| OLD | NEW |
|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins/builtins.h" | 5 #include "src/builtins/builtins.h" |
| 6 #include "src/builtins/builtins-utils.h" | 6 #include "src/builtins/builtins-utils.h" |
| 7 | 7 |
| 8 #include "src/code-factory.h" | 8 #include "src/code-factory.h" |
| 9 #include "src/contexts.h" | 9 #include "src/contexts.h" |
| 10 #include "src/elements.h" | 10 #include "src/elements.h" |
| (...skipping 583 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 594 // during iteration. | 594 // during iteration. |
| 595 // This shouldn't happen in anything but pathological cases. | 595 // This shouldn't happen in anything but pathological cases. |
| 596 SetDictionaryMode(); | 596 SetDictionaryMode(); |
| 597 // Fall-through to dictionary mode. | 597 // Fall-through to dictionary mode. |
| 598 } | 598 } |
| 599 DCHECK(!fast_elements()); | 599 DCHECK(!fast_elements()); |
| 600 Handle<SeededNumberDictionary> dict( | 600 Handle<SeededNumberDictionary> dict( |
| 601 SeededNumberDictionary::cast(*storage_)); | 601 SeededNumberDictionary::cast(*storage_)); |
| 602 // The object holding this backing store has just been allocated, so | 602 // The object holding this backing store has just been allocated, so |
| 603 // it cannot yet be used as a prototype. | 603 // it cannot yet be used as a prototype. |
| 604 Handle<SeededNumberDictionary> result = | 604 Handle<JSObject> not_a_prototype_holder; |
| 605 SeededNumberDictionary::AtNumberPut(dict, index, elm, false); | 605 Handle<SeededNumberDictionary> result = SeededNumberDictionary::AtNumberPut( |
| 606 dict, index, elm, not_a_prototype_holder); |
| 606 if (!result.is_identical_to(dict)) { | 607 if (!result.is_identical_to(dict)) { |
| 607 // Dictionary needed to grow. | 608 // Dictionary needed to grow. |
| 608 clear_storage(); | 609 clear_storage(); |
| 609 set_storage(*result); | 610 set_storage(*result); |
| 610 } | 611 } |
| 611 return true; | 612 return true; |
| 612 } | 613 } |
| 613 | 614 |
| 614 void increase_index_offset(uint32_t delta) { | 615 void increase_index_offset(uint32_t delta) { |
| 615 if (JSObject::kMaxElementCount - index_offset_ < delta) { | 616 if (JSObject::kMaxElementCount - index_offset_ < delta) { |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 662 Handle<FixedArray> current_storage = storage_fixed_array(); | 663 Handle<FixedArray> current_storage = storage_fixed_array(); |
| 663 Handle<SeededNumberDictionary> slow_storage( | 664 Handle<SeededNumberDictionary> slow_storage( |
| 664 SeededNumberDictionary::New(isolate_, current_storage->length())); | 665 SeededNumberDictionary::New(isolate_, current_storage->length())); |
| 665 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); | 666 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); |
| 666 FOR_WITH_HANDLE_SCOPE( | 667 FOR_WITH_HANDLE_SCOPE( |
| 667 isolate_, uint32_t, i = 0, i, i < current_length, i++, { | 668 isolate_, uint32_t, i = 0, i, i < current_length, i++, { |
| 668 Handle<Object> element(current_storage->get(i), isolate_); | 669 Handle<Object> element(current_storage->get(i), isolate_); |
| 669 if (!element->IsTheHole(isolate_)) { | 670 if (!element->IsTheHole(isolate_)) { |
| 670 // The object holding this backing store has just been allocated, so | 671 // The object holding this backing store has just been allocated, so |
| 671 // it cannot yet be used as a prototype. | 672 // it cannot yet be used as a prototype. |
| 673 Handle<JSObject> not_a_prototype_holder; |
| 672 Handle<SeededNumberDictionary> new_storage = | 674 Handle<SeededNumberDictionary> new_storage = |
| 673 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, | 675 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, |
| 674 false); | 676 not_a_prototype_holder); |
| 675 if (!new_storage.is_identical_to(slow_storage)) { | 677 if (!new_storage.is_identical_to(slow_storage)) { |
| 676 slow_storage = loop_scope.CloseAndEscape(new_storage); | 678 slow_storage = loop_scope.CloseAndEscape(new_storage); |
| 677 } | 679 } |
| 678 } | 680 } |
| 679 }); | 681 }); |
| 680 clear_storage(); | 682 clear_storage(); |
| 681 set_storage(*slow_storage); | 683 set_storage(*slow_storage); |
| 682 set_fast_elements(false); | 684 set_fast_elements(false); |
| 683 } | 685 } |
| 684 | 686 |
| (...skipping 2072 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2757 Runtime::kThrowIncompatibleMethodReceiver, context, | 2759 Runtime::kThrowIncompatibleMethodReceiver, context, |
| 2758 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( | 2760 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( |
| 2759 "Array Iterator.prototype.next", TENURED)), | 2761 "Array Iterator.prototype.next", TENURED)), |
| 2760 iterator); | 2762 iterator); |
| 2761 assembler.Return(result); | 2763 assembler.Return(result); |
| 2762 } | 2764 } |
| 2763 } | 2765 } |
| 2764 | 2766 |
| 2765 } // namespace internal | 2767 } // namespace internal |
| 2766 } // namespace v8 | 2768 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2534613002:
[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati… (Closed)
