Correct handling of arrays with callbacks in the prototype chain.

src/objects.h

Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index 6a94edd93fc88c47d4a1a1b474072d1731dd8561..9701477a4c312f117a35afc6e2be690010fb6a2d 100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -2102,8 +2102,13 @@ class JSObject: public JSReceiver {
   inline bool HasExternalDoubleElements();
   bool HasFastArgumentsElements();
   bool HasDictionaryArgumentsElements();
+  inline bool HasNonStrictArgumentsElementsMap();
   inline SeededNumberDictionary* element_dictionary();  // Gets slow elements.
 
+  // Gets elements from the appropriate location if a normal object or a
+  // non-strict arguments object.
+  inline FixedArrayBase* GetElements();

[danno, 2013/10/30 12:17:45]

Why is elements() not sufficient here?

+
   inline bool ShouldTrackAllocationInfo();
 
   inline void set_map_and_elements(
@@ -2497,6 +2502,14 @@ class JSObject: public JSReceiver {
 
   MUST_USE_RESULT MaybeObject* NormalizeElements();
 
+  // Convert the elements backing store as a SeededNumberDictionary dictionary.
+  // Precondition: the elements aren't already a dictionary.
+  // Does not set the new elements in the object.
+  static Handle<SeededNumberDictionary> CreateNormalizedElements(
+      Handle<JSObject> object);
+
+  MUST_USE_RESULT MaybeObject* CreateNormalizedElements();
+
   // Transform slow named properties to fast variants.
   static void TransformToFastProperties(Handle<JSObject> object,
                                         int unused_property_fields);
@@ -5298,6 +5311,9 @@ class Code: public HeapObject {
   DECLARE_VERIFIER(Code)
 
   void ClearInlineCaches();
+  void ClearInlineCaches(Kind* kind);

[danno, 2013/10/30 12:17:45]

Shouldn't this one be private?

[mvstanton, 2013/10/30 18:22:28]

Done.

+  void ClearInlineCaches(Kind kind);
+
   void ClearTypeFeedbackCells(Heap* heap);
 
   BailoutId TranslatePcOffsetToAstId(uint32_t pc_offset);
@@ -5630,6 +5646,15 @@ class Map: public HeapObject {
   class IsUnstable:                 public BitField<bool, 29,  1> {};
   class IsMigrationTarget:          public BitField<bool, 30,  1> {};
 
+  // Bit field 4.
+  inline uint32_t bit_field4();
+  inline void set_bit_field4(uint32_t bits);
+
+  class HasElementCallbacks:        public BitField<int,   0,  1> {};
+
+  inline void set_has_element_callbacks(bool value);
+  inline bool has_element_callbacks();
+
   // Tells whether the object in the prototype property will be used
   // for instances created from this function.  If the prototype
   // property is set to a value that is not a JSObject, the prototype
@@ -5764,7 +5789,6 @@ class Map: public HeapObject {
       Map* transitioned_map);
   inline void SetTransition(int transition_index, Map* target);
   inline Map* GetTransition(int transition_index);
-
   static Handle<TransitionArray> AddTransition(Handle<Map> map,
                                                Handle<Name> key,
                                                Handle<Map> target,
@@ -5773,6 +5797,11 @@ class Map: public HeapObject {
   MUST_USE_RESULT inline MaybeObject* AddTransition(Name* key,
                                                     Map* target,
                                                     SimpleTransitionFlag flag);
+  inline bool HasElementCallbacksTransition();
+  inline Map* element_callbacks_map();
+  MUST_USE_RESULT inline MaybeObject* set_element_callbacks_map(
+      Map* callbacks_map);
+
   DECL_ACCESSORS(transitions, TransitionArray)
   inline void ClearTransitions(Heap* heap,
                                WriteBarrierMode mode = UPDATE_WRITE_BARRIER);
@@ -5786,6 +5815,8 @@ class Map: public HeapObject {
 
   int NumberOfFields();
 
+  bool MayHaveIndexedCallbacksInPrototypeChain();
+
   bool InstancesNeedRewriting(Map* target,
                               int target_number_of_fields,
                               int target_inobject,
@@ -6003,6 +6034,10 @@ class Map: public HeapObject {
 
   MUST_USE_RESULT MaybeObject* CopyAsElementsKind(ElementsKind kind,
                                                   TransitionFlag flag);
+  MUST_USE_RESULT MaybeObject* CopyAsElementCallbacksTransition(
+      bool with_dictionary_elements);
+  static Handle<Map> CopyAsElementCallbacksTransition(
+      Handle<Map> map, bool with_dictionary_elements);
 
   static Handle<Map> CopyForObserved(Handle<Map> map);
 
@@ -6180,7 +6215,8 @@ class Map: public HeapObject {
   static const int kCodeCacheOffset = kDescriptorsOffset + kPointerSize;
   static const int kDependentCodeOffset = kCodeCacheOffset + kPointerSize;
   static const int kBitField3Offset = kDependentCodeOffset + kPointerSize;
-  static const int kSize = kBitField3Offset + kPointerSize;
+  static const int kBitField4Offset = kBitField3Offset + kPointerSize;
+  static const int kSize = kBitField4Offset + kPointerSize;
 
   // Layout of pointer fields. Heap iteration code relies on them
   // being continuously allocated.