Merge V8 5.2.361.47 DO NOT MERGE
https://chromium.googlesource.com/v8/v8/+/5.2.361.47
FPIIM-449
Change-Id: Ibec421b85a9b88cb3a432ada642e469fe7e78346
(cherry picked from commit bcf72ee8e3b26f1d0726869c7ddb3921c68b09a8)
diff --git a/src/lookup.cc b/src/lookup.cc
index 3df8752..bdb9f0a 100644
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -158,47 +158,42 @@
DCHECK(IsFound() || !holder_->HasFastProperties());
}
-bool LookupIterator::HolderIsInContextIndex(uint32_t index) const {
- DisallowHeapAllocation no_gc;
-
- Object* context = heap()->native_contexts_list();
- while (!context->IsUndefined()) {
- Context* current_context = Context::cast(context);
- if (current_context->get(index) == *holder_) {
- return true;
- }
- context = current_context->get(Context::NEXT_CONTEXT_LINK);
- }
- return false;
-}
-
void LookupIterator::InternalUpdateProtector() {
if (isolate_->bootstrapper()->IsActive()) return;
- if (!isolate_->IsArraySpeciesLookupChainIntact()) return;
if (*name_ == heap()->constructor_string()) {
+ if (!isolate_->IsArraySpeciesLookupChainIntact()) return;
// Setting the constructor property could change an instance's @@species
if (holder_->IsJSArray()) {
isolate_->CountUsage(
v8::Isolate::UseCounterFeature::kArrayInstanceConstructorModified);
isolate_->InvalidateArraySpeciesProtector();
} else if (holder_->map()->is_prototype_map()) {
+ DisallowHeapAllocation no_gc;
// Setting the constructor of Array.prototype of any realm also needs
// to invalidate the species protector
- if (HolderIsInContextIndex(Context::INITIAL_ARRAY_PROTOTYPE_INDEX)) {
+ if (isolate_->IsInAnyContext(*holder_,
+ Context::INITIAL_ARRAY_PROTOTYPE_INDEX)) {
isolate_->CountUsage(v8::Isolate::UseCounterFeature::
kArrayPrototypeConstructorModified);
isolate_->InvalidateArraySpeciesProtector();
}
}
} else if (*name_ == heap()->species_symbol()) {
+ if (!isolate_->IsArraySpeciesLookupChainIntact()) return;
// Setting the Symbol.species property of any Array constructor invalidates
// the species protector
- if (HolderIsInContextIndex(Context::ARRAY_FUNCTION_INDEX)) {
+ if (isolate_->IsInAnyContext(*holder_, Context::ARRAY_FUNCTION_INDEX)) {
isolate_->CountUsage(
v8::Isolate::UseCounterFeature::kArraySpeciesModified);
isolate_->InvalidateArraySpeciesProtector();
}
+ } else if (*name_ == heap()->is_concat_spreadable_symbol()) {
+ if (!isolate_->IsIsConcatSpreadableLookupChainIntact()) return;
+ isolate_->InvalidateIsConcatSpreadableProtector();
+ } else if (*name_ == heap()->has_instance_symbol()) {
+ if (!isolate_->IsHasInstanceLookupChainIntact()) return;
+ isolate_->InvalidateHasInstanceProtector();
}
}
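Review bot: The `Symbol.species` branch passes the raw `*holder_` to `isolate_->IsInAnyContext(...)` without a `DisallowHeapAllocation` scope, while the prototype-map branch above adds `DisallowHeapAllocation no_gc;` before the same call. The removed `HolderIsInContextIndex` held that scope for the whole context-list walk, so the species path loses the debug-time assertion that nothing allocates while a raw pointer is compared against context slots. Unless `IsInAnyContext` opens its own scope (not visible in this diff), I would add `DisallowHeapAllocation no_gc;` at the top of the species branch too. Optimized array paths rely on this protector being invalidated, so the two callers should carry the same guarantees.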
@@ -352,9 +347,14 @@
ElementsAccessor* accessor = object->GetElementsAccessor();
accessor->Delete(object, number_);
} else {
- PropertyNormalizationMode mode = holder->map()->is_prototype_map()
- ? KEEP_INOBJECT_PROPERTIES
- : CLEAR_INOBJECT_PROPERTIES;
+ bool is_prototype_map = holder->map()->is_prototype_map();
+ RuntimeCallTimerScope stats_scope(
+ isolate_, is_prototype_map
+ ? &RuntimeCallStats::PrototypeObject_DeleteProperty
+ : &RuntimeCallStats::Object_DeleteProperty);
+
+ PropertyNormalizationMode mode =
+ is_prototype_map ? KEEP_INOBJECT_PROPERTIES : CLEAR_INOBJECT_PROPERTIES;
if (holder->HasFastProperties()) {
JSObject::NormalizeProperties(Handle<JSObject>::cast(holder), mode, 0,
@@ -370,11 +370,10 @@
state_ = NOT_FOUND;
}
-
void LookupIterator::TransitionToAccessorProperty(
- AccessorComponent component, Handle<Object> accessor,
+ Handle<Object> getter, Handle<Object> setter,
PropertyAttributes attributes) {
- DCHECK(!accessor->IsNull());
+ DCHECK(!getter->IsNull() || !setter->IsNull());
// Can only be called when the receiver is a JSObject. JSProxy has to be
// handled via a trap. Adding properties to primitive values is not
// observable.
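Review bot: The new `DCHECK(!getter->IsNull() || !setter->IsNull())` rejects only the both-null case and is compiled out of release builds, and nothing in the signature says what a single null handle means now that `AccessorComponent` is gone. Presumably a null getter or setter leaves that half of an existing pair unchanged, but that depends on `AccessorPair::SetComponents`, which this diff does not show. Once confirmed, I would state the contract in the comment block below the DCHECK, e.g. `// A null getter or setter leaves that component of an existing pair unchanged.` The function body continues outside this hunk.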
@@ -393,7 +392,7 @@
IsFound() ? static_cast<int>(number_) : DescriptorArray::kNotFound;
Handle<Map> new_map = Map::TransitionToAccessorProperty(
- old_map, name_, descriptor, component, accessor, attributes);
+ isolate_, old_map, name_, descriptor, getter, setter, attributes);
bool simple_transition = new_map->GetBackPointer() == receiver->map();
JSObject::MigrateToMap(receiver, new_map);
@@ -413,15 +412,18 @@
if (state() == ACCESSOR && GetAccessors()->IsAccessorPair()) {
pair = Handle<AccessorPair>::cast(GetAccessors());
// If the component and attributes are identical, nothing has to be done.
- if (pair->get(component) == *accessor) {
- if (property_details().attributes() == attributes) return;
+ if (pair->Equals(*getter, *setter)) {
+ if (property_details().attributes() == attributes) {
+ if (!IsElement()) JSObject::ReoptimizeIfPrototype(receiver);
+ return;
+ }
} else {
pair = AccessorPair::Copy(pair);
- pair->set(component, *accessor);
+ pair->SetComponents(*getter, *setter);
}
} else {
pair = factory()->NewAccessorPair();
- pair->set(component, *accessor);
+ pair->SetComponents(*getter, *setter);
}
TransitionToAccessorPair(pair, attributes);
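Review bot: The context comment `// If the component and attributes are identical, nothing has to be done.` is stale after this change. There is no `component` parameter any more, and the early-return path now does work, calling `JSObject::ReoptimizeIfPrototype(receiver)` for non-element properties. I would reword it to `// If getter, setter and attributes are all unchanged, only re-optimize a prototype receiver and return.` The enclosing function starts and ends outside this hunk.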
@@ -638,17 +640,7 @@
JSReceiver* LookupIterator::NextHolder(Map* map) {
DisallowHeapAllocation no_gc;
if (map->prototype() == heap()->null_value()) return NULL;
-
- DCHECK(!map->IsJSGlobalProxyMap() || map->has_hidden_prototype());
-
- if (!check_prototype_chain() &&
- !(check_hidden() && map->has_hidden_prototype()) &&
- // Always lookup behind the JSGlobalProxy into the JSGlobalObject, even
- // when not checking other hidden prototypes.
- !map->IsJSGlobalProxyMap()) {
- return NULL;
- }
-
+ if (!check_prototype_chain() && !map->has_hidden_prototype()) return NULL;
return JSReceiver::cast(map->prototype());
}
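Review bot: The one-line condition `if (!check_prototype_chain() && !map->has_hidden_prototype()) return NULL;` now depends on every JSGlobalProxy map having a hidden prototype in order to keep looking behind the proxy into the JSGlobalObject. The `DCHECK` that asserted exactly that invariant was removed along with the comment explaining it. I would keep `DCHECK(!map->IsJSGlobalProxyMap() || map->has_hidden_prototype());` above the condition and add a short comment that hidden prototypes are always followed. `check_hidden()` is also no longer consulted, so a lookup that does not check the prototype chain now crosses every hidden prototype. Whether any caller relied on the old distinction cannot be told from this hunk.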