| OLD | NEW |
|---|
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins/builtins.h" | 5 #include "src/builtins/builtins.h" |
| 6 #include "src/builtins/builtins-utils.h" | 6 #include "src/builtins/builtins-utils.h" |
| 7 | 7 |
| 8 #include "src/code-factory.h" | 8 #include "src/code-factory.h" |
| 9 #include "src/contexts.h" | 9 #include "src/contexts.h" |
| 10 #include "src/elements.h" | 10 #include "src/elements.h" |
| (...skipping 439 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 450 // during iteration. | 450 // during iteration. |
| 451 // This shouldn't happen in anything but pathological cases. | 451 // This shouldn't happen in anything but pathological cases. |
| 452 SetDictionaryMode(); | 452 SetDictionaryMode(); |
| 453 // Fall-through to dictionary mode. | 453 // Fall-through to dictionary mode. |
| 454 } | 454 } |
| 455 DCHECK(!fast_elements()); | 455 DCHECK(!fast_elements()); |
| 456 Handle<SeededNumberDictionary> dict( | 456 Handle<SeededNumberDictionary> dict( |
| 457 SeededNumberDictionary::cast(*storage_)); | 457 SeededNumberDictionary::cast(*storage_)); |
| 458 // The object holding this backing store has just been allocated, so | 458 // The object holding this backing store has just been allocated, so |
| 459 // it cannot yet be used as a prototype. | 459 // it cannot yet be used as a prototype. |
| 460 Handle<JSObject> not_a_prototype_holder; | 460 Handle<SeededNumberDictionary> result = |
| 461 Handle<SeededNumberDictionary> result = SeededNumberDictionary::AtNumberPut( | 461 SeededNumberDictionary::AtNumberPut(dict, index, elm, false); |
| 462 dict, index, elm, not_a_prototype_holder); | |
| 463 if (!result.is_identical_to(dict)) { | 462 if (!result.is_identical_to(dict)) { |
| 464 // Dictionary needed to grow. | 463 // Dictionary needed to grow. |
| 465 clear_storage(); | 464 clear_storage(); |
| 466 set_storage(*result); | 465 set_storage(*result); |
| 467 } | 466 } |
| 468 return true; | 467 return true; |
| 469 } | 468 } |
| 470 | 469 |
| 471 void increase_index_offset(uint32_t delta) { | 470 void increase_index_offset(uint32_t delta) { |
| 472 if (JSObject::kMaxElementCount - index_offset_ < delta) { | 471 if (JSObject::kMaxElementCount - index_offset_ < delta) { |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 519 Handle<FixedArray> current_storage = storage_fixed_array(); | 518 Handle<FixedArray> current_storage = storage_fixed_array(); |
| 520 Handle<SeededNumberDictionary> slow_storage( | 519 Handle<SeededNumberDictionary> slow_storage( |
| 521 SeededNumberDictionary::New(isolate_, current_storage->length())); | 520 SeededNumberDictionary::New(isolate_, current_storage->length())); |
| 522 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); | 521 uint32_t current_length = static_cast<uint32_t>(current_storage->length()); |
| 523 FOR_WITH_HANDLE_SCOPE( | 522 FOR_WITH_HANDLE_SCOPE( |
| 524 isolate_, uint32_t, i = 0, i, i < current_length, i++, { | 523 isolate_, uint32_t, i = 0, i, i < current_length, i++, { |
| 525 Handle<Object> element(current_storage->get(i), isolate_); | 524 Handle<Object> element(current_storage->get(i), isolate_); |
| 526 if (!element->IsTheHole(isolate_)) { | 525 if (!element->IsTheHole(isolate_)) { |
| 527 // The object holding this backing store has just been allocated, so | 526 // The object holding this backing store has just been allocated, so |
| 528 // it cannot yet be used as a prototype. | 527 // it cannot yet be used as a prototype. |
| 529 Handle<JSObject> not_a_prototype_holder; | |
| 530 Handle<SeededNumberDictionary> new_storage = | 528 Handle<SeededNumberDictionary> new_storage = |
| 531 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, | 529 SeededNumberDictionary::AtNumberPut(slow_storage, i, element, |
| 532 not_a_prototype_holder); | 530 false); |
| 533 if (!new_storage.is_identical_to(slow_storage)) { | 531 if (!new_storage.is_identical_to(slow_storage)) { |
| 534 slow_storage = loop_scope.CloseAndEscape(new_storage); | 532 slow_storage = loop_scope.CloseAndEscape(new_storage); |
| 535 } | 533 } |
| 536 } | 534 } |
| 537 }); | 535 }); |
| 538 clear_storage(); | 536 clear_storage(); |
| 539 set_storage(*slow_storage); | 537 set_storage(*slow_storage); |
| 540 set_fast_elements(false); | 538 set_fast_elements(false); |
| 541 } | 539 } |
| 542 | 540 |
| (...skipping 2071 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2614 Runtime::kThrowIncompatibleMethodReceiver, context, | 2612 Runtime::kThrowIncompatibleMethodReceiver, context, |
| 2615 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( | 2613 assembler.HeapConstant(assembler.factory()->NewStringFromAsciiChecked( |
| 2616 "Array Iterator.prototype.next", TENURED)), | 2614 "Array Iterator.prototype.next", TENURED)), |
| 2617 iterator); | 2615 iterator); |
| 2618 assembler.Return(result); | 2616 assembler.Return(result); |
| 2619 } | 2617 } |
| 2620 } | 2618 } |
| 2621 | 2619 |
| 2622 } // namespace internal | 2620 } // namespace internal |
| 2623 } // namespace v8 | 2621 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2538693002:
Revert of [ic] Use validity cells to protect keyed element stores against object's prototype chain… (Closed)
