| OLD | NEW |
|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins/builtins.h" | 5 #include "src/builtins/builtins.h" |
| 6 #include "src/builtins/builtins-utils.h" | 6 #include "src/builtins/builtins-utils.h" |
| 7 | 7 |
| 8 #include "src/code-factory.h" | 8 #include "src/code-factory.h" |
| 9 #include "src/contexts.h" | 9 #include "src/contexts.h" |
| 10 #include "src/elements.h" | 10 #include "src/elements.h" |
| (...skipping 439 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 450 // during iteration. | 450 // during iteration. |
| 451 // This shouldn't happen in anything but pathological cases. | 451 // This shouldn't happen in anything but pathological cases. |
| 452 SetDictionaryMode(); | 452 SetDictionaryMode(); |
| 453 // Fall-through to dictionary mode. | 453 // Fall-through to dictionary mode. |
| 454 } | 454 } |
| 455 DCHECK(!fast_elements()); | 455 DCHECK(!fast_elements()); |
| 456 Handle<SeededNumberDictionary> dict( | 456 Handle<SeededNumberDictionary> dict( |
| 457 SeededNumberDictionary::cast(*storage_)); | 457 SeededNumberDictionary::cast(*storage_)); |
| 458 // The object holding this backing store has just been allocated, so | 458 // The object holding this backing store has just been allocated, so |
| 459 // it cannot yet be used as a prototype. | 459 // it cannot yet be used as a prototype. |
| 460 Handle<SeededNumberDictionary> result = | 460 Handle<JSObject> not_a_prototype_holder; |
| 461 SeededNumberDictionary::AtNumberPut(dict, index, elm, false); | 461 Handle<SeededNumberDictionary> result = SeededNumberDictionary::AtNumberPut( |
| 462 dict, index, elm, not_a_prototype_holder); |
| 462 if (!result.is_identical_to(dict)) { | 463 if (!result.is_identical_to(dict)) { |
| 463 // Dictionary needed to grow. | 464 // Dictionary needed to grow. |
| 464 clear_storage(); | 465 clear_storage(); |
| 465 set_storage(*result); | 466 set_storage(*result); |
| 466 } | 467 } |
| 467 return true; | 468 return true; |
| 468 } | 469 } |
| 469 | 470 |
| 470 void increase_index_offset(uint32_t delta) { | 471 void increase_index_offset(uint32_t delta) { |
| 471 if (JSObject::kMaxElementCount - index_offset_ < delta) { | 472 if (JSObject::kMaxElementCount - index_offset_ < delta) { |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 518 Handle<FixedArray> current_storage = storage_fixed_array(); | 519 Handle<FixedArray> current_storage = storage_fixed_array(); |
| 519 Handle<SeededNumberDictionary> slow_storage( | 520 Handle<SeededNumberDictionary> slow_storage( |
| 520 SeededNumberDictionary::New(isolate_, current_storage->length())); | 521 SeededNumberDictionary::New(isolate_, current_storage->length())); |
| 521 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); | 522 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); |
| 522 FOR_WITH_HANDLE_SCOPE( | 523 FOR_WITH_HANDLE_SCOPE( |
| 523 isolate_, uint32_t, i = 0, i, i < current_length, i++, { | 524 isolate_, uint32_t, i = 0, i, i < current_length, i++, { |
| 524 Handle<Object> element(current_storage->get(i), isolate_); | 525 Handle<Object> element(current_storage->get(i), isolate_); |
| 525 if (!element->IsTheHole(isolate_)) { | 526 if (!element->IsTheHole(isolate_)) { |
| 526 // The object holding this backing store has just been allocated, so | 527 // The object holding this backing store has just been allocated, so |
| 527 // it cannot yet be used as a prototype. | 528 // it cannot yet be used as a prototype. |
| 529 Handle<JSObject> not_a_prototype_holder; |
| 528 Handle<SeededNumberDictionary> new_storage = | 530 Handle<SeededNumberDictionary> new_storage = |
| 529 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, | 531 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, |
| 530 false); | 532 not_a_prototype_holder); |
| 531 if (!new_storage.is_identical_to(slow_storage)) { | 533 if (!new_storage.is_identical_to(slow_storage)) { |
| 532 slow_storage = loop_scope.CloseAndEscape(new_storage); | 534 slow_storage = loop_scope.CloseAndEscape(new_storage); |
| 533 } | 535 } |
| 534 } | 536 } |
| 535 }); | 537 }); |
| 536 clear_storage(); | 538 clear_storage(); |
| 537 set_storage(*slow_storage); | 539 set_storage(*slow_storage); |
| 538 set_fast_elements(false); | 540 set_fast_elements(false); |
| 539 } | 541 } |
| 540 | 542 |
| (...skipping 2071 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2612 Runtime::kThrowIncompatibleMethodReceiver, context, | 2614 Runtime::kThrowIncompatibleMethodReceiver, context, |
| 2613 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( | 2615 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( |
| 2614 "Array Iterator.prototype.next", TENURED)), | 2616 "Array Iterator.prototype.next", TENURED)), |
| 2615 iterator); | 2617 iterator); |
| 2616 assembler.Return(result); | 2618 assembler.Return(result); |
| 2617 } | 2619 } |
| 2618 } | 2620 } |
| 2619 | 2621 |
| 2620 } // namespace internal | 2622 } // namespace internal |
| 2621 } // namespace v8 | 2623 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2534613002:
[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati… (Closed)
