// Copyright 2012 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "src/elements.h"

#include "src/arguments.h"
#include "src/conversions.h"
#include "src/frames.h"
#include "src/heap/factory.h"
#include "src/heap/heap-write-barrier-inl.h"
#include "src/isolate-inl.h"
#include "src/keys.h"
#include "src/message-template.h"
#include "src/objects-inl.h"
#include "src/objects/arguments-inl.h"
#include "src/objects/hash-table-inl.h"
#include "src/objects/js-array-buffer-inl.h"
#include "src/objects/js-array-inl.h"
#include "src/objects/slots-atomic-inl.h"
#include "src/objects/slots.h"
#include "src/utils.h"

// Each concrete ElementsAccessor can handle exactly one ElementsKind,
// several abstract ElementsAccessor classes are used to allow sharing
// common code.
//
// Inheritance hierarchy:
// - ElementsAccessorBase                        (abstract)
//   - FastElementsAccessor                      (abstract)
//     - FastSmiOrObjectElementsAccessor
//       - FastPackedSmiElementsAccessor
//       - FastHoleySmiElementsAccessor
//       - FastPackedObjectElementsAccessor
//       - FastHoleyObjectElementsAccessor
//     - FastDoubleElementsAccessor
//       - FastPackedDoubleElementsAccessor
//       - FastHoleyDoubleElementsAccessor
//   - TypedElementsAccessor: template, with instantiations:
//     - FixedUint8ElementsAccessor
//     - FixedInt8ElementsAccessor
//     - FixedUint16ElementsAccessor
//     - FixedInt16ElementsAccessor
//     - FixedUint32ElementsAccessor
//     - FixedInt32ElementsAccessor
//     - FixedFloat32ElementsAccessor
//     - FixedFloat64ElementsAccessor
//     - FixedUint8ClampedElementsAccessor
//     - FixedBigUint64ElementsAccessor
//     - FixedBigInt64ElementsAccessor
//   - DictionaryElementsAccessor
//   - SloppyArgumentsElementsAccessor
//     - FastSloppyArgumentsElementsAccessor
//     - SlowSloppyArgumentsElementsAccessor
//   - StringWrapperElementsAccessor
//     - FastStringWrapperElementsAccessor
//     - SlowStringWrapperElementsAccessor

namespace v8 {
namespace internal {


namespace {


// Sentinel for a |packed_size| argument whose value has not been computed
// (see the packed_size parameter of CopyPackedSmiToDoubleElements below).
constexpr int kPackedSizeNotKnown = -1;

// Position marker: either end of a range of elements.
enum Where {
  AT_START,
  AT_END,
};


// First argument in list is the accessor class, the second argument is the
// accessor ElementsKind, and the third is the backing store class.  Use the
// fast element handler for smi-only arrays.  The implementation is currently
// identical.  Note that the order must match that of the ElementsKind enum for
// the |accessor_array[]| below to work.
//
// ELEMENTS_LIST(V) expands V(AccessorClass, ElementsKind, BackingStore) once
// per entry; ELEMENTS_TRAITS below is one consumer of it.
#define ELEMENTS_LIST(V)                                                      \
  V(FastPackedSmiElementsAccessor, PACKED_SMI_ELEMENTS, FixedArray)           \
  V(FastHoleySmiElementsAccessor, HOLEY_SMI_ELEMENTS, FixedArray)             \
  V(FastPackedObjectElementsAccessor, PACKED_ELEMENTS, FixedArray)            \
  V(FastHoleyObjectElementsAccessor, HOLEY_ELEMENTS, FixedArray)              \
  V(FastPackedDoubleElementsAccessor, PACKED_DOUBLE_ELEMENTS,                 \
    FixedDoubleArray)                                                         \
  V(FastHoleyDoubleElementsAccessor, HOLEY_DOUBLE_ELEMENTS, FixedDoubleArray) \
  V(DictionaryElementsAccessor, DICTIONARY_ELEMENTS, NumberDictionary)        \
  V(FastSloppyArgumentsElementsAccessor, FAST_SLOPPY_ARGUMENTS_ELEMENTS,      \
    FixedArray)                                                               \
  V(SlowSloppyArgumentsElementsAccessor, SLOW_SLOPPY_ARGUMENTS_ELEMENTS,      \
    FixedArray)                                                               \
  V(FastStringWrapperElementsAccessor, FAST_STRING_WRAPPER_ELEMENTS,          \
    FixedArray)                                                               \
  V(SlowStringWrapperElementsAccessor, SLOW_STRING_WRAPPER_ELEMENTS,          \
    FixedArray)                                                               \
  V(FixedUint8ElementsAccessor, UINT8_ELEMENTS, FixedUint8Array)              \
  V(FixedInt8ElementsAccessor, INT8_ELEMENTS, FixedInt8Array)                 \
  V(FixedUint16ElementsAccessor, UINT16_ELEMENTS, FixedUint16Array)           \
  V(FixedInt16ElementsAccessor, INT16_ELEMENTS, FixedInt16Array)              \
  V(FixedUint32ElementsAccessor, UINT32_ELEMENTS, FixedUint32Array)           \
  V(FixedInt32ElementsAccessor, INT32_ELEMENTS, FixedInt32Array)              \
  V(FixedFloat32ElementsAccessor, FLOAT32_ELEMENTS, FixedFloat32Array)        \
  V(FixedFloat64ElementsAccessor, FLOAT64_ELEMENTS, FixedFloat64Array)        \
  V(FixedUint8ClampedElementsAccessor, UINT8_CLAMPED_ELEMENTS,                \
    FixedUint8ClampedArray)                                                   \
  V(FixedBigUint64ElementsAccessor, BIGUINT64_ELEMENTS, FixedBigUint64Array)  \
  V(FixedBigInt64ElementsAccessor, BIGINT64_ELEMENTS, FixedBigInt64Array)

// Primary template: the generic backing store for any ElementsKind. Each
// concrete kind gets an explicit specialisation via ELEMENTS_TRAITS below.
template <ElementsKind Kind>
class ElementsKindTraits {
 public:
  using BackingStore = FixedArrayBase;
};

// Specialises ElementsKindTraits for every (accessor, kind, store) triple in
// ELEMENTS_LIST, exposing the kind as |Kind| and the store type as
// |BackingStore|. The trailing out-of-class definition gives |Kind| a
// definition so it can be odr-used (needed before C++17).
#define ELEMENTS_TRAITS(Class, KindParam, Store)    \
  template <>                                       \
  class ElementsKindTraits<KindParam> {             \
   public: /* NOLINT */                             \
    static constexpr ElementsKind Kind = KindParam; \
    typedef Store BackingStore;                     \
  };                                                \
  constexpr ElementsKind ElementsKindTraits<KindParam>::Kind;
ELEMENTS_LIST(ELEMENTS_TRAITS)
#undef ELEMENTS_TRAITS

// Schedules a RangeError (MessageTemplate::kInvalidArrayLength) on |isolate|
// via THROW_NEW_ERROR and returns its result. The caller must check the
// returned MaybeHandle and propagate the pending exception
// (V8_WARN_UNUSED_RESULT makes ignoring it a compiler warning).
V8_WARN_UNUSED_RESULT
MaybeHandle<Object> ThrowArrayLengthRangeError(Isolate* isolate) {
  THROW_NEW_ERROR(isolate, NewRangeError(MessageTemplate::kInvalidArrayLength),
                  Object);
}

// Write-barrier policy for stores into a backing store of |kind|: writes into
// Smi-only and double stores skip the barrier, every other kind updates it.
WriteBarrierMode GetWriteBarrierMode(ElementsKind kind) {
  const bool barrier_free =
      IsSmiElementsKind(kind) || IsDoubleElementsKind(kind);
  return barrier_free ? SKIP_WRITE_BARRIER : UPDATE_WRITE_BARRIER;
}

// Copies |raw_copy_size| tagged elements from |from_base| (starting at
// |from_start|) into |to_base| (starting at |to_start|). Both stores must be
// FixedArrays holding Smi-or-object elements and |to_base| must not be the
// shared copy-on-write array. Nothing in here allocates.
//
// A negative |raw_copy_size| must be ElementsAccessor::kCopyToEnd or
// kCopyToEndAndInitializeToHole: the copy then extends to the end of the
// shorter store, and the latter additionally fills the tail of |to_base| with
// the_hole. Range checks are DCHECKs only, so callers must pass in-range
// offsets; release builds get no protection against an overrun here.
void CopyObjectToObjectElements(Isolate* isolate, FixedArrayBase from_base,
                                ElementsKind from_kind, uint32_t from_start,
                                FixedArrayBase to_base, ElementsKind to_kind,
                                uint32_t to_start, int raw_copy_size) {
  ReadOnlyRoots roots(isolate);
  DCHECK(to_base->map() != roots.fixed_cow_array_map());
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    // Copy whatever fits in both stores.
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      // Hole-fill the part of |to_base| that the copy will not cover.
      int start = to_start + copy_size;
      int length = to_base->length() - start;
      if (length > 0) {
        MemsetTagged(FixedArray::cast(to_base)->RawFieldOfElementAt(start),
                     roots.the_hole_value(), length);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray from = FixedArray::cast(from_base);
  FixedArray to = FixedArray::cast(to_base);
  DCHECK(IsSmiOrObjectElementsKind(from_kind));
  DCHECK(IsSmiOrObjectElementsKind(to_kind));

  // Smi elements carry no heap pointers, so the barrier is only needed when
  // both source and destination are object kinds.
  WriteBarrierMode write_barrier_mode =
      (IsObjectElementsKind(from_kind) && IsObjectElementsKind(to_kind))
          ? UPDATE_WRITE_BARRIER
          : SKIP_WRITE_BARRIER;
  for (int i = 0; i < copy_size; i++) {
    Object value = from->get(from_start + i);
    to->set(to_start + i, value, write_barrier_mode);
  }
}

// Copies the elements with keys [from_start, from_start + copy_size) out of
// the NumberDictionary |from_base| into the FixedArray |to_base| at
// |to_start|; keys absent from the dictionary become the_hole. With a
// negative |raw_copy_size| (one of the ElementsAccessor::kCopyToEnd*
// sentinels) the copy runs up to the dictionary's largest key, and
// kCopyToEndAndInitializeToHole additionally hole-fills the rest of
// |to_base|. The copy is clamped to the end of |to_base|; no allocation.
static void CopyDictionaryToObjectElements(
    Isolate* isolate, FixedArrayBase from_base, uint32_t from_start,
    FixedArrayBase to_base, ElementsKind to_kind, uint32_t to_start,
    int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  NumberDictionary from = NumberDictionary::cast(from_base);
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    // Everything from |from_start| up to and including the largest key.
    copy_size = from->max_number_key() + 1 - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      int start = to_start + copy_size;
      int length = to_base->length() - start;
      if (length > 0) {
        MemsetTagged(FixedArray::cast(to_base)->RawFieldOfElementAt(start),
                     ReadOnlyRoots(isolate).the_hole_value(), length);
      }
    }
  }
  DCHECK(to_base != from_base);
  DCHECK(IsSmiOrObjectElementsKind(to_kind));
  if (copy_size == 0) return;
  FixedArray to = FixedArray::cast(to_base);
  // Never write past the end of the destination.
  uint32_t to_length = to->length();
  if (to_start + copy_size > to_length) {
    copy_size = to_length - to_start;
  }
  WriteBarrierMode write_barrier_mode = GetWriteBarrierMode(to_kind);
  for (int i = 0; i < copy_size; i++) {
    // Each index that is not a dictionary key becomes a hole.
    int entry = from->FindEntry(isolate, i + from_start);
    if (entry != NumberDictionary::kNotFound) {
      Object value = from->ValueAt(entry);
      DCHECK(!value->IsTheHole(isolate));
      to->set(i + to_start, value, write_barrier_mode);
    } else {
      to->set_the_hole(isolate, i + to_start);
    }
  }
}

// Copies doubles out of the FixedDoubleArray |from_base| into the FixedArray
// |to_base|, boxing each value via FixedDoubleArray::get (which may allocate
// a HeapNumber). Because of that allocation the raw arguments are only
// handlified after the non-allocating prelude, and with
// kCopyToEndAndInitializeToHole the destination is hole-filled from
// |to_start| onwards *before* any boxing starts (see the comment below).
// Range checks are DCHECKs only.
//
// NOTE: this method violates the handlified function signature convention:
// raw pointer parameters in the function that allocates.
// See ElementsAccessorBase::CopyElements() for details.
static void CopyDoubleToObjectElements(Isolate* isolate,
                                       FixedArrayBase from_base,
                                       uint32_t from_start,
                                       FixedArrayBase to_base,
                                       uint32_t to_start, int raw_copy_size) {
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DisallowHeapAllocation no_allocation;
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      // Also initialize the area that will be copied over since HeapNumber
      // allocation below can cause an incremental marking step, requiring all
      // existing heap objects to be properly initialized.
      int start = to_start;
      int length = to_base->length() - start;
      if (length > 0) {
        MemsetTagged(FixedArray::cast(to_base)->RawFieldOfElementAt(start),
                     ReadOnlyRoots(isolate).the_hole_value(), length);
      }
    }
  }

  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;

  // From here on, the code below could actually allocate. Therefore the raw
  // values are wrapped into handles.
  Handle<FixedDoubleArray> from(FixedDoubleArray::cast(from_base), isolate);
  Handle<FixedArray> to(FixedArray::cast(to_base), isolate);

  // Use an outer loop to not waste too much time on creating HandleScopes.
  // On the other hand we might overflow a single handle scope depending on
  // the copy_size.
  int offset = 0;
  while (offset < copy_size) {
    // One scope per batch of 100 boxed values.
    HandleScope scope(isolate);
    offset += 100;
    for (int i = offset - 100; i < offset && i < copy_size; ++i) {
      Handle<Object> value =
          FixedDoubleArray::get(*from, i + from_start, isolate);
      to->set(i + to_start, *value, UPDATE_WRITE_BARRIER);
    }
  }
}

// Raw word-wise copy between two FixedDoubleArrays; no allocation and no
// write barrier (the payload is untagged doubles). With a
// ElementsAccessor::kCopyToEnd* sentinel the copy covers the shorter
// remaining range, and kCopyToEndAndInitializeToHole marks the leftover tail
// of |to_base| as holes. Range checks are DCHECKs only.
static void CopyDoubleToDoubleElements(FixedArrayBase from_base,
                                       uint32_t from_start,
                                       FixedArrayBase to_base,
                                       uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedDoubleArray from = FixedDoubleArray::cast(from_base);
  FixedDoubleArray to = FixedDoubleArray::cast(to_base);
  // Address of the first double to copy on each side: header, then offset.
  Address to_address = to->address() + FixedDoubleArray::kHeaderSize;
  Address from_address = from->address() + FixedDoubleArray::kHeaderSize;
  to_address += kDoubleSize * to_start;
  from_address += kDoubleSize * from_start;
  // CopyWords counts in system words, which may be smaller than a double.
  int words_per_double = (kDoubleSize / kSystemPointerSize);
  CopyWords(to_address, from_address,
            static_cast<size_t>(words_per_double * copy_size));
}

// Unboxes Smi elements of the FixedArray |from_base| into the
// FixedDoubleArray |to_base|; the_hole entries are carried across as holes.
// Any other element is passed straight to Smi::ToInt, so callers must only
// hand in Smi-or-hole stores. With a ElementsAccessor::kCopyToEnd* sentinel
// the copy runs to the end of |from_base|, and kCopyToEndAndInitializeToHole
// additionally hole-fills the tail of |to_base|. Range checks are DCHECKs
// only; nothing allocates.
static void CopySmiToDoubleElements(FixedArrayBase from_base,
                                    uint32_t from_start, FixedArrayBase to_base,
                                    uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = from_base->length() - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray from = FixedArray::cast(from_base);
  FixedDoubleArray to = FixedDoubleArray::cast(to_base);
  Object the_hole = from->GetReadOnlyRoots().the_hole_value();
  // |from_start| and |to_start| are advanced in place as the cursors.
  for (uint32_t from_end = from_start + static_cast<uint32_t>(copy_size);
       from_start < from_end; from_start++, to_start++) {
    Object hole_or_smi = from->get(from_start);
    if (hole_or_smi == the_hole) {
      to->set_the_hole(to_start);
    } else {
      to->set(to_start, Smi::ToInt(hole_or_smi));
    }
  }
}

// Variant of CopySmiToDoubleElements for a source known to be packed: the
// loop unboxes |packed_size| consecutive Smis starting at |from_start| and
// needs no per-element hole check (only a DCHECK). With a kCopyToEnd*
// sentinel |copy_size| becomes packed_size - from_start, and
// kCopyToEndAndInitializeToHole hole-fills |to_base| from to_start+copy_size
// to its end. Range checks are DCHECKs only; nothing allocates.
//
// NOTE(review): copy_size = packed_size - from_start treats |packed_size| as
// an absolute index, while the copy loop treats it as a count relative to
// |from_start|; together with the DCHECK packed_size <= copy_size this only
// lines up when from_start == 0 (or when |raw_copy_size| is explicit) —
// confirm against the callers.
static void CopyPackedSmiToDoubleElements(FixedArrayBase from_base,
                                          uint32_t from_start,
                                          FixedArrayBase to_base,
                                          uint32_t to_start, int packed_size,
                                          int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  uint32_t to_end;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = packed_size - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      to_end = to_base->length();
      for (uint32_t i = to_start + copy_size; i < to_end; ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    } else {
      to_end = to_start + static_cast<uint32_t>(copy_size);
    }
  } else {
    to_end = to_start + static_cast<uint32_t>(copy_size);
  }
  DCHECK(static_cast<int>(to_end) <= to_base->length());
  DCHECK(packed_size >= 0 && packed_size <= copy_size);
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray from = FixedArray::cast(from_base);
  FixedDoubleArray to = FixedDoubleArray::cast(to_base);
  // Only the packed prefix is copied; |from_start|/|to_start| are the cursors.
  for (uint32_t from_end = from_start + static_cast<uint32_t>(packed_size);
       from_start < from_end; from_start++, to_start++) {
    Object smi = from->get(from_start);
    DCHECK(!smi->IsTheHole());
    to->set(to_start, Smi::ToInt(smi));
  }
}

// Converts tagged elements of the FixedArray |from_base| into raw doubles in
// the FixedDoubleArray |to_base|; the_hole entries stay holes. Every other
// element is passed to Object::Number() without a check, so the source must
// already hold numbers. With a ElementsAccessor::kCopyToEnd* sentinel the
// copy runs to the end of |from_base|, and kCopyToEndAndInitializeToHole
// additionally hole-fills the tail of |to_base|. Range checks are DCHECKs
// only; nothing allocates.
static void CopyObjectToDoubleElements(FixedArrayBase from_base,
                                       uint32_t from_start,
                                       FixedArrayBase to_base,
                                       uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = from_base->length() - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray from = FixedArray::cast(from_base);
  FixedDoubleArray to = FixedDoubleArray::cast(to_base);
  Object the_hole = from->GetReadOnlyRoots().the_hole_value();
  // |from_start| and |to_start| are advanced in place as the cursors.
  for (uint32_t from_end = from_start + copy_size;
       from_start < from_end; from_start++, to_start++) {
    Object hole_or_object = from->get(from_start);
    if (hole_or_object == the_hole) {
      to->set_the_hole(to_start);
    } else {
      to->set(to_start, hole_or_object->Number());
    }
  }
}

// Double-store counterpart of CopyDictionaryToObjectElements: copies the
// elements with keys [from_start, from_start + copy_size) out of the
// NumberDictionary |from_base| into the FixedDoubleArray |to_base| at
// |to_start|, converting each value with Object::Number(); absent keys become
// holes. With a negative |raw_copy_size| the copy runs up to the largest key,
// and kCopyToEndAndInitializeToHole additionally hole-fills the tail of
// |to_base|. The copy is clamped to the end of |to_base|; nothing allocates.
static void CopyDictionaryToDoubleElements(
    Isolate* isolate, FixedArrayBase from_base, uint32_t from_start,
    FixedArrayBase to_base, uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  NumberDictionary from = NumberDictionary::cast(from_base);
  int copy_size = raw_copy_size;
  // |copy_size| still equals |raw_copy_size| at this point, so the sentinel
  // checks below may use either.
  if (copy_size < 0) {
    DCHECK(copy_size == ElementsAccessor::kCopyToEnd ||
           copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = from->max_number_key() + 1 - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  if (copy_size == 0) return;
  FixedDoubleArray to = FixedDoubleArray::cast(to_base);
  // Never write past the end of the destination.
  uint32_t to_length = to->length();
  if (to_start + copy_size > to_length) {
    copy_size = to_length - to_start;
  }
  for (int i = 0; i < copy_size; i++) {
    int entry = from->FindEntry(isolate, i + from_start);
    if (entry != NumberDictionary::kNotFound) {
      to->set(i + to_start, from->ValueAt(entry)->Number());
    } else {
      to->set_the_hole(i + to_start);
    }
  }
}

// Tracing helper: prints the topmost JavaScript frame of |isolate| to stdout.
// If the top frame is an internal Function.prototype.apply frame it is
// skipped and the output is prefixed with "apply from ". Prints a fixed
// message when there is no frame at all.
static void TraceTopFrame(Isolate* isolate) {
  StackFrameIterator frames(isolate);
  if (frames.done()) {
    PrintF("unknown location (no JavaScript frames present)");
    return;
  }
  StackFrame* top = frames.frame();
  if (top->is_internal()) {
    Code code = isolate->heap()->GcSafeFindCodeForInnerPointer(top->pc());
    const bool is_apply_builtin =
        code->builtin_index() == Builtins::kFunctionPrototypeApply;
    if (is_apply_builtin) {
      PrintF("apply from ");
      frames.Advance();
      top = frames.frame();
    }
  }
  JavaScriptFrame::PrintTop(isolate, stdout, false, true);
}

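// Sorts the first |sort_size| entries of |indices| into ascending numeric
// order, placing undefined entries after every number. Loads and stores go
// through AtomicSlot so the sort is safe against a concurrently marking GC;
// afterwards the write barrier is replayed over the sorted range unless the
// caller passed SKIP_WRITE_BARRIER.
//
// std::sort requires the comparator to be a strict weak ordering; a
// comparator that reports an element as less than itself is undefined
// behaviour. The previous version returned true for (undefined, undefined),
// which is fixed below by never ordering undefined before anything.
static void SortIndices(
    Isolate* isolate, Handle<FixedArray> indices, uint32_t sort_size,
    WriteBarrierMode write_barrier_mode = UPDATE_WRITE_BARRIER) {
  // Use AtomicSlot wrapper to ensure that std::sort uses atomic load and
  // store operations that are safe for concurrent marking.
  AtomicSlot start(indices->GetFirstElementAddress());
  std::sort(start, start + sort_size,
            [isolate](Tagged_t elementA, Tagged_t elementB) {
              // TODO(ishell): revisit the code below
              STATIC_ASSERT(kTaggedSize == kSystemPointerSize);
              Object a(elementA);
              Object b(elementB);
              const bool a_is_undefined =
                  !a->IsSmi() && a->IsUndefined(isolate);
              // undefined sorts last and never before another undefined
              // (irreflexivity is what std::sort relies on).
              if (a_is_undefined) return false;
              const bool b_is_undefined =
                  !b->IsSmi() && b->IsUndefined(isolate);
              // A number sorts before undefined, otherwise by value.
              if (b_is_undefined) return true;
              return a->Number() < b->Number();
            });
  if (write_barrier_mode != SKIP_WRITE_BARRIER) {
    FIXED_ARRAY_ELEMENTS_WRITE_BARRIER(isolate->heap(), *indices, 0, sort_size);
  }
}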

// Generic (slow) search for |value| in |receiver|[start_from, length) using
// a LookupIterator per index and SameValueZero semantics. An index with no
// element counts as a match when |value| is undefined. An exception raised
// while reading an element is propagated as Nothing<bool>().
static Maybe<bool> IncludesValueSlowPath(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> value,
                                         uint32_t start_from, uint32_t length) {
  const bool missing_matches = value->IsUndefined(isolate);
  uint32_t index = start_from;
  while (index < length) {
    LookupIterator it(isolate, receiver, index);
    ++index;
    if (!it.IsFound()) {
      if (missing_matches) return Just(true);
      continue;
    }
    Handle<Object> element;
    ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, element, Object::GetProperty(&it),
                                     Nothing<bool>());
    if (value->SameValueZero(*element)) return Just(true);
  }
  return Just(false);
}

// Generic (slow) search for the first index in |receiver|[start_from, length)
// whose element is StrictEquals to |value|. Indices without an element are
// skipped. Returns -1 when nothing matches; an exception raised while reading
// an element is propagated as Nothing<int64_t>().
static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
                                           Handle<JSObject> receiver,
                                           Handle<Object> value,
                                           uint32_t start_from,
                                           uint32_t length) {
  uint32_t index = start_from;
  while (index < length) {
    LookupIterator it(isolate, receiver, index);
    const uint32_t current = index++;
    if (it.IsFound()) {
      Handle<Object> element;
      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
          isolate, element, Object::GetProperty(&it), Nothing<int64_t>());
      if (value->StrictEquals(*element)) return Just<int64_t>(current);
    }
  }
  return Just<int64_t>(-1);
}

// The InternalElementsAccessor is a helper class to expose otherwise protected
// methods to its subclasses. Namely, we don't want to publicly expose methods
// that take an entry (instead of an index) as an argument.
class InternalElementsAccessor : public ElementsAccessor {
 public:
  explicit InternalElementsAccessor(const char* name)
      : ElementsAccessor(name) {}

  // Maps an element index to a backing-store entry. Re-declared here as a
  // public pure virtual so subclasses can call it on one another; the
  // not-found sentinel is kMaxUInt32 (see HasElementImpl below).
  uint32_t GetEntryForIndex(Isolate* isolate, JSObject holder,
                            FixedArrayBase backing_store,
                            uint32_t index) override = 0;

  // Property details for a backing-store entry; likewise re-exposed.
  PropertyDetails GetDetails(JSObject holder, uint32_t entry) override = 0;
};

// Base class for element handler implementations. Contains the
// common logic for objects with different ElementsKinds.
// Subclasses must specialize each method for which the element
// implementation differs from the base class implementation.
//
// This class is intended to be used in the following way:
//
//   class SomeElementsAccessor :
//       public ElementsAccessorBase<SomeElementsAccessor,
//                                   BackingStoreClass> {
//     ...
//   }
//
// This is an example of the Curiously Recurring Template Pattern (see
// http://en.wikipedia.org/wiki/Curiously_recurring_template_pattern).  We use
// CRTP to guarantee aggressive compile time optimizations (i.e.  inlining and
// specialization of SomeElementsAccessor methods).
template <typename Subclass, typename ElementsTraitsParam>
class ElementsAccessorBase : public InternalElementsAccessor {
 public:
  // Passes the accessor's name up to InternalElementsAccessor.
  explicit ElementsAccessorBase(const char* name)
      : InternalElementsAccessor(name) {}

  // Traits of the single ElementsKind this accessor handles, and the concrete
  // backing store type those traits prescribe.
  using ElementsTraits = ElementsTraitsParam;
  using BackingStore = typename ElementsTraitsParam::BackingStore;

  // The ElementsKind this accessor is responsible for, taken from its traits.
  static ElementsKind kind() { return ElementsTraits::Kind; }

  // Subclass hook invoked by ValidateImpl with the element count to check;
  // the base implementation verifies nothing.
  static void ValidateContents(JSObject holder, int length) {}

  // Works out how many elements to validate (the JSArray length when it is a
  // Smi, otherwise the backing store length) and hands that to the subclass.
  // Backing stores that are not heap objects, or that are fillers, are not
  // verifiable and are skipped.
  static void ValidateImpl(JSObject holder) {
    FixedArrayBase fixed_array_base = holder->elements();
    if (!fixed_array_base->IsHeapObject()) return;
    // Arrays that have been shifted in place can't be verified.
    if (fixed_array_base->IsFiller()) return;
    const bool is_array = holder->IsJSArray();
    int length = is_array ? 0 : fixed_array_base->length();
    if (is_array) {
      Object length_obj = JSArray::cast(holder)->length();
      if (length_obj->IsSmi()) length = Smi::ToInt(length_obj);
    }
    Subclass::ValidateContents(holder, length);
  }

  // Virtual entry point of validation: runs the subclass check with heap
  // allocation (and hence GC) disallowed for its duration.
  void Validate(JSObject holder) final {
    DisallowHeapAllocation no_gc;
    Subclass::ValidateImpl(holder);
  }

  // True if every index in [start, end) has an element. A packed kind is
  // packed by construction; for other kinds each index is probed through
  // HasElementImpl with no allocation allowed.
  static bool IsPackedImpl(JSObject holder, FixedArrayBase backing_store,
                           uint32_t start, uint32_t end) {
    DisallowHeapAllocation no_gc;
    if (IsFastPackedElementsKind(kind())) return true;
    Isolate* isolate = holder->GetIsolate();
    uint32_t index = start;
    while (index < end) {
      const bool present = Subclass::HasElementImpl(
          isolate, holder, index, backing_store, ALL_PROPERTIES);
      if (!present) return false;
      ++index;
    }
    return true;
  }

  // If this is a holey kind and |array| turns out to contain no holes within
  // its length, migrate it to the corresponding packed kind (tracing the
  // transition when FLAG_trace_elements_transitions is set).
  static void TryTransitionResultArrayToPacked(Handle<JSArray> array) {
    if (!IsHoleyElementsKind(kind())) return;
    Isolate* isolate = array->GetIsolate();
    Handle<FixedArrayBase> backing_store(array->elements(), isolate);
    int length = Smi::ToInt(array->length());
    const bool fully_packed =
        Subclass::IsPackedImpl(*array, *backing_store, 0, length);
    if (!fully_packed) return;

    ElementsKind packed_kind = GetPackedElementsKind(kind());
    Handle<Map> new_map =
        JSObject::GetElementsTransitionMap(array, packed_kind);
    JSObject::MigrateToMap(array, new_map);
    if (!FLAG_trace_elements_transitions) return;
    JSObject::PrintElementsTransition(stdout, array, kind(), backing_store,
                                      packed_kind, backing_store);
  }

  // Virtual entry point; the actual check is the static HasElementImpl.
  bool HasElement(JSObject holder, uint32_t index, FixedArrayBase backing_store,
                  PropertyFilter filter) final {
    return Subclass::HasElementImpl(holder->GetIsolate(), holder, index,
                                    backing_store, filter);
  }

  // An element exists at |index| iff the subclass can map it to an entry;
  // kMaxUInt32 is the "no entry" sentinel returned by GetEntryForIndexImpl.
  static bool HasElementImpl(Isolate* isolate, JSObject holder, uint32_t index,
                             FixedArrayBase backing_store,
                             PropertyFilter filter = ALL_PROPERTIES) {
    return Subclass::GetEntryForIndexImpl(isolate, holder, backing_store, index,
                                          filter) != kMaxUInt32;
  }

  // Virtual entry point; forwards to the static HasEntryImpl on the holder's
  // current elements.
  bool HasEntry(JSObject holder, uint32_t entry) final {
    return Subclass::HasEntryImpl(holder->GetIsolate(), holder->elements(),
                                  entry);
  }

  // Must be provided by every subclass that supports entry-based lookup; the
  // base implementation aborts.
  static bool HasEntryImpl(Isolate* isolate, FixedArrayBase backing_store,
                           uint32_t entry) {
    UNIMPLEMENTED();
  }

  // Virtual entry point; see HasAccessorsImpl.
  bool HasAccessors(JSObject holder) final {
    return Subclass::HasAccessorsImpl(holder, holder->elements());
  }

  // Default: a backing store of this kind holds no accessor properties. Kinds
  // that can hold accessors must override this.
  static bool HasAccessorsImpl(JSObject holder, FixedArrayBase backing_store) {
    return false;
  }

  // Virtual entry point; see GetInternalImpl.
  Handle<Object> Get(Handle<JSObject> holder, uint32_t entry) final {
    return Subclass::GetInternalImpl(holder, entry);
  }

  // Resolves the holder's isolate and current elements, then reads |entry|
  // through GetImpl.
  static Handle<Object> GetInternalImpl(Handle<JSObject> holder,
                                        uint32_t entry) {
    return Subclass::GetImpl(holder->GetIsolate(), holder->elements(), entry);
  }

  // Reads the element stored under |entry|: the entry is translated to an
  // index into |backing_store| first, and the value is handlified in
  // |isolate|.
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase backing_store,
                                uint32_t entry) {
    BackingStore store = BackingStore::cast(backing_store);
    return handle(store->get(GetIndexForEntryImpl(backing_store, entry)),
                  isolate);
  }

  // Virtual entry point; the store itself is the subclass's SetImpl (no base
  // implementation is visible here).
  void Set(Handle<JSObject> holder, uint32_t entry, Object value) final {
    Subclass::SetImpl(holder, entry, value);
  }

  // Virtual entry point; see ReconfigureImpl.
  void Reconfigure(Handle<JSObject> object, Handle<FixedArrayBase> store,
                   uint32_t entry, Handle<Object> value,
                   PropertyAttributes attributes) final {
    Subclass::ReconfigureImpl(object, store, entry, value, attributes);
  }

  // Changing an element's attributes is unsupported unless a subclass
  // overrides this; reaching the base implementation is a bug.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    UNREACHABLE();
  }

  // Virtual entry point; see AddImpl.
  void Add(Handle<JSObject> object, uint32_t index, Handle<Object> value,
           PropertyAttributes attributes, uint32_t new_capacity) final {
    Subclass::AddImpl(object, index, value, attributes, new_capacity);
  }

  // Adding an element is unsupported unless a subclass overrides this;
  // reaching the base implementation is a bug.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    UNREACHABLE();
  }

  // Virtual entry point; see PushImpl. Returns whatever the subclass reports
  // (presumably the new length, as the callers of Push would expect).
  uint32_t Push(Handle<JSArray> receiver, Arguments* args,
                uint32_t push_size) final {
    return Subclass::PushImpl(receiver, args, push_size);
  }

  // Push is unsupported unless a subclass overrides this; reaching the base
  // implementation is a bug. (The parameter is spelled |push_sized| here but
  // |push_size| at the call site in Push.)
  static uint32_t PushImpl(Handle<JSArray> receiver, Arguments* args,
                           uint32_t push_sized) {
    UNREACHABLE();
  }

  // Virtual entry point; returns the new length reported by UnshiftImpl.
  uint32_t Unshift(Handle<JSArray> receiver, Arguments* args,
                   uint32_t unshift_size) final {
    const uint32_t new_length =
        Subclass::UnshiftImpl(receiver, args, unshift_size);
    return new_length;
  }

  // Default implementation: kinds that support unshift must override this;
  // reaching it is a programming error.
  static uint32_t UnshiftImpl(Handle<JSArray> receiver, Arguments* args,
                              uint32_t unshift_size) {
    UNREACHABLE();
  }

  // Virtual entry point; returns the sliced object produced by SliceImpl.
  Handle<JSObject> Slice(Handle<JSObject> receiver, uint32_t start,
                         uint32_t end) final {
    Handle<JSObject> result = Subclass::SliceImpl(receiver, start, end);
    return result;
  }

  // Default implementation: kinds that support slice must override this;
  // reaching it is a programming error.
  static Handle<JSObject> SliceImpl(Handle<JSObject> receiver, uint32_t start,
                                    uint32_t end) {
    UNREACHABLE();
  }

  // Virtual entry point; returns the popped element from PopImpl.
  Handle<Object> Pop(Handle<JSArray> receiver) final {
    Handle<Object> popped = Subclass::PopImpl(receiver);
    return popped;
  }

  // Default implementation: kinds that support pop must override this;
  // reaching it is a programming error.
  static Handle<Object> PopImpl(Handle<JSArray> receiver) {
    UNREACHABLE();
  }

  // Virtual entry point; returns the shifted-off element from ShiftImpl.
  Handle<Object> Shift(Handle<JSArray> receiver) final {
    Handle<Object> shifted = Subclass::ShiftImpl(receiver);
    return shifted;
  }

  // Default implementation: kinds that support shift must override this;
  // reaching it is a programming error.
  static Handle<Object> ShiftImpl(Handle<JSArray> receiver) {
    UNREACHABLE();
  }

  // Virtual entry point; snapshots the current backing store in a handle and
  // forwards to the kind-specific SetLengthImpl.
  void SetLength(Handle<JSArray> array, uint32_t length) final {
    Isolate* isolate = array->GetIsolate();
    Handle<FixedArrayBase> backing_store(array->elements(), isolate);
    Subclass::SetLengthImpl(isolate, array, length, backing_store);
  }

  // Sets |array|'s length to |length| for fast (non-dictionary) kinds,
  // transitioning to a holey kind when growing and trimming, hole-filling or
  // growing the backing store as required. Callers must already have ruled
  // out normalization (see the DCHECKs below).
  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
                            uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    DCHECK(!array->SetLengthWouldNormalize(length));
    DCHECK(IsFastElementsKind(array->GetElementsKind()));
    uint32_t old_length = 0;
    CHECK(array->length()->ToArrayIndex(&old_length));

    if (old_length < length) {
      // Growing past the current length introduces holes, so a packed kind
      // has to transition to its holey counterpart first.
      ElementsKind kind = array->GetElementsKind();
      if (!IsHoleyElementsKind(kind)) {
        kind = GetHoleyElementsKind(kind);
        JSObject::TransitionElementsKind(array, kind);
      }
    }

    // Check whether the backing store should be shrunk.
    uint32_t capacity = backing_store->length();
    // Clamp so that the hole-filling ranges below never extend past the
    // backing store.
    old_length = Min(old_length, capacity);
    if (length == 0) {
      array->initialize_elements();
    } else if (length <= capacity) {
      if (IsSmiOrObjectElementsKind(kind())) {
        // A shared (copy-on-write) store must be unshared before mutation;
        // this may replace array->elements(), so the handle is refreshed.
        JSObject::EnsureWritableFastElements(array);
        if (array->elements() != *backing_store) {
          backing_store = handle(array->elements(), isolate);
        }
      }
      if (2 * length + JSObject::kMinAddedElementsCapacity <= capacity) {
        // If more than half the elements won't be used, trim the array.
        // Do not trim from short arrays to prevent frequent trimming on
        // repeated pop operations.
        // Leave some space to allow for subsequent push operations.
        int elements_to_trim = length + 1 == old_length
                                   ? (capacity - length) / 2
                                   : capacity - length;
        isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim);
        // Fill the non-trimmed elements with holes.
        BackingStore::cast(*backing_store)
            ->FillWithHoles(length,
                            std::min(old_length, capacity - elements_to_trim));
      } else {
        // Otherwise, fill the unused tail with holes.
        BackingStore::cast(*backing_store)->FillWithHoles(length, old_length);
      }
    } else {
      // Check whether the backing store should be expanded.
      capacity = Max(length, JSObject::NewElementsCapacity(capacity));
      Subclass::GrowCapacityAndConvertImpl(array, capacity);
    }

    // The length field is updated last, after the store matches it.
    array->set_length(Smi::FromInt(length));
    JSObject::ValidateElements(*array);
  }

  // Virtual entry point; counts elements of the receiver's current store.
  uint32_t NumberOfElements(JSObject receiver) final {
    FixedArrayBase backing_store = receiver->elements();
    return Subclass::NumberOfElementsImpl(receiver, backing_store);
  }

  // Default implementation: concrete kinds provide the count; reaching it
  // is a programming error.
  static uint32_t NumberOfElementsImpl(JSObject receiver,
                                       FixedArrayBase backing_store) {
    UNREACHABLE();
  }

  // Upper bound (exclusive) on element indices: the JSArray length when the
  // receiver is an array, otherwise the capacity of |elements|.
  static uint32_t GetMaxIndex(JSObject receiver, FixedArrayBase elements) {
    if (!receiver->IsJSArray()) {
      return Subclass::GetCapacityImpl(receiver, elements);
    }
    Object length = JSArray::cast(receiver)->length();
    // Fast kinds keep the length as a Smi, so the conversion is exact.
    DCHECK(length->IsSmi());
    return static_cast<uint32_t>(Smi::ToInt(length));
  }

  // For fast kinds the number of entries is bounded by the max index.
  static uint32_t GetMaxNumberOfEntries(JSObject receiver,
                                        FixedArrayBase elements) {
    const uint32_t max_index = Subclass::GetMaxIndex(receiver, elements);
    return max_index;
  }

  // Convenience overload: copy everything from the start of |old_elements|
  // and hole-initialize the remainder of the new store.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity) {
    const uint32_t src_index = 0;
    const uint32_t dst_index = 0;
    return ConvertElementsWithCapacity(
        object, old_elements, from_kind, capacity, src_index, dst_index,
        ElementsAccessor::kCopyToEndAndInitializeToHole);
  }

  // Convenience overload: copy |copy_size| elements from index 0 to index 0.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity, int copy_size) {
    const uint32_t src_index = 0;
    const uint32_t dst_index = 0;
    return ConvertElementsWithCapacity(object, old_elements, from_kind,
                                       capacity, src_index, dst_index,
                                       copy_size);
  }

  // Allocates a new backing store of |capacity| in this accessor's kind and
  // copies |copy_size| elements from |old_elements| (of |from_kind|) into it,
  // starting at |src_index| / |dst_index|. Returns the new store; the caller
  // installs it on |object|.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity, uint32_t src_index,
      uint32_t dst_index, int copy_size) {
    Isolate* isolate = object->GetIsolate();
    Factory* factory = isolate->factory();
    Handle<FixedArrayBase> new_elements;
    if (IsDoubleElementsKind(kind())) {
      new_elements = factory->NewFixedDoubleArray(capacity);
    } else {
      // Uninitialized: CopyElementsImpl is responsible for every slot.
      new_elements = factory->NewUninitializedFixedArray(capacity);
    }

    // A packed JSArray has exactly |length| live elements; passing that on
    // lets the copy skip hole handling.
    int packed_size = kPackedSizeNotKnown;
    const bool source_is_packed_array =
        IsFastPackedElementsKind(from_kind) && object->IsJSArray();
    if (source_is_packed_array) {
      packed_size = Smi::ToInt(JSArray::cast(*object)->length());
    }

    Subclass::CopyElementsImpl(isolate, *old_elements, src_index, *new_elements,
                               from_kind, dst_index, packed_size, copy_size);

    return new_elements;
  }

  // Transitions |object| to |to_map|'s elements kind. Holeyness is sticky:
  // a holey source forces the holey variant of the target kind. Only a map
  // change is needed unless the representation switches between double and
  // tagged, in which case the store is converted first.
  static void TransitionElementsKindImpl(Handle<JSObject> object,
                                         Handle<Map> to_map) {
    Isolate* isolate = object->GetIsolate();
    Handle<Map> from_map = handle(object->map(), isolate);
    const ElementsKind from_kind = from_map->elements_kind();
    ElementsKind to_kind = to_map->elements_kind();
    if (IsHoleyElementsKind(from_kind)) {
      to_kind = GetHoleyElementsKind(to_kind);
    }
    if (from_kind == to_kind) return;

    // This method should never be called for any other case.
    DCHECK(IsFastElementsKind(from_kind));
    DCHECK(IsFastElementsKind(to_kind));
    DCHECK_NE(TERMINAL_FAST_ELEMENTS_KIND, from_kind);

    Handle<FixedArrayBase> from_elements(object->elements(), isolate);
    const bool store_is_empty =
        object->elements() == object->GetReadOnlyRoots().empty_fixed_array();
    const bool same_representation =
        IsDoubleElementsKind(from_kind) == IsDoubleElementsKind(to_kind);
    if (store_is_empty || same_representation) {
      // No change is needed to the elements() buffer, the transition
      // only requires a map change.
      JSObject::MigrateToMap(object, to_map);
    } else {
      DCHECK((IsSmiElementsKind(from_kind) && IsDoubleElementsKind(to_kind)) ||
             (IsDoubleElementsKind(from_kind) && IsObjectElementsKind(to_kind)));
      const uint32_t capacity =
          static_cast<uint32_t>(object->elements()->length());
      Handle<FixedArrayBase> elements = ConvertElementsWithCapacity(
          object, from_elements, from_kind, capacity);
      JSObject::SetMapAndElements(object, to_map, elements);
    }
    if (FLAG_trace_elements_transitions) {
      JSObject::PrintElementsTransition(stdout, object, from_kind,
                                        from_elements, to_kind,
                                        handle(object->elements(), isolate));
    }
  }

  // Grows |object|'s backing store to |capacity| and converts it to this
  // accessor's kind. Must only be called when the store actually needs to
  // change (see the DCHECK).
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    Isolate* isolate = object->GetIsolate();
    const ElementsKind from_kind = object->GetElementsKind();
    if (IsSmiOrObjectElementsKind(from_kind)) {
      // Array optimizations rely on the prototype lookups of Array objects
      // always returning undefined. If there is a store to the initial
      // prototype object, make sure all of these optimizations are invalidated.
      isolate->UpdateNoElementsProtectorOnSetLength(object);
    }
    Handle<FixedArrayBase> old_elements(object->elements(), isolate);
    // This method should only be called if there's a reason to update the
    // elements.
    const uint32_t old_capacity =
        static_cast<uint32_t>(old_elements->length());
    DCHECK(IsDoubleElementsKind(from_kind) != IsDoubleElementsKind(kind()) ||
           IsDictionaryElementsKind(from_kind) || old_capacity < capacity);
    Subclass::BasicGrowCapacityAndConvertImpl(object, old_elements, from_kind,
                                              kind(), capacity);
  }

  // Allocates a |capacity|-sized store in |to_kind| (made holey if the source
  // was), copies |old_elements| into it and installs it together with the
  // matching transition map. Allocation-site feedback is updated as well.
  static void BasicGrowCapacityAndConvertImpl(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, ElementsKind to_kind, uint32_t capacity) {
    Handle<FixedArrayBase> elements =
        ConvertElementsWithCapacity(object, old_elements, from_kind, capacity);

    const ElementsKind target_kind = IsHoleyElementsKind(from_kind)
                                         ? GetHoleyElementsKind(to_kind)
                                         : to_kind;
    Handle<Map> new_map =
        JSObject::GetElementsTransitionMap(object, target_kind);
    JSObject::SetMapAndElements(object, new_map, elements);

    // Transition through the allocation site as well if present.
    JSObject::UpdateAllocationSite(object, target_kind);

    if (FLAG_trace_elements_transitions) {
      JSObject::PrintElementsTransition(stdout, object, from_kind, old_elements,
                                        target_kind, elements);
    }
  }

  // Virtual entry point; forwards to the kind-specific transition logic.
  void TransitionElementsKind(Handle<JSObject> object, Handle<Map> map) final {
    Subclass::TransitionElementsKindImpl(object, map);
  }

  // Virtual entry point; forwards to GrowCapacityAndConvertImpl.
  void GrowCapacityAndConvert(Handle<JSObject> object,
                              uint32_t capacity) final {
    Subclass::GrowCapacityAndConvertImpl(object, capacity);
  }

  // Grows the store so that |index| fits, without changing the elements
  // kind. Returns false (and leaves the object untouched) whenever the grow
  // would require work that optimized code cannot tolerate.
  bool GrowCapacity(Handle<JSObject> object, uint32_t index) final {
    // This function is intended to be called from optimized code. We don't
    // want to trigger lazy deopts there, so refuse to handle cases that would.
    const bool would_deopt = object->map()->is_prototype_map() ||
                             object->WouldConvertToSlowElements(index);
    if (would_deopt) return false;

    Isolate* isolate = object->GetIsolate();
    Handle<FixedArrayBase> old_elements(object->elements(), isolate);
    const uint32_t new_capacity = JSObject::NewElementsCapacity(index + 1);
    DCHECK(static_cast<uint32_t>(old_elements->length()) < new_capacity);
    Handle<FixedArrayBase> elements =
        ConvertElementsWithCapacity(object, old_elements, kind(), new_capacity);

    DCHECK_EQ(object->GetElementsKind(), kind());
    // Transition through the allocation site as well if present. In
    // check-only mode a site that would need updating makes us bail out
    // before the new store is installed.
    const bool site_needs_update =
        JSObject::UpdateAllocationSite<AllocationSiteUpdateMode::kCheckOnly>(
            object, kind());
    if (site_needs_update) return false;

    object->set_elements(*elements);
    return true;
  }

  // Virtual entry point; forwards to the kind-specific DeleteImpl.
  void Delete(Handle<JSObject> obj, uint32_t entry) final {
    Subclass::DeleteImpl(obj, entry);
  }

  // Default implementation: every concrete kind provides its own copy
  // routine; reaching it is a programming error. Takes raw (unhandlified)
  // arrays by design; see the note in CopyElements().
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
    UNREACHABLE();
  }

  // Copies |copy_size| elements (or to the end when negative) from
  // |from_holder|'s store into |to|, starting at |from_start| / |to_start|.
  void CopyElements(JSObject from_holder, uint32_t from_start,
                    ElementsKind from_kind, Handle<FixedArrayBase> to,
                    uint32_t to_start, int copy_size) final {
    // For a packed JSArray the live prefix is exactly the array length, capped
    // by copy_size when a bounded copy was requested.
    int packed_size = kPackedSizeNotKnown;
    const bool is_packed =
        IsFastPackedElementsKind(from_kind) && from_holder->IsJSArray();
    if (is_packed) {
      packed_size = Smi::ToInt(JSArray::cast(from_holder)->length());
      if (copy_size >= 0) packed_size = std::min(packed_size, copy_size);
    }
    FixedArrayBase from = from_holder->elements();
    // NOTE: the Subclass::CopyElementsImpl() methods
    // violate the handlified function signature convention:
    // raw pointer parameters in the function that allocates. This is done
    // intentionally to avoid ArrayConcat() builtin performance degradation.
    //
    // Details: The idea is that allocations actually happen only in case of
    // copying from object with fast double elements to object with object
    // elements. In all the other cases there are no allocations performed and
    // handle creation causes noticeable performance degradation of the builtin.
    Isolate* isolate = from_holder->GetIsolate();
    Subclass::CopyElementsImpl(isolate, from, from_start, *to, from_kind,
                               to_start, packed_size, copy_size);
  }

  // Copies the first |size| elements of |source| (of |source_kind|) into
  // |destination| starting at index 0; packedness is not assumed.
  void CopyElements(Isolate* isolate, Handle<FixedArrayBase> source,
                    ElementsKind source_kind,
                    Handle<FixedArrayBase> destination, int size) override {
    const uint32_t source_start = 0;
    const uint32_t destination_start = 0;
    Subclass::CopyElementsImpl(isolate, *source, source_start, *destination,
                               source_kind, destination_start,
                               kPackedSizeNotKnown, size);
  }

  // Virtual entry point for typed-array slicing; forwards to the Impl.
  void CopyTypedArrayElementsSlice(JSTypedArray source,
                                   JSTypedArray destination, size_t start,
                                   size_t end) override {
    Subclass::CopyTypedArrayElementsSliceImpl(source, destination, start, end);
  }

  // Default implementation: only typed-array accessors support slicing;
  // reaching it is a programming error.
  static void CopyTypedArrayElementsSliceImpl(JSTypedArray source,
                                              JSTypedArray destination,
                                              size_t start, size_t end) {
    UNREACHABLE();
  }

  // Virtual entry point for the handlified copy; returns whatever the
  // kind-specific CopyElementsHandleImpl reports.
  Object CopyElements(Handle<Object> source, Handle<JSObject> destination,
                      size_t length, uint32_t offset) final {
    Object result =
        Subclass::CopyElementsHandleImpl(source, destination, length, offset);
    return result;
  }

  // Default implementation: kinds that support the handlified copy override
  // this; reaching it is a programming error.
  static Object CopyElementsHandleImpl(Handle<Object> source,
                                       Handle<JSObject> destination,
                                       size_t length, uint32_t offset) {
    UNREACHABLE();
  }

  // Virtual entry point; snapshots the current store and forwards to
  // NormalizeImpl, which builds the dictionary.
  Handle<NumberDictionary> Normalize(Handle<JSObject> object) final {
    Isolate* isolate = object->GetIsolate();
    Handle<FixedArrayBase> elements(object->elements(), isolate);
    return Subclass::NormalizeImpl(object, elements);
  }

  // Default implementation: kinds that can be normalized to a dictionary
  // override this; reaching it is a programming error.
  static Handle<NumberDictionary> NormalizeImpl(
      Handle<JSObject> object, Handle<FixedArrayBase> elements) {
    UNREACHABLE();
  }

  // Virtual entry point; forwards to CollectValuesOrEntriesImpl and passes
  // its Maybe<bool> result (Nothing on exception) straight through.
  Maybe<bool> CollectValuesOrEntries(Isolate* isolate, Handle<JSObject> object,
                                     Handle<FixedArray> values_or_entries,
                                     bool get_entries, int* nof_items,
                                     PropertyFilter filter) override {
    Maybe<bool> result = Subclass::CollectValuesOrEntriesImpl(
        isolate, object, values_or_entries, get_entries, nof_items, filter);
    return result;
  }

  // Fills |values_or_entries| with the own element values (or [index, value]
  // pairs when |get_entries|) of |object| that pass |filter|, writing the
  // count to |*nof_items|. Returns Nothing<bool>() if a getter throws.
  //
  // Reading an accessor element runs user code, which may change the
  // elements kind under us. The fast loop below therefore stops as soon as
  // the kind differs from the one it started with, and the remaining keys
  // are handled by a generic slow path that re-reads the accessor each time.
  static Maybe<bool> CollectValuesOrEntriesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
      PropertyFilter filter) {
    DCHECK_EQ(*nof_items, 0);
    KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
                               ALL_PROPERTIES);
    Subclass::CollectElementIndicesImpl(
        object, handle(object->elements(), isolate), &accumulator);
    Handle<FixedArray> keys = accumulator.GetKeys();

    int count = 0;
    int i = 0;
    ElementsKind original_elements_kind = object->GetElementsKind();

    // Fast path: valid only while the elements kind is unchanged, since the
    // Subclass accessors assume the original layout.
    for (; i < keys->length(); ++i) {
      Handle<Object> key(keys->get(i), isolate);
      uint32_t index;
      if (!key->ToUint32(&index)) continue;

      DCHECK_EQ(object->GetElementsKind(), original_elements_kind);
      uint32_t entry = Subclass::GetEntryForIndexImpl(
          isolate, *object, object->elements(), index, filter);
      if (entry == kMaxUInt32) continue;
      PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);

      Handle<Object> value;
      if (details.kind() == kData) {
        value = Subclass::GetImpl(isolate, object->elements(), entry);
      } else {
        // This might modify the elements and/or change the elements kind.
        LookupIterator it(isolate, object, index, LookupIterator::OWN);
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(
            isolate, value, Object::GetProperty(&it), Nothing<bool>());
      }
      if (get_entries) value = MakeEntryPair(isolate, index, value);
      values_or_entries->set(count++, *value);
      // Leave |i| pointing at the next key so the slow path resumes there.
      if (object->GetElementsKind() != original_elements_kind) break;
    }

    // Slow path caused by changes in elements kind during iteration.
    for (; i < keys->length(); i++) {
      Handle<Object> key(keys->get(i), isolate);
      uint32_t index;
      if (!key->ToUint32(&index)) continue;

      if (filter & ONLY_ENUMERABLE) {
        // Look up through the object's *current* accessor, not Subclass.
        InternalElementsAccessor* accessor =
            reinterpret_cast<InternalElementsAccessor*>(
                object->GetElementsAccessor());
        uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
                                                    object->elements(), index);
        if (entry == kMaxUInt32) continue;
        PropertyDetails details = accessor->GetDetails(*object, entry);
        if (!details.IsEnumerable()) continue;
      }

      Handle<Object> value;
      LookupIterator it(isolate, object, index, LookupIterator::OWN);
      ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
                                       Nothing<bool>());

      if (get_entries) value = MakeEntryPair(isolate, index, value);
      values_or_entries->set(count++, *value);
    }

    *nof_items = count;
    return Just(true);
  }

  // Virtual entry point. ONLY_ALL_CAN_READ can never match a fast element,
  // so that filter short-circuits before any work is done.
  void CollectElementIndices(Handle<JSObject> object,
                             Handle<FixedArrayBase> backing_store,
                             KeyAccumulator* keys) final {
    const bool only_all_can_read = (keys->filter() & ONLY_ALL_CAN_READ) != 0;
    if (only_all_can_read) return;
    Subclass::CollectElementIndicesImpl(object, backing_store, keys);
  }

  // Adds every index in [0, GetMaxIndex) that holds an element matching the
  // accumulator's filter, as a Number key.
  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
                                        KeyAccumulator* keys) {
    DCHECK_NE(DICTIONARY_ELEMENTS, kind());
    // Non-dictionary elements can't have all-can-read accessors.
    const uint32_t length = Subclass::GetMaxIndex(*object, *backing_store);
    const PropertyFilter filter = keys->filter();
    Isolate* isolate = keys->isolate();
    Factory* factory = isolate->factory();
    for (uint32_t index = 0; index < length; index++) {
      const bool present = Subclass::HasElementImpl(isolate, *object, index,
                                                    *backing_store, filter);
      if (!present) continue;
      keys->AddKey(factory->NewNumberFromUint(index));
    }
  }

  // Writes the matching element indices of |object| into |list| starting at
  // |insertion_index|, either as Smis or as strings depending on |convert|.
  // Stores the final insertion position in |*nof_indices| and returns |list|.
  static Handle<FixedArray> DirectCollectElementIndicesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArrayBase> backing_store, GetKeysConversion convert,
      PropertyFilter filter, Handle<FixedArray> list, uint32_t* nof_indices,
      uint32_t insertion_index = 0) {
    const uint32_t length = Subclass::GetMaxIndex(*object, *backing_store);
    // Only indices below this bound go through the number-to-string cache.
    uint32_t const kMaxStringTableEntries =
        isolate->heap()->MaxNumberToStringCacheSize();
    Factory* factory = isolate->factory();
    const bool to_string = convert == GetKeysConversion::kConvertToString;
    for (uint32_t i = 0; i < length; i++) {
      const bool present = Subclass::HasElementImpl(isolate, *object, i,
                                                    *backing_store, filter);
      if (!present) continue;
      if (to_string) {
        const bool use_cache = i < kMaxStringTableEntries;
        Handle<String> index_string = factory->Uint32ToString(i, use_cache);
        list->set(insertion_index, *index_string);
      } else {
        // Smis are not heap pointers, so no write barrier is needed.
        list->set(insertion_index, Smi::FromInt(i), SKIP_WRITE_BARRIER);
      }
      insertion_index++;
    }
    *nof_indices = insertion_index;
    return list;
  }

  // Virtual entry point; forwards to PrependElementIndicesImpl and passes
  // its MaybeHandle (empty on exception) straight through.
  MaybeHandle<FixedArray> PrependElementIndices(
      Handle<JSObject> object, Handle<FixedArrayBase> backing_store,
      Handle<FixedArray> keys, GetKeysConversion convert,
      PropertyFilter filter) final {
    MaybeHandle<FixedArray> result = Subclass::PrependElementIndicesImpl(
        object, backing_store, keys, convert, filter);
    return result;
  }

  // Builds a key list consisting of |object|'s element indices (sorted when
  // the kind does not already yield them in order) followed by the
  // property |keys|. Returns an empty MaybeHandle after throwing a
  // RangeError if the combined length is not representable.
  static MaybeHandle<FixedArray> PrependElementIndicesImpl(
      Handle<JSObject> object, Handle<FixedArrayBase> backing_store,
      Handle<FixedArray> keys, GetKeysConversion convert,
      PropertyFilter filter) {
    Isolate* isolate = object->GetIsolate();
    uint32_t nof_property_keys = keys->length();
    uint32_t initial_list_length =
        Subclass::GetMaxNumberOfEntries(*object, *backing_store);

    initial_list_length += nof_property_keys;
    // The second test catches uint32 wrap-around of the addition above: a
    // wrapped sum is necessarily smaller than one of its operands.
    if (initial_list_length > FixedArray::kMaxLength ||
        initial_list_length < nof_property_keys) {
      return isolate->Throw<FixedArray>(isolate->factory()->NewRangeError(
          MessageTemplate::kInvalidArrayLength));
    }

    // Collect the element indices into a new list.
    MaybeHandle<FixedArray> raw_array =
        isolate->factory()->TryNewFixedArray(initial_list_length);
    Handle<FixedArray> combined_keys;

    // If we have a holey backing store try to precisely estimate the backing
    // store size as a last emergency measure if we cannot allocate the big
    // array.
    if (!raw_array.ToHandle(&combined_keys)) {
      if (IsHoleyOrDictionaryElementsKind(kind())) {
        // If we overestimate the result list size we might end up in the
        // large-object space which doesn't free memory on shrinking the list.
        // Hence we try to estimate the final size for holey backing stores more
        // precisely here.
        initial_list_length =
            Subclass::NumberOfElementsImpl(*object, *backing_store);
        initial_list_length += nof_property_keys;
      }
      // Unlike TryNewFixedArray this allocation is fatal on failure.
      combined_keys = isolate->factory()->NewFixedArray(initial_list_length);
    }

    uint32_t nof_indices = 0;
    // Dictionary and sloppy-arguments stores do not enumerate in index order.
    bool needs_sorting = IsDictionaryElementsKind(kind()) ||
                         IsSloppyArgumentsElementsKind(kind());
    combined_keys = Subclass::DirectCollectElementIndicesImpl(
        isolate, object, backing_store,
        needs_sorting ? GetKeysConversion::kKeepNumbers : convert, filter,
        combined_keys, &nof_indices);

    if (needs_sorting) {
      SortIndices(isolate, combined_keys, nof_indices);
      // Indices from dictionary elements should only be converted after
      // sorting.
      if (convert == GetKeysConversion::kConvertToString) {
        for (uint32_t i = 0; i < nof_indices; i++) {
          Handle<Object> index_string = isolate->factory()->Uint32ToString(
              combined_keys->get(i)->Number());
          combined_keys->set(i, *index_string);
        }
      }
    }

    // Copy over the passed-in property keys.
    CopyObjectToObjectElements(isolate, *keys, PACKED_ELEMENTS, 0,
                               *combined_keys, PACKED_ELEMENTS, nof_indices,
                               nof_property_keys);

    // For holey elements and arguments we might have to shrink the collected
    // keys since the estimates might be off.
    if (IsHoleyOrDictionaryElementsKind(kind()) ||
        IsSloppyArgumentsElementsKind(kind())) {
      // Shrink combined_keys to the final size.
      int final_size = nof_indices + nof_property_keys;
      DCHECK_LE(final_size, combined_keys->length());
      return FixedArray::ShrinkOrEmpty(isolate, combined_keys, final_size);
    }

    return combined_keys;
  }

  // Virtual entry point; forwards to the kind-specific Impl.
  void AddElementsToKeyAccumulator(Handle<JSObject> receiver,
                                   KeyAccumulator* accumulator,
                                   AddKeyConversion convert) final {
    Subclass::AddElementsToKeyAccumulatorImpl(receiver, accumulator, convert);
  }

  // Default capacity: the raw length of the backing store.
  static uint32_t GetCapacityImpl(JSObject holder,
                                  FixedArrayBase backing_store) {
    const uint32_t capacity = backing_store->length();
    return capacity;
  }

  // Virtual entry point; forwards to the kind-specific GetCapacityImpl.
  uint32_t GetCapacity(JSObject holder, FixedArrayBase backing_store) final {
    const uint32_t capacity = Subclass::GetCapacityImpl(holder, backing_store);
    return capacity;
  }

  // Default implementation: kinds that support Array.prototype.fill override
  // this; reaching it is a programming error.
  static Object FillImpl(Handle<JSObject> receiver, Handle<Object> obj_value,
                         uint32_t start, uint32_t end) {
    UNREACHABLE();
  }

  // Virtual entry point; returns whatever the kind-specific FillImpl reports.
  Object Fill(Handle<JSObject> receiver, Handle<Object> obj_value,
              uint32_t start, uint32_t end) override {
    Object result = Subclass::FillImpl(receiver, obj_value, start, end);
    return result;
  }

  // Default includes(): the generic slow path, which kinds with a fast
  // representation override.
  static Maybe<bool> IncludesValueImpl(Isolate* isolate,
                                       Handle<JSObject> receiver,
                                       Handle<Object> value,
                                       uint32_t start_from, uint32_t length) {
    Maybe<bool> found =
        IncludesValueSlowPath(isolate, receiver, value, start_from, length);
    return found;
  }

  // Virtual entry point; forwards to the kind-specific IncludesValueImpl.
  Maybe<bool> IncludesValue(Isolate* isolate, Handle<JSObject> receiver,
                            Handle<Object> value, uint32_t start_from,
                            uint32_t length) final {
    Maybe<bool> found = Subclass::IncludesValueImpl(isolate, receiver, value,
                                                    start_from, length);
    return found;
  }

  // Default indexOf(): the generic slow path, which kinds with a fast
  // representation override.
  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> value,
                                         uint32_t start_from, uint32_t length) {
    Maybe<int64_t> position =
        IndexOfValueSlowPath(isolate, receiver, value, start_from, length);
    return position;
  }

  // Virtual entry point; forwards to the kind-specific IndexOfValueImpl.
  Maybe<int64_t> IndexOfValue(Isolate* isolate, Handle<JSObject> receiver,
                              Handle<Object> value, uint32_t start_from,
                              uint32_t length) final {
    Maybe<int64_t> position = Subclass::IndexOfValueImpl(
        isolate, receiver, value, start_from, length);
    return position;
  }

  // Default implementation: kinds that support lastIndexOf override this;
  // reaching it is a programming error.
  static Maybe<int64_t> LastIndexOfValueImpl(Handle<JSObject> receiver,
                                             Handle<Object> value,
                                             uint32_t start_from) {
    UNREACHABLE();
  }

  // Virtual entry point; forwards to the kind-specific LastIndexOfValueImpl.
  Maybe<int64_t> LastIndexOfValue(Handle<JSObject> receiver,
                                  Handle<Object> value,
                                  uint32_t start_from) final {
    Maybe<int64_t> position =
        Subclass::LastIndexOfValueImpl(receiver, value, start_from);
    return position;
  }

  // Default implementation: kinds that support in-place reverse override
  // this; reaching it is a programming error.
  static void ReverseImpl(JSObject receiver) { UNREACHABLE(); }

  // Virtual entry point; forwards to the kind-specific ReverseImpl.
  void Reverse(JSObject receiver) final {
    Subclass::ReverseImpl(receiver);
  }

  // For fast kinds an entry is the index itself (identity mapping).
  static uint32_t GetIndexForEntryImpl(FixedArrayBase backing_store,
                                       uint32_t entry) {
    const uint32_t index = entry;
    return index;
  }

  // Maps |index| to an entry for fast kinds: the index itself when it is in
  // range (and, for holey kinds, not a hole), otherwise kMaxUInt32.
  static uint32_t GetEntryForIndexImpl(Isolate* isolate, JSObject holder,
                                       FixedArrayBase backing_store,
                                       uint32_t index, PropertyFilter filter) {
    DCHECK(IsFastElementsKind(kind()));
    const uint32_t length = Subclass::GetMaxIndex(holder, backing_store);
    if (index >= length) return kMaxUInt32;
    if (IsHoleyElementsKind(kind()) &&
        BackingStore::cast(backing_store)->is_the_hole(isolate, index)) {
      return kMaxUInt32;
    }
    return index;
  }

  // Virtual entry point; same as GetEntryForIndexImpl with no filtering.
  uint32_t GetEntryForIndex(Isolate* isolate, JSObject holder,
                            FixedArrayBase backing_store,
                            uint32_t index) final {
    const PropertyFilter filter = ALL_PROPERTIES;
    return Subclass::GetEntryForIndexImpl(isolate, holder, backing_store, index,
                                          filter);
  }

  // Fast elements are always plain, writable, enumerable, configurable data
  // properties; the backing store and entry are not consulted.
  static PropertyDetails GetDetailsImpl(FixedArrayBase backing_store,
                                        uint32_t entry) {
    const PropertyDetails details(kData, NONE, PropertyCellType::kNoCell);
    return details;
  }

  // Holder-based overload with the same constant answer as the backing-store
  // overload: fast elements are plain data properties with no attributes.
  static PropertyDetails GetDetailsImpl(JSObject holder, uint32_t entry) {
    const PropertyDetails details(kData, NONE, PropertyCellType::kNoCell);
    return details;
  }

  // Virtual entry point; forwards to the holder-based GetDetailsImpl.
  PropertyDetails GetDetails(JSObject holder, uint32_t entry) final {
    const PropertyDetails details = Subclass::GetDetailsImpl(holder, entry);
    return details;
  }

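  // Virtual entry point; forwards to the kind-specific Impl. The stray
  // semicolon after the closing brace (an empty member declaration) is gone.
  Handle<FixedArray> CreateListFromArrayLike(Isolate* isolate,
                                             Handle<JSObject> object,
                                             uint32_t length) final {
    return Subclass::CreateListFromArrayLikeImpl(isolate, object, length);
  }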

  // Default implementation: kinds that support CreateListFromArrayLike
  // override this; reaching it is a programming error.
  static Handle<FixedArray> CreateListFromArrayLikeImpl(Isolate* isolate,
                                                        Handle<JSObject> object,
                                                        uint32_t length) {
    UNREACHABLE();
  }

 private:
  DISALLOW_COPY_AND_ASSIGN(ElementsAccessorBase);
};


// Accessor for DICTIONARY_ELEMENTS: the backing store is a NumberDictionary
// keyed by array index. Unlike the fast kinds, entries carry PropertyDetails,
// so attributes (non-configurable, non-writable) and accessor properties can
// live in the elements store. Every routine below that walks the dictionary
// either does so under DisallowHeapAllocation or re-reads the backing store
// after anything that can run user code.
class DictionaryElementsAccessor
    : public ElementsAccessorBase<DictionaryElementsAccessor,
                                  ElementsKindTraits<DICTIONARY_ELEMENTS> > {
 public:
  explicit DictionaryElementsAccessor(const char* name)
      : ElementsAccessorBase<DictionaryElementsAccessor,
                             ElementsKindTraits<DICTIONARY_ELEMENTS> >(name) {}

  static uint32_t GetMaxIndex(JSObject receiver, FixedArrayBase elements) {
    // We cannot properly estimate this for dictionaries.
    UNREACHABLE();
  }

  // Upper bound on the number of entries; for a dictionary this is exactly
  // the element count.
  static uint32_t GetMaxNumberOfEntries(JSObject receiver,
                                        FixedArrayBase backing_store) {
    return NumberOfElementsImpl(receiver, backing_store);
  }

  // Number of live entries as tracked by the dictionary itself.
  static uint32_t NumberOfElementsImpl(JSObject receiver,
                                       FixedArrayBase backing_store) {
    NumberDictionary dict = NumberDictionary::cast(backing_store);
    return dict->NumberOfElements();
  }

  // Sets |array|'s length. When shrinking, entries with index >= length are
  // cleared -- except that a non-configurable element in the removed range
  // stops the truncation just above it (|length| is raised to number + 1), so
  // the stored length never drops below a non-deletable element.
  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
                            uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    Handle<NumberDictionary> dict =
        Handle<NumberDictionary>::cast(backing_store);
    int capacity = dict->Capacity();
    uint32_t old_length = 0;
    CHECK(array->length()->ToArrayLength(&old_length));
    {
      DisallowHeapAllocation no_gc;
      ReadOnlyRoots roots(isolate);
      if (length < old_length) {
        // Only dictionaries flagged requires_slow_elements can hold
        // non-default attributes, so the scan is skipped otherwise.
        if (dict->requires_slow_elements()) {
          // Find last non-deletable element in range of elements to be
          // deleted and adjust range accordingly.
          for (int entry = 0; entry < capacity; entry++) {
            Object index = dict->KeyAt(entry);
            if (dict->IsKey(roots, index)) {
              uint32_t number = static_cast<uint32_t>(index->Number());
              if (length <= number && number < old_length) {
                PropertyDetails details = dict->DetailsAt(entry);
                if (!details.IsConfigurable()) length = number + 1;
              }
            }
          }
        }

        if (length == 0) {
          // Flush the backing store.
          array->initialize_elements();
        } else {
          // Remove elements that should be deleted.
          int removed_entries = 0;
          for (int entry = 0; entry < capacity; entry++) {
            Object index = dict->KeyAt(entry);
            if (dict->IsKey(roots, index)) {
              uint32_t number = static_cast<uint32_t>(index->Number());
              if (length <= number && number < old_length) {
                dict->ClearEntry(isolate, entry);
                removed_entries++;
              }
            }
          }

          if (removed_entries > 0) {
            // Update the number of elements.
            dict->ElementsRemoved(removed_entries);
          }
        }
      }
    }

    // Allocation happens only after the no_gc scope above has ended.
    Handle<Object> length_obj = isolate->factory()->NewNumberFromUint(length);
    array->set_length(*length_obj);
  }

  // Bulk element copy is never used for dictionaries.
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
    UNREACHABLE();
  }

  // Builds a new dictionary-mode array holding the entries of |receiver|
  // whose index lies in [start, end), re-keyed relative to |start|. Property
  // attributes of each entry are carried over via AddImpl.
  static Handle<JSObject> SliceImpl(Handle<JSObject> receiver, uint32_t start,
                                    uint32_t end) {
    Isolate* isolate = receiver->GetIsolate();
    // Guard against an inverted range instead of wrapping the subtraction.
    uint32_t result_length = end < start ? 0u : end - start;

    // Result must also be a dictionary.
    Handle<JSArray> result_array =
        isolate->factory()->NewJSArray(0, HOLEY_ELEMENTS);
    JSObject::NormalizeElements(result_array);
    // NOTE(review): result_length is a uint32_t passed to Smi::FromInt;
    // callers presumably keep it within Smi range -- confirm.
    result_array->set_length(Smi::FromInt(result_length));
    Handle<NumberDictionary> source_dict(
        NumberDictionary::cast(receiver->elements()), isolate);
    int entry_count = source_dict->Capacity();
    ReadOnlyRoots roots(isolate);
    for (int i = 0; i < entry_count; i++) {
      Object key = source_dict->KeyAt(i);
      if (!source_dict->ToKey(roots, i, &key)) continue;
      uint64_t key_value = NumberToInt64(key);
      if (key_value >= start && key_value < end) {
        // NOTE(review): dest_dict is never read; AddImpl re-derives the
        // dictionary from result_array itself.
        Handle<NumberDictionary> dest_dict(
            NumberDictionary::cast(result_array->elements()), isolate);
        Handle<Object> value(source_dict->ValueAt(i), isolate);
        PropertyDetails details = source_dict->DetailsAt(i);
        PropertyAttributes attr = details.attributes();
        AddImpl(result_array, static_cast<uint32_t>(key_value) - start, value,
                attr, 0);
      }
    }

    return result_array;
  }

  // Removes dictionary entry |entry|; DeleteEntry may return a different
  // (shrunk) dictionary, which is installed on the object.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    Handle<NumberDictionary> dict(NumberDictionary::cast(obj->elements()),
                                  obj->GetIsolate());
    dict = NumberDictionary::DeleteEntry(obj->GetIsolate(), dict, entry);
    obj->set_elements(*dict);
  }

  // True if any live entry is an accessor property. Dictionaries without the
  // requires_slow_elements flag are answered without a scan.
  static bool HasAccessorsImpl(JSObject holder, FixedArrayBase backing_store) {
    DisallowHeapAllocation no_gc;
    NumberDictionary dict = NumberDictionary::cast(backing_store);
    if (!dict->requires_slow_elements()) return false;
    int capacity = dict->Capacity();
    ReadOnlyRoots roots = holder->GetReadOnlyRoots();
    for (int i = 0; i < capacity; i++) {
      Object key = dict->KeyAt(i);
      if (!dict->IsKey(roots, key)) continue;
      PropertyDetails details = dict->DetailsAt(i);
      if (details.kind() == kAccessor) return true;
    }
    return false;
  }

  // Raw (unhandled) value stored at dictionary entry |entry|.
  static Object GetRaw(FixedArrayBase store, uint32_t entry) {
    NumberDictionary backing_store = NumberDictionary::cast(store);
    return backing_store->ValueAt(entry);
  }

  // Handle-wrapped variant of GetRaw.
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase backing_store,
                                uint32_t entry) {
    return handle(GetRaw(backing_store, entry), isolate);
  }

  // Stores |value| at entry |entry| of the holder's current elements.
  static inline void SetImpl(Handle<JSObject> holder, uint32_t entry,
                             Object value) {
    SetImpl(holder->elements(), entry, value);
  }

  // Stores |value| at entry |entry|; details are left untouched.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value) {
    NumberDictionary::cast(backing_store)->ValueAtPut(entry, value);
  }

  // Rewrites entry |entry| as a data property with |value| and |attributes|,
  // keeping its dictionary_index. Any non-default attribute forces the
  // object into requires_slow_elements mode first.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    NumberDictionary dictionary = NumberDictionary::cast(*store);
    if (attributes != NONE) object->RequireSlowElements(dictionary);
    dictionary->ValueAtPut(entry, *value);
    PropertyDetails details = dictionary->DetailsAt(entry);
    details = PropertyDetails(kData, attributes, PropertyCellType::kNoCell,
                              details.dictionary_index());

    dictionary->DetailsAtPut(object->GetIsolate(), entry, details);
  }

  // Adds a data element at |index|. Fast or fast-string-wrapper elements are
  // normalized to a dictionary first; the dictionary's max-key bookkeeping is
  // updated and non-default attributes switch the object to slow elements.
  // |new_capacity| is unused: NumberDictionary::Add grows as needed.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    PropertyDetails details(kData, attributes, PropertyCellType::kNoCell);
    Handle<NumberDictionary> dictionary =
        object->HasFastElements() || object->HasFastStringWrapperElements()
            ? JSObject::NormalizeElements(object)
            : handle(NumberDictionary::cast(object->elements()),
                     object->GetIsolate());
    Handle<NumberDictionary> new_dictionary = NumberDictionary::Add(
        object->GetIsolate(), dictionary, index, value, details);
    new_dictionary->UpdateMaxNumberKey(index, object);
    if (attributes != NONE) object->RequireSlowElements(*new_dictionary);
    // Add may have returned the same table; only re-install it if it grew.
    if (dictionary.is_identical_to(new_dictionary)) return;
    object->set_elements(*new_dictionary);
  }

  // An entry is present unless its key slot holds the hole marker.
  static bool HasEntryImpl(Isolate* isolate, FixedArrayBase store,
                           uint32_t entry) {
    DisallowHeapAllocation no_gc;
    NumberDictionary dict = NumberDictionary::cast(store);
    Object index = dict->KeyAt(entry);
    return !index->IsTheHole(isolate);
  }

  // Maps a dictionary entry back to its array index. The key must be a valid
  // array index; this is enforced with CHECK, i.e. in release builds too.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase store, uint32_t entry) {
    DisallowHeapAllocation no_gc;
    NumberDictionary dict = NumberDictionary::cast(store);
    uint32_t result = 0;
    CHECK(dict->KeyAt(entry)->ToArrayIndex(&result));
    return result;
  }

  // Looks up |index| and returns its entry, or kMaxUInt32 when absent or when
  // its attributes intersect |filter|.
  static uint32_t GetEntryForIndexImpl(Isolate* isolate, JSObject holder,
                                       FixedArrayBase store, uint32_t index,
                                       PropertyFilter filter) {
    DisallowHeapAllocation no_gc;
    NumberDictionary dictionary = NumberDictionary::cast(store);
    int entry = dictionary->FindEntry(isolate, index);
    if (entry == NumberDictionary::kNotFound) return kMaxUInt32;
    if (filter != ALL_PROPERTIES) {
      PropertyDetails details = dictionary->DetailsAt(entry);
      PropertyAttributes attr = details.attributes();
      if ((attr & filter) != 0) return kMaxUInt32;
    }
    return static_cast<uint32_t>(entry);
  }

  static PropertyDetails GetDetailsImpl(JSObject holder, uint32_t entry) {
    return GetDetailsImpl(holder->elements(), entry);
  }

  // Per-entry details are stored in the dictionary itself.
  static PropertyDetails GetDetailsImpl(FixedArrayBase backing_store,
                                        uint32_t entry) {
    return NumberDictionary::cast(backing_store)->DetailsAt(entry);
  }

  // Returns |raw_key| as a uint32_t index, or kMaxUInt32 when the entry's
  // attributes intersect |filter|. |raw_key| must already be a valid key.
  static uint32_t FilterKey(Handle<NumberDictionary> dictionary, int entry,
                            Object raw_key, PropertyFilter filter) {
    DCHECK(raw_key->IsNumber());
    DCHECK_LE(raw_key->Number(), kMaxUInt32);
    PropertyDetails details = dictionary->DetailsAt(entry);
    PropertyAttributes attr = details.attributes();
    if ((attr & filter) != 0) return kMaxUInt32;
    return static_cast<uint32_t>(raw_key->Number());
  }

  // Key for entry |entry| after filtering; kMaxUInt32 for empty/deleted
  // slots and for entries rejected by |filter|.
  static uint32_t GetKeyForEntryImpl(Isolate* isolate,
                                     Handle<NumberDictionary> dictionary,
                                     int entry, PropertyFilter filter) {
    DisallowHeapAllocation no_gc;
    Object raw_key = dictionary->KeyAt(entry);
    if (!dictionary->IsKey(ReadOnlyRoots(isolate), raw_key)) return kMaxUInt32;
    return FilterKey(dictionary, entry, raw_key, filter);
  }

  // Feeds all element keys to |keys| in ascending index order. Keys rejected
  // by the filter are still reported as shadowing keys so that same-named
  // prototype properties are hidden.
  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
                                        KeyAccumulator* keys) {
    if (keys->filter() & SKIP_STRINGS) return;
    Isolate* isolate = keys->isolate();
    Handle<NumberDictionary> dictionary =
        Handle<NumberDictionary>::cast(backing_store);
    int capacity = dictionary->Capacity();
    Handle<FixedArray> elements = isolate->factory()->NewFixedArray(
        GetMaxNumberOfEntries(*object, *backing_store));
    int insertion_index = 0;
    PropertyFilter filter = keys->filter();
    ReadOnlyRoots roots(isolate);
    for (int i = 0; i < capacity; i++) {
      Object raw_key = dictionary->KeyAt(i);
      if (!dictionary->IsKey(roots, raw_key)) continue;
      uint32_t key = FilterKey(dictionary, i, raw_key, filter);
      if (key == kMaxUInt32) {
        keys->AddShadowingKey(raw_key);
        continue;
      }
      elements->set(insertion_index, raw_key);
      insertion_index++;
    }
    // Dictionary order is hash order; indices must be reported sorted.
    SortIndices(isolate, elements, insertion_index);
    for (int i = 0; i < insertion_index; i++) {
      keys->AddKey(elements->get(i));
    }
  }

  // Appends the filtered element indices to |list| starting at
  // |insertion_index| (in dictionary order, unsorted) and reports the final
  // count through |nof_indices|. |convert| is unused here.
  static Handle<FixedArray> DirectCollectElementIndicesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArrayBase> backing_store, GetKeysConversion convert,
      PropertyFilter filter, Handle<FixedArray> list, uint32_t* nof_indices,
      uint32_t insertion_index = 0) {
    if (filter & SKIP_STRINGS) return list;
    if (filter & ONLY_ALL_CAN_READ) return list;

    Handle<NumberDictionary> dictionary =
        Handle<NumberDictionary>::cast(backing_store);
    uint32_t capacity = dictionary->Capacity();
    for (uint32_t i = 0; i < capacity; i++) {
      uint32_t key = GetKeyForEntryImpl(isolate, dictionary, i, filter);
      if (key == kMaxUInt32) continue;
      Handle<Object> index = isolate->factory()->NewNumberFromUint(key);
      list->set(insertion_index, *index);
      insertion_index++;
    }
    *nof_indices = insertion_index;
    return list;
  }

  // Adds every element *value* (not index) to the accumulator. Accessor
  // values are not expected here, as the DCHECKs document.
  static void AddElementsToKeyAccumulatorImpl(Handle<JSObject> receiver,
                                              KeyAccumulator* accumulator,
                                              AddKeyConversion convert) {
    Isolate* isolate = accumulator->isolate();
    Handle<NumberDictionary> dictionary(
        NumberDictionary::cast(receiver->elements()), isolate);
    int capacity = dictionary->Capacity();
    ReadOnlyRoots roots(isolate);
    for (int i = 0; i < capacity; i++) {
      Object k = dictionary->KeyAt(i);
      if (!dictionary->IsKey(roots, k)) continue;
      Object value = dictionary->ValueAt(i);
      DCHECK(!value->IsTheHole(isolate));
      DCHECK(!value->IsAccessorPair());
      DCHECK(!value->IsAccessorInfo());
      accumulator->AddKey(value, convert);
    }
  }

  // Single unordered pass over the dictionary for `includes`. Returns false
  // (and leaves |result| untouched) as soon as an accessor within the range
  // is seen, because getters must then be invoked in index order by the slow
  // path; otherwise sets |result| and returns true. No allocation occurs.
  static bool IncludesValueFastPath(Isolate* isolate, Handle<JSObject> receiver,
                                    Handle<Object> value, uint32_t start_from,
                                    uint32_t length, Maybe<bool>* result) {
    DisallowHeapAllocation no_gc;
    NumberDictionary dictionary = NumberDictionary::cast(receiver->elements());
    int capacity = dictionary->Capacity();
    Object the_hole = ReadOnlyRoots(isolate).the_hole_value();
    Object undefined = ReadOnlyRoots(isolate).undefined_value();

    // Scan for accessor properties. If accessors are present, then elements
    // must be accessed in order via the slow path.
    bool found = false;
    for (int i = 0; i < capacity; ++i) {
      Object k = dictionary->KeyAt(i);
      if (k == the_hole) continue;
      if (k == undefined) continue;

      uint32_t index;
      if (!k->ToArrayIndex(&index) || index < start_from || index >= length) {
        continue;
      }

      if (dictionary->DetailsAt(i).kind() == kAccessor) {
        // Restart from beginning in slow path, otherwise we may observably
        // access getters out of order
        return false;
      } else if (!found) {
        Object element_k = dictionary->ValueAt(i);
        if (value->SameValueZero(element_k)) found = true;
      }
    }

    *result = Just(found);
    return true;
  }

  // Array.prototype.includes over [start_from, length). Searching for
  // undefined also matches holes. Getters may run arbitrary code, so after
  // each accessor call the prototype chain and the receiver's elements are
  // re-checked and the walk bails out or re-reads the dictionary.
  static Maybe<bool> IncludesValueImpl(Isolate* isolate,
                                       Handle<JSObject> receiver,
                                       Handle<Object> value,
                                       uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    bool search_for_hole = value->IsUndefined(isolate);

    if (!search_for_hole) {
      Maybe<bool> result = Nothing<bool>();
      if (DictionaryElementsAccessor::IncludesValueFastPath(
              isolate, receiver, value, start_from, length, &result)) {
        return result;
      }
    }
    ElementsKind original_elements_kind = receiver->GetElementsKind();
    // Keeps the variable referenced when the DCHECK_EQ below compiles out.
    USE(original_elements_kind);
    Handle<NumberDictionary> dictionary(
        NumberDictionary::cast(receiver->elements()), isolate);
    // Iterate through entire range, as accessing elements out of order is
    // observable
    for (uint32_t k = start_from; k < length; ++k) {
      DCHECK_EQ(receiver->GetElementsKind(), original_elements_kind);
      int entry = dictionary->FindEntry(isolate, k);
      if (entry == NumberDictionary::kNotFound) {
        if (search_for_hole) return Just(true);
        continue;
      }

      PropertyDetails details = GetDetailsImpl(*dictionary, entry);
      switch (details.kind()) {
        case kData: {
          Object element_k = dictionary->ValueAt(entry);
          if (value->SameValueZero(element_k)) return Just(true);
          break;
        }
        case kAccessor: {
          LookupIterator it(isolate, receiver, k,
                            LookupIterator::OWN_SKIP_INTERCEPTOR);
          DCHECK(it.IsFound());
          DCHECK_EQ(it.state(), LookupIterator::ACCESSOR);
          Handle<Object> element_k;

          // Runs the getter; a pending exception propagates as Nothing.
          ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, element_k,
                                           Object::GetPropertyWithAccessor(&it),
                                           Nothing<bool>());

          if (value->SameValueZero(*element_k)) return Just(true);

          // Bailout to slow path if elements on prototype changed
          if (!JSObject::PrototypeHasNoElements(isolate, *receiver)) {
            return IncludesValueSlowPath(isolate, receiver, value, k + 1,
                                         length);
          }

          // Continue if elements unchanged
          if (*dictionary == receiver->elements()) continue;

          // Otherwise, bailout or update elements

          // If switched to initial elements, return true if searching for
          // undefined, and false otherwise.
          if (receiver->map()->GetInitialElements() == receiver->elements()) {
            return Just(search_for_hole);
          }

          // If switched to fast elements, continue with the correct accessor.
          if (receiver->GetElementsKind() != DICTIONARY_ELEMENTS) {
            ElementsAccessor* accessor = receiver->GetElementsAccessor();
            return accessor->IncludesValue(isolate, receiver, value, k + 1,
                                           length);
          }
          // Still a dictionary, but a different table: refresh the handle.
          dictionary =
              handle(NumberDictionary::cast(receiver->elements()), isolate);
          break;
        }
      }
    }
    return Just(false);
  }

  // Array.prototype.indexOf over [start_from, length) using strict equality;
  // returns -1 when not found. Same re-validation after getters as
  // IncludesValueImpl, except that a kind change always falls back to the
  // generic slow path.
  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> value,
                                         uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));

    ElementsKind original_elements_kind = receiver->GetElementsKind();
    // Keeps the variable referenced when the DCHECK_EQ below compiles out.
    USE(original_elements_kind);
    Handle<NumberDictionary> dictionary(
        NumberDictionary::cast(receiver->elements()), isolate);
    // Iterate through entire range, as accessing elements out of order is
    // observable.
    for (uint32_t k = start_from; k < length; ++k) {
      DCHECK_EQ(receiver->GetElementsKind(), original_elements_kind);
      int entry = dictionary->FindEntry(isolate, k);
      if (entry == NumberDictionary::kNotFound) continue;

      PropertyDetails details = GetDetailsImpl(*dictionary, entry);
      switch (details.kind()) {
        case kData: {
          Object element_k = dictionary->ValueAt(entry);
          if (value->StrictEquals(element_k)) {
            return Just<int64_t>(k);
          }
          break;
        }
        case kAccessor: {
          LookupIterator it(isolate, receiver, k,
                            LookupIterator::OWN_SKIP_INTERCEPTOR);
          DCHECK(it.IsFound());
          DCHECK_EQ(it.state(), LookupIterator::ACCESSOR);
          Handle<Object> element_k;

          // Runs the getter; a pending exception propagates as Nothing.
          ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, element_k,
                                           Object::GetPropertyWithAccessor(&it),
                                           Nothing<int64_t>());

          if (value->StrictEquals(*element_k)) return Just<int64_t>(k);

          // Bailout to slow path if elements on prototype changed.
          if (!JSObject::PrototypeHasNoElements(isolate, *receiver)) {
            return IndexOfValueSlowPath(isolate, receiver, value, k + 1,
                                        length);
          }

          // Continue if elements unchanged.
          if (*dictionary == receiver->elements()) continue;

          // Otherwise, bailout or update elements.
          if (receiver->GetElementsKind() != DICTIONARY_ELEMENTS) {
            // Otherwise, switch to slow path.
            return IndexOfValueSlowPath(isolate, receiver, value, k + 1,
                                        length);
          }
          // Still a dictionary, but a different table: refresh the handle.
          dictionary =
              handle(NumberDictionary::cast(receiver->elements()), isolate);
          break;
        }
      }
    }
    return Just<int64_t>(-1);
  }

  // Debug-only consistency check of the dictionary's requires_slow_elements
  // flag and max_number_key against its actual keys. The slow part runs only
  // with --enable-slow-asserts; |length| is unused for dictionaries.
  static void ValidateContents(JSObject holder, int length) {
    DisallowHeapAllocation no_gc;
#if DEBUG
    DCHECK_EQ(holder->map()->elements_kind(), DICTIONARY_ELEMENTS);
    if (!FLAG_enable_slow_asserts) return;
    ReadOnlyRoots roots = holder->GetReadOnlyRoots();
    NumberDictionary dictionary = NumberDictionary::cast(holder->elements());
    // Validate the requires_slow_elements and max_number_key values.
    int capacity = dictionary->Capacity();
    bool requires_slow_elements = false;
    int max_key = 0;
    for (int i = 0; i < capacity; ++i) {
      Object k;
      if (!dictionary->ToKey(roots, i, &k)) continue;
      DCHECK_LE(0.0, k->Number());
      if (k->Number() > NumberDictionary::kRequiresSlowElementsLimit) {
        requires_slow_elements = true;
      } else {
        max_key = Max(max_key, Smi::ToInt(k));
      }
    }
    if (requires_slow_elements) {
      DCHECK(dictionary->requires_slow_elements());
    } else if (!dictionary->requires_slow_elements()) {
      DCHECK_LE(max_key, dictionary->max_number_key());
    }
#endif
  }
};


// Base class shared by all fast-elements accessors.
template <typename Subclass, typename KindTraits>
class FastElementsAccessor : public ElementsAccessorBase<Subclass, KindTraits> {
 public:
  // Forwards the accessor name to ElementsAccessorBase; nothing else is set up.
  explicit FastElementsAccessor(const char* name)
      : ElementsAccessorBase<Subclass, KindTraits>(name) {}
1927

1928
  typedef typename KindTraits::BackingStore BackingStore;
1929

1930 1931
  // Converts the fast backing store |store| of |object| into a fresh
  // NumberDictionary holding every non-hole element under its index, with
  // empty (default) details. The dictionary is returned, not installed.
  static Handle<NumberDictionary> NormalizeImpl(Handle<JSObject> object,
                                                Handle<FixedArrayBase> store) {
    Isolate* isolate = object->GetIsolate();
    ElementsKind kind = Subclass::kind();

    // Ensure that notifications fire if the array or object prototypes are
    // normalizing.
    if (IsSmiOrObjectElementsKind(kind) ||
        kind == FAST_STRING_WRAPPER_ELEMENTS) {
      isolate->UpdateNoElementsProtectorOnNormalizeElements(object);
    }

    // Sized by the number of used slots, not the store's length.
    int capacity = object->GetFastElementsUsage();
    Handle<NumberDictionary> dictionary =
        NumberDictionary::