Array.prototype.map write error.

src/builtins/builtins-array-gen.cc

 // Copyright 2017 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins/builtins-utils-gen.h"
 #include "src/builtins/builtins.h"
 #include "src/code-stub-assembler.h"
 
 namespace v8 {
 namespace internal {
 
 class ArrayBuiltinCodeStubAssembler : public CodeStubAssembler {
  public:
   explicit ArrayBuiltinCodeStubAssembler(compiler::CodeAssemblerState* state)
       : CodeStubAssembler(state),
         k_(this, MachineRepresentation::kTagged),
         a_(this, MachineRepresentation::kTagged),
+        force_slow_(this, MachineRepresentation::kTagged, SmiConstant(0)),
         to_(this, MachineRepresentation::kTagged, SmiConstant(0)) {}
 
   typedef std::function<Node*(ArrayBuiltinCodeStubAssembler* masm)>
       BuiltinResultGenerator;
 
   typedef std::function<void(ArrayBuiltinCodeStubAssembler* masm)>
       BuiltinResultIndexInitializer;
 
   typedef std::function<Node*(ArrayBuiltinCodeStubAssembler* masm,
                               Node* k_value, Node* k)>
@@ skipping 160 matching lines @@
         // 2. Increase to by 1.
         to_.Bind(NumberInc(to_.value()));
         Goto(&false_continue);
       }
     }
     BIND(&false_continue);
     return a();
   }
 
   Node* MapResultGenerator() {
-    // 5. Let A be ? ArraySpeciesCreate(O, len).
-    return ArraySpeciesCreate(context(), o(), len_);
+    VARIABLE(species_constructor, MachineRepresentation::kTagged);
+    Label slow_path(this), done(this, &species_constructor);
+    GotoIf(DoesntHaveInstanceType(o(), JS_ARRAY_TYPE), &slow_path);
+    Node* o_map = LoadMap(o());
+    Node* const initial_array_prototype = LoadContextElement(
+        LoadNativeContext(context()), Context::INITIAL_ARRAY_PROTOTYPE_INDEX);
+    Node* proto = LoadMapPrototype(o_map);
+    GotoIf(WordNotEqual(proto, initial_array_prototype), &slow_path);
+
+    Node* species_protector = SpeciesProtectorConstant();
+    Node* value = LoadObjectField(species_protector, Cell::kValueOffset);
+    Node* const protector_invalid = SmiConstant(Isolate::kProtectorInvalid);
+    GotoIf(WordEqual(value, protector_invalid), &slow_path);
+
+    Node* const initial_array_constructor = LoadContextElement(
+        LoadNativeContext(context()), Context::ARRAY_FUNCTION_INDEX);
+    species_constructor.Bind(initial_array_constructor);
+    Goto(&done);
+
+    BIND(&slow_path);
+    {
+      // 5. Let A be ? ArraySpeciesCreate(O, len).
+      Node* constructor =
+          CallRuntime(Runtime::kArraySpeciesConstructor, context(), o());
+      species_constructor.Bind(constructor);
+      force_slow_.Bind(SmiConstant(1));

[danno, 2017/04/29 09:27:14]

Would it be a little cleaner to just jump to the slow full-spec continuation
here instead? Perhaps just rename the slow label fully_spec_compliant_ and keep
it as a member on the builtin assembler. Then you can just goto it here, and you
don't have to add the force_slow_ boolean.

+      Goto(&done);
+    }
+    BIND(&done);

[danno, 2017/04/29 09:27:14]

I am a little surprised this works... you change the value of not only the
species constructor variable but also the force_slow_ variable, but that
variable is not included as a merged variable on "done". You will need a phi
node for that, too, right? I think the way it's currently written you "force
slow" in all cases, since it's the last bound value before using it.

