Upgrade V8 to 5.1.281.57 DO NOT MERGE
FPIIM-449
Change-Id: Id981b686b4d587ac31697662eb98bb34be42ad90
(cherry picked from commit 3b9bc31999c9787eb726ecdbfd5796bfdec32a18)
diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc
index 45a4992..5bdb085 100644
--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -125,6 +125,82 @@
return JSReceiver::DeleteProperty(&it, language_mode);
}
+// ES6 19.1.3.2
+RUNTIME_FUNCTION(Runtime_ObjectHasOwnProperty) {
+ HandleScope scope(isolate);
+ Handle<Object> property = args.at<Object>(1);
+
+ Handle<Name> key;
+ uint32_t index;
+ bool key_is_array_index = property->ToArrayIndex(&index);
+
+ if (!key_is_array_index) {
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, key,
+ Object::ToName(isolate, property));
+ key_is_array_index = key->AsArrayIndex(&index);
+ }
+
+ Handle<Object> object = args.at<Object>(0);
+
+ if (object->IsJSObject()) {
+ Handle<JSObject> js_obj = Handle<JSObject>::cast(object);
+ // Fast case: either the key is a real named property or it is not
+ // an array index and there are no interceptors or hidden
+ // prototypes.
+ // TODO(jkummerow): Make JSReceiver::HasOwnProperty fast enough to
+ // handle all cases directly (without this custom fast path).
+ {
+ LookupIterator::Configuration c = LookupIterator::OWN_SKIP_INTERCEPTOR;
+ LookupIterator it =
+ key_is_array_index ? LookupIterator(isolate, js_obj, index, js_obj, c)
+ : LookupIterator(js_obj, key, js_obj, c);
+ Maybe<bool> maybe = JSReceiver::HasProperty(&it);
+ if (maybe.IsNothing()) return isolate->heap()->exception();
+ DCHECK(!isolate->has_pending_exception());
+ if (maybe.FromJust()) return isolate->heap()->true_value();
+ }
+
+ Map* map = js_obj->map();
+ if (!map->has_hidden_prototype() &&
+ (key_is_array_index ? !map->has_indexed_interceptor()
+ : !map->has_named_interceptor())) {
+ return isolate->heap()->false_value();
+ }
+
+ // Slow case.
+ LookupIterator::Configuration c = LookupIterator::HIDDEN;
+ LookupIterator it = key_is_array_index
+ ? LookupIterator(isolate, js_obj, index, js_obj, c)
+ : LookupIterator(js_obj, key, js_obj, c);
+
+ Maybe<bool> maybe = JSReceiver::HasProperty(&it);
+ if (maybe.IsNothing()) return isolate->heap()->exception();
+ DCHECK(!isolate->has_pending_exception());
+ return isolate->heap()->ToBoolean(maybe.FromJust());
+
+ } else if (object->IsJSProxy()) {
+ if (key.is_null()) {
+ DCHECK(key_is_array_index);
+ key = isolate->factory()->Uint32ToString(index);
+ }
+
+ Maybe<bool> result =
+ JSReceiver::HasOwnProperty(Handle<JSProxy>::cast(object), key);
+ if (!result.IsJust()) return isolate->heap()->exception();
+ return isolate->heap()->ToBoolean(result.FromJust());
+
+ } else if (object->IsString()) {
+ return isolate->heap()->ToBoolean(
+ key_is_array_index
+ ? index < static_cast<uint32_t>(String::cast(*object)->length())
+ : key->Equals(isolate->heap()->length_string()));
+ } else if (object->IsNull() || object->IsUndefined()) {
+ THROW_NEW_ERROR_RETURN_FAILURE(
+ isolate, NewTypeError(MessageTemplate::kUndefinedOrNullToObject));
+ }
+
+ return isolate->heap()->false_value();
+}
MaybeHandle<Object> Runtime::SetObjectProperty(Isolate* isolate,
Handle<Object> object,
@@ -205,7 +281,7 @@
Factory* factory = isolate->factory();
// Get attributes.
- LookupIterator it = LookupIterator::PropertyOrElement(isolate, obj, name,
+ LookupIterator it = LookupIterator::PropertyOrElement(isolate, obj, name, obj,
LookupIterator::HIDDEN);
Maybe<PropertyAttributes> maybe = JSObject::GetPropertyAttributes(&it);
@@ -293,7 +369,7 @@
Handle<Name> name(scope_info->ContextSlotName(slot), isolate);
Handle<JSGlobalObject> global_object(script_context->global_object(),
isolate);
- LookupIterator it(global_object, name, LookupIterator::HIDDEN);
+ LookupIterator it(global_object, name, global_object, LookupIterator::HIDDEN);
// Switch to fast mode only if there is a data property and it's not on
// a hidden prototype.
