            Node* cell =
+                assembler->LoadRoot(Heap::kArrayIteratorProtectorRootIndex);
+            Node* cell_value =
+                assembler->LoadObjectField(cell, PropertyCell::kValueOffset);
+            assembler->Branch(assembler->WordEqual(cell_value, invalid), &done,
+                              &if_invalid);
+
+            assembler->Bind(&if_invalid);
+            assembler->CallRuntime(Runtime::kInvalidateArrayIteratorProtector,
+                                   context);
+            assembler->Goto(&done);
+          }
         }
 
         assembler->Bind(&if_isnotarray);
@@ -2377,6 +2413,8 @@ void Builtins::Generate_ArrayIteratorPrototypeNext(
 
         assembler->Bind(&if_isdetached);
         {
+          // TODO(caitp): If IsDetached(buffer) is true, throw a TypeError, per
+          // https://github.com/tc39/ecma262/issues/713
           var_length.Bind(assembler->SmiConstant(Smi::kZero));
           assembler->Goto(&done);
         }