+    return ConstructJS(CodeFactory::Construct(isolate()), context(),
+                       species_constructor.value(), len_);
   }
 
   Node* MapProcessor(Node* k_value, Node* k) {
     //  i. Let kValue be ? Get(O, Pk). Performed by the caller of MapProcessor.
     // ii. Let mappedValue be ? Call(callbackfn, T, kValue, k, O).
     Node* mappedValue = CallJS(CodeFactory::Call(isolate()), context(),
                                callbackfn(), this_arg(), k_value, k, o());
 
     Label finished(this);
     Node* kind = nullptr;
     Node* elements = nullptr;
 
     // If a() is a JSArray, we can have a fast path.
     // mode is SMI_PARAMETERS because k has tagged representation.
     ParameterMode mode = SMI_PARAMETERS;
     Label fast(this);
     Label runtime(this);
     Label object_push_pre(this), object_push(this), double_push(this);
+    GotoIf(WordEqual(force_slow(), SmiConstant(1)), &runtime);
     BranchIfFastJSArray(a(), context(), FastJSArrayAccessMode::ANY_ACCESS,
                         &fast, &runtime);
 
     BIND(&fast);
     {
       kind = EnsureArrayPushable(a(), &runtime);
       elements = LoadElements(a());
       GotoIf(IsElementsKindGreaterThan(kind, FAST_HOLEY_SMI_ELEMENTS),
              &object_push_pre);
       TryStoreArrayElement(FAST_SMI_ELEMENTS, mode, &runtime, elements, k,
@@ skipping 35 matching lines @@
   void NullPostLoopAction() {}
 
  protected:
   Node* context() { return context_; }
   Node* receiver() { return receiver_; }
   Node* new_target() { return new_target_; }
   Node* o() { return o_; }
   Node* len() { return len_; }
   Node* callbackfn() { return callbackfn_; }
   Node* this_arg() { return this_arg_; }
+  Node* force_slow() { return force_slow_.value(); }
   Node* k() { return k_.value(); }
   Node* a() { return a_.value(); }
 
   void InitIteratingArrayBuiltinBody(Node* context, Node* receiver,
                                      Node* callbackfn, Node* this_arg,
                                      Node* new_target) {
     context_ = context;
     receiver_ = receiver;
     new_target_ = new_target;
     callbackfn_ = callbackfn;
@@ skipping 94 matching lines @@
                                                  Node* o, Node* initial_k,
                                                  Node* len, Node* to) {
     context_ = context;
     this_arg_ = this_arg;
     callbackfn_ = callbackfn;
     a_.Bind(a);
     k_.Bind(initial_k);
     o_ = o;
     len_ = len;
     to_.Bind(to);
+    force_slow_.Bind(SmiConstant(1));
   }
 
   void GenerateIteratingTypedArrayBuiltinBody(
       const char* name, const BuiltinResultGenerator& generator,
       const CallResultProcessor& processor, const PostLoopAction& action,
       ForEachDirection direction = ForEachDirection::kForward) {
     Node* name_string =
         HeapConstant(isolate()->factory()->NewStringFromAsciiChecked(name));
 
     // ValidateTypedArray: tc39.github.io/ecma262/#sec-validatetypedarray
@@ skipping 306 matching lines @@
 
   Node* callbackfn_ = nullptr;
   Node* o_ = nullptr;
   Node* this_arg_ = nullptr;
   Node* len_ = nullptr;
   Node* context_ = nullptr;
   Node* receiver_ = nullptr;
   Node* new_target_ = nullptr;
   Variable k_;
   Variable a_;
+  Variable force_slow_;
   Variable to_;
 };
 
 TF_BUILTIN(FastArrayPush, CodeStubAssembler) {
   VARIABLE(arg_index, MachineType::PointerRepresentation());
   Label default_label(this, &arg_index);
   Label smi_transition(this);
   Label object_push_pre(this);
   Label object_push(this, &arg_index);
   Label double_push(this, &arg_index);
@@ skipping 1509 matching lines @@
   {
     Node* message = SmiConstant(MessageTemplate::kDetachedOperation);
     CallRuntime(Runtime::kThrowTypeError, context, message,
                 HeapConstant(operation));
     Unreachable();
   }
 }
 
 }  // namespace internal
 }  // namespace v8