@@ -328,7 +404,7 @@
Handle<Name> name(scope_info->ContextSlotName(slot), isolate);
Handle<JSGlobalObject> global_object(script_context->global_object(),
isolate);
- LookupIterator it(global_object, name, LookupIterator::HIDDEN);
+ LookupIterator it(global_object, name, global_object, LookupIterator::HIDDEN);
// Switch to fast mode only if there is a data property and it's not on
// a hidden prototype.
@@ -413,7 +489,7 @@
#ifdef DEBUG
uint32_t index = 0;
DCHECK(!name->ToArrayIndex(&index));
- LookupIterator it(object, name, LookupIterator::OWN_SKIP_INTERCEPTOR);
+ LookupIterator it(object, name, object, LookupIterator::OWN_SKIP_INTERCEPTOR);
Maybe<PropertyAttributes> maybe = JSReceiver::GetPropertyAttributes(&it);
if (!maybe.IsJust()) return isolate->heap()->exception();
RUNTIME_ASSERT(!it.IsFound());
@@ -441,7 +517,7 @@
CHECK(key->ToArrayIndex(&index));
#ifdef DEBUG
- LookupIterator it(isolate, object, index,
+ LookupIterator it(isolate, object, index, object,
LookupIterator::OWN_SKIP_INTERCEPTOR);
Maybe<PropertyAttributes> maybe = JSReceiver::GetPropertyAttributes(&it);
if (!maybe.IsJust()) return isolate->heap()->exception();
@@ -532,85 +608,6 @@
}
-static Object* HasOwnPropertyImplementation(Isolate* isolate,
- Handle<JSObject> object,
- Handle<Name> key) {
- Maybe<bool> maybe = JSReceiver::HasOwnProperty(object, key);
- if (!maybe.IsJust()) return isolate->heap()->exception();
- if (maybe.FromJust()) return isolate->heap()->true_value();
- // Handle hidden prototypes. If there's a hidden prototype above this thing
- // then we have to check it for properties, because they are supposed to
- // look like they are on this object.
- if (object->map()->has_hidden_prototype()) {
- PrototypeIterator iter(isolate, object);
- DCHECK(!iter.IsAtEnd());
-
- // TODO(verwaest): The recursion is not necessary for keys that are array
- // indices. Removing this.
- // Casting to JSObject is fine because JSProxies are never used as
- // hidden prototypes.
- return HasOwnPropertyImplementation(
- isolate, PrototypeIterator::GetCurrent<JSObject>(iter), key);
- }
- RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
- return isolate->heap()->false_value();
-}
-
-
-RUNTIME_FUNCTION(Runtime_HasOwnProperty) {
- HandleScope scope(isolate);
- DCHECK(args.length() == 2);
- CONVERT_ARG_HANDLE_CHECKED(Object, object, 0)
- CONVERT_ARG_HANDLE_CHECKED(Name, key, 1);
-
- uint32_t index;
- const bool key_is_array_index = key->AsArrayIndex(&index);
-
- // Only JS objects can have properties.
- if (object->IsJSObject()) {
- Handle<JSObject> js_obj = Handle<JSObject>::cast(object);
- // Fast case: either the key is a real named property or it is not
- // an array index and there are no interceptors or hidden
- // prototypes.
- // TODO(jkummerow): Make JSReceiver::HasOwnProperty fast enough to
- // handle all cases directly (without this custom fast path).
- Maybe<bool> maybe = Nothing<bool>();
- if (key_is_array_index) {
- LookupIterator it(js_obj->GetIsolate(), js_obj, index,
- LookupIterator::HIDDEN);
- maybe = JSReceiver::HasProperty(&it);
- } else {
- maybe = JSObject::HasRealNamedProperty(js_obj, key);
- }
- if (!maybe.IsJust()) return isolate->heap()->exception();
- DCHECK(!isolate->has_pending_exception());
- if (maybe.FromJust()) {
- return isolate->heap()->true_value();
- }
- Map* map = js_obj->map();
- if (!key_is_array_index && !map->has_named_interceptor() &&
- !map->has_hidden_prototype()) {
- return isolate->heap()->false_value();
- }
- // Slow case.
- return HasOwnPropertyImplementation(isolate, Handle<JSObject>(js_obj),
- Handle<Name>(key));
- } else if (object->IsString() && key_is_array_index) {
- // Well, there is one exception: Handle [] on strings.
