src/elements.cc - Issue 2534613002: [ic] Use validity cells to protect keyed element stores against object's prototype chain modificati…

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/elements.cc

Issue 2534613002: [ic] Use validity cells to protect keyed element stores against object's prototype chain modificati… (Closed)

Patch Set: The fix Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/elements.cc

diff --git a/src/elements.cc b/src/elements.cc

index 748b420cda863facede6c0e056da75ad721bd7e8..ffea033c93967fad28e66005bc3d62d7ceddad6f 100644

--- a/src/elements.cc

+++ b/src/elements.cc

@@ -1431,9 +1431,8 @@ class DictionaryElementsAccessor

? JSObject::NormalizeElements(object)

: handle(SeededNumberDictionary::cast(object->elements()));

Handle<SeededNumberDictionary> new_dictionary =

- SeededNumberDictionary::AddNumberEntry(

- dictionary, index, value, details,

- object->map()->is_prototype_map());

+ SeededNumberDictionary::AddNumberEntry(dictionary, index, value,

+ details, object);

if (attributes != NONE) object->RequireSlowElements(*new_dictionary);

if (dictionary.is_identical_to(new_dictionary)) return;

object->set_elements(*new_dictionary);

@@ -1773,15 +1772,14 @@ class FastElementsAccessor : public ElementsAccessorBase<Subclass, KindTraits> {

SeededNumberDictionary::New(isolate, capacity);

PropertyDetails details = PropertyDetails::Empty();

- bool used_as_prototype = object->map()->is_prototype_map();

int j = 0;

for (int i = 0; j < capacity; i++) {

if (IsHoleyElementsKind(kind)) {

if (BackingStore::cast(*store)->is_the_hole(isolate, i)) continue;

}

Handle<Object> value = Subclass::GetImpl(isolate, *store, i);

- dictionary = SeededNumberDictionary::AddNumberEntry(

- dictionary, i, value, details, used_as_prototype);

+ dictionary = SeededNumberDictionary::AddNumberEntry(dictionary, i, value,

+ details, object);

j++;

}

return dictionary;

@@ -3276,9 +3274,8 @@ class SlowSloppyArgumentsElementsAccessor

: JSObject::NormalizeElements(object);

PropertyDetails details(attributes, DATA, 0, PropertyCellType::kNoCell);

Handle<SeededNumberDictionary> new_dictionary =

- SeededNumberDictionary::AddNumberEntry(

- dictionary, index, value, details,

- object->map()->is_prototype_map());

+ SeededNumberDictionary::AddNumberEntry(dictionary, index, value,

+ details, object);

if (attributes != NONE) object->RequireSlowElements(*new_dictionary);

if (*dictionary != *new_dictionary) {

FixedArray::cast(object->elements())->set(1, *new_dictionary);

@@ -3311,7 +3308,7 @@ class SlowSloppyArgumentsElementsAccessor

Handle<SeededNumberDictionary> arguments(

SeededNumberDictionary::cast(parameter_map->get(1)), isolate);

arguments = SeededNumberDictionary::AddNumberEntry(

- arguments, entry, value, details, object->map()->is_prototype_map());

+ arguments, entry, value, details, object);

// If the attributes were NONE, we would have called set rather than

// reconfigure.

DCHECK_NE(NONE, attributes);

« no previous file with comments | « src/compiler/types.cc ('k') | src/factory.h » ('j') | src/ic/accessor-assembler.cc » ('J')