Chromium Code Reviews Chromium Code Reviews
Issue 2534613002:
[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati… (Closed)
| Index: src/objects.cc |
| diff --git a/src/objects.cc b/src/objects.cc |
| index 9a903f1ff59ad217d25a74e53589927ea1d12ff7..3a4469e21d7f34b91f668823f32a252996009cc5 100644 |
| --- a/src/objects.cc |
| +++ b/src/objects.cc |
| @@ -6155,7 +6155,9 @@ void JSObject::RequireSlowElements(SeededNumberDictionary* dictionary) { |
| dictionary->set_requires_slow_elements(); |
| // TODO(verwaest): Remove this hack. |
|
Jakob Kummerow
2016/11/28 18:48:05
I think you're addressing this TODO :-)
Igor Sheludko
2016/11/28 22:25:54
Done.
|
| if (map()->is_prototype_map()) { |
| - TypeFeedbackVector::ClearAllKeyedStoreICs(GetIsolate()); |
| + // If this object is a prototype (the callee will check), invalidate any |
| + // prototype chains involving it. |
| + InvalidatePrototypeChains(map()); |
| } |
| } |
| @@ -15611,9 +15613,6 @@ Maybe<bool> JSObject::SetPrototype(Handle<JSObject> object, |
| // SpiderMonkey behaves this way. |
| if (!value->IsJSReceiver() && !value->IsNull(isolate)) return Just(true); |
| - bool dictionary_elements_in_chain = |
| - object->map()->DictionaryElementsInPrototypeChainOnly(); |
| - |
| bool all_extensible = object->map()->is_extensible(); |
| Handle<JSObject> real_receiver = object; |
| if (from_javascript) { |
| @@ -15679,14 +15678,6 @@ Maybe<bool> JSObject::SetPrototype(Handle<JSObject> object, |
| DCHECK(new_map->prototype() == *value); |
| JSObject::MigrateToMap(real_receiver, new_map); |
| - if (from_javascript && !dictionary_elements_in_chain && |
| - new_map->DictionaryElementsInPrototypeChainOnly()) { |
| - // If the prototype chain didn't previously have element callbacks, then |
| - // KeyedStoreICs need to be cleared to ensure any that involve this |
| - // map go generic. |
| - TypeFeedbackVector::ClearAllKeyedStoreICs(isolate); |
| - } |
| - |
| heap->ClearInstanceofCache(); |
| DCHECK(size == object->Size()); |
| return Just(true); |
| @@ -17383,7 +17374,7 @@ Handle<Object> JSObject::PrepareSlowElementsForSort( |
| return bailout; |
| } else { |
| Handle<Object> result = SeededNumberDictionary::AddNumberEntry( |
| - new_dict, pos, value, details, object->map()->is_prototype_map()); |
| + new_dict, pos, value, details, object); |
| DCHECK(result.is_identical_to(new_dict)); |
| USE(result); |
| pos++; |
| @@ -17394,7 +17385,7 @@ Handle<Object> JSObject::PrepareSlowElementsForSort( |
| return bailout; |
| } else { |
| Handle<Object> result = SeededNumberDictionary::AddNumberEntry( |
| - new_dict, key, value, details, object->map()->is_prototype_map()); |
| + new_dict, key, value, details, object); |
| DCHECK(result.is_identical_to(new_dict)); |
| USE(result); |
| } |
| @@ -17411,7 +17402,7 @@ Handle<Object> JSObject::PrepareSlowElementsForSort( |
| HandleScope scope(isolate); |
| Handle<Object> result = SeededNumberDictionary::AddNumberEntry( |
| new_dict, pos, isolate->factory()->undefined_value(), no_details, |
| - object->map()->is_prototype_map()); |
| + object); |
| DCHECK(result.is_identical_to(new_dict)); |
| USE(result); |
| pos++; |
| @@ -18183,8 +18174,8 @@ bool SeededNumberDictionary::HasComplexElements() { |
| return false; |
| } |
| -void SeededNumberDictionary::UpdateMaxNumberKey(uint32_t key, |
| - bool used_as_prototype) { |
| +void SeededNumberDictionary::UpdateMaxNumberKey( |
| + uint32_t key, Handle<JSObject> dictionary_holder) { |
| DisallowHeapAllocation no_allocation; |
| // If the dictionary requires slow elements an element has already |
| // been added at a high index. |
| @@ -18192,9 +18183,8 @@ void SeededNumberDictionary::UpdateMaxNumberKey(uint32_t key, |
| // Check if this index is high enough that we should require slow |
| // elements. |
| if (key > kRequiresSlowElementsLimit) { |
| - if (used_as_prototype) { |
| - // TODO(verwaest): Remove this hack. |
| - TypeFeedbackVector::ClearAllKeyedStoreICs(GetIsolate()); |
| + if (!dictionary_holder.is_null()) { |
| + dictionary_holder->RequireSlowElements(this); |
| } |
| set_requires_slow_elements(); |
| return; |
| @@ -18207,11 +18197,11 @@ void SeededNumberDictionary::UpdateMaxNumberKey(uint32_t key, |
| } |
| } |
| - |
| Handle<SeededNumberDictionary> SeededNumberDictionary::AddNumberEntry( |
| Handle<SeededNumberDictionary> dictionary, uint32_t key, |
| - Handle<Object> value, PropertyDetails details, bool used_as_prototype) { |
| - dictionary->UpdateMaxNumberKey(key, used_as_prototype); |
| + Handle<Object> value, PropertyDetails details, |
| + Handle<JSObject> dictionary_holder) { |
| + dictionary->UpdateMaxNumberKey(key, dictionary_holder); |
| SLOW_DCHECK(dictionary->FindEntry(key) == kNotFound); |
| return Add(dictionary, key, value, details); |
| } |
| @@ -18239,8 +18229,8 @@ Handle<UnseededNumberDictionary> UnseededNumberDictionary::DeleteKey( |
| Handle<SeededNumberDictionary> SeededNumberDictionary::AtNumberPut( |
| Handle<SeededNumberDictionary> dictionary, uint32_t key, |
| - Handle<Object> value, bool used_as_prototype) { |
| - dictionary->UpdateMaxNumberKey(key, used_as_prototype); |
| + Handle<Object> value, Handle<JSObject> dictionary_holder) { |
| + dictionary->UpdateMaxNumberKey(key, dictionary_holder); |
| return AtPut(dictionary, key, value); |
| } |
| @@ -18252,13 +18242,13 @@ Handle<UnseededNumberDictionary> UnseededNumberDictionary::AtNumberPut( |
| return AtPut(dictionary, key, value); |
| } |
| - |
| Handle<SeededNumberDictionary> SeededNumberDictionary::Set( |
| Handle<SeededNumberDictionary> dictionary, uint32_t key, |
| - Handle<Object> value, PropertyDetails details, bool used_as_prototype) { |
| + Handle<Object> value, PropertyDetails details, |
| + Handle<JSObject> dictionary_holder) { |
| int entry = dictionary->FindEntry(key); |
| if (entry == kNotFound) { |
| - return AddNumberEntry(dictionary, key, value, details, used_as_prototype); |
| + return AddNumberEntry(dictionary, key, value, details, dictionary_holder); |
| } |
| // Preserve enumeration index. |
| details = details.set_index(dictionary->DetailsAt(entry).dictionary_index()); |