- Handle<String> string = Handle<String>::cast(object);
- if (index < static_cast<uint32_t>(string->length())) {
- return isolate->heap()->true_value();
- }
- } else if (object->IsJSProxy()) {
- Maybe<bool> result =
- JSReceiver::HasOwnProperty(Handle<JSProxy>::cast(object), key);
- if (!result.IsJust()) return isolate->heap()->exception();
- return isolate->heap()->ToBoolean(result.FromJust());
- }
- return isolate->heap()->false_value();
-}
-
-
// ES6 section 12.9.3, operator in.
RUNTIME_FUNCTION(Runtime_HasProperty) {
HandleScope scope(isolate);
@@ -840,8 +837,8 @@
CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
CONVERT_PROPERTY_ATTRIBUTES_CHECKED(attrs, 3);
- LookupIterator it = LookupIterator::PropertyOrElement(isolate, object, name,
- LookupIterator::OWN);
+ LookupIterator it = LookupIterator::PropertyOrElement(
+ isolate, object, name, object, LookupIterator::OWN);
if (it.state() == LookupIterator::ACCESS_CHECK && !it.HasAccess()) {
return isolate->heap()->undefined_value();
}
@@ -869,8 +866,8 @@
isolate->factory()->empty_string());
}
- LookupIterator it = LookupIterator::PropertyOrElement(isolate, object, name,
- LookupIterator::OWN);
+ LookupIterator it = LookupIterator::PropertyOrElement(
+ isolate, object, name, object, LookupIterator::OWN);
// Cannot fail since this should only be called when
// creating an object literal.
CHECK(JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, attrs,
@@ -915,15 +912,6 @@
}
-RUNTIME_FUNCTION(Runtime_IsStrong) {
- SealHandleScope shs(isolate);
- DCHECK(args.length() == 1);
- CONVERT_ARG_CHECKED(Object, obj, 0);
- return isolate->heap()->ToBoolean(obj->IsJSReceiver() &&
- JSReceiver::cast(obj)->map()->is_strong());
-}
-
-
RUNTIME_FUNCTION(Runtime_ClassOf) {
SealHandleScope shs(isolate);
DCHECK(args.length() == 1);
@@ -1118,6 +1106,9 @@
RUNTIME_FUNCTION(Runtime_InstanceOf) {
+ // TODO(4447): Remove this function when ES6 instanceof ships for good.
+ DCHECK(!FLAG_harmony_instanceof);
+
// ECMA-262, section 11.8.6, page 54.
HandleScope shs(isolate);
DCHECK_EQ(2, args.length());
@@ -1146,7 +1137,50 @@
Handle<Object> prototype;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, prototype,
- Object::GetProperty(callable, isolate->factory()->prototype_string()));
+ JSReceiver::GetProperty(Handle<JSReceiver>::cast(callable),
+ isolate->factory()->prototype_string()));
+ if (!prototype->IsJSReceiver()) {
+ THROW_NEW_ERROR_RETURN_FAILURE(
+ isolate,
+ NewTypeError(MessageTemplate::kInstanceofNonobjectProto, prototype));
+ }
+ // Return whether or not {prototype} is in the prototype chain of {object}.
+ Handle<JSReceiver> receiver = Handle<JSReceiver>::cast(object);
+ Maybe<bool> result =
+ JSReceiver::HasInPrototypeChain(isolate, receiver, prototype);
+ MAYBE_RETURN(result, isolate->heap()->exception());
+ return isolate->heap()->ToBoolean(result.FromJust());
+}
+
+RUNTIME_FUNCTION(Runtime_OrdinaryHasInstance) {
+ // ES6 section 19.2.3.6 Function.prototype[@@hasInstance](V)
+ HandleScope shs(isolate);
+ DCHECK_EQ(2, args.length());
+ DCHECK(args.length() == 2);
+ CONVERT_ARG_HANDLE_CHECKED(Object, object, 0);
+ CONVERT_ARG_HANDLE_CHECKED(Object, callable, 1);
+ // {callable} must have a [[Call]] internal method.
+ if (!callable->IsCallable()) {
+ return isolate->heap()->false_value();
+ }
+ // If {object} is not a receiver, return false.
+ if (!object->IsJSReceiver()) {
+ return isolate->heap()->false_value();
+ }
+ // Check if {callable} is bound, if so, get [[BoundTargetFunction]] from it
+ // and use that instead of {callable}.
+ while (callable->IsJSBoundFunction()) {
+ callable =
+ handle(Handle<JSBoundFunction>::cast(callable)->bound_target_function(),
+ isolate);
+ }
+ DCHECK(callable->IsCallable());
+ // Get the "prototype" of {callable}; raise an error if it's not a receiver.
+ Handle<Object> prototype;
+ ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+ isolate, prototype,
+ JSReceiver::GetProperty(Handle<JSReceiver>::cast(callable),
+ isolate->factory()->prototype_string()));
if (!prototype->IsJSReceiver()) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate,