Upgrade V8 to 5.1.281.57 DO NOT MERGE
FPIIM-449
Change-Id: Id981b686b4d587ac31697662eb98bb34be42ad90
(cherry picked from commit 3b9bc31999c9787eb726ecdbfd5796bfdec32a18)
diff --git a/src/isolate-inl.h b/src/isolate-inl.h
index c27b7a7..da36f76 100644
--- a/src/isolate-inl.h
+++ b/src/isolate-inl.h
@@ -97,6 +97,24 @@
NATIVE_CONTEXT_FIELDS(NATIVE_CONTEXT_FIELD_ACCESSOR)
#undef NATIVE_CONTEXT_FIELD_ACCESSOR
+bool Isolate::IsArraySpeciesLookupChainIntact() {
+ if (!FLAG_harmony_species) return true;
+ // Note: It would be nice to have debug checks to make sure that the
+ // species protector is accurate, but this would be hard to do for most of
+ // what the protector stands for:
+ // - You'd need to traverse the heap to check that no Array instance has
+ // a constructor property
+ // - To check that Array[Symbol.species] == Array, JS code has to execute,
+ // but JS cannot be invoked in callstack overflow situations
+ // All that could be checked reliably is that
+ // Array.prototype.constructor == Array. Given that limitation, no check is
+ // done here. In place, there are mjsunit tests harmony/array-species* which
+ // ensure that behavior is correct in various invalid protector cases.
+
+ PropertyCell* species_cell = heap()->species_protector();
+ return species_cell->value()->IsSmi() &&
+ Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
+}
} // namespace internal
} // namespace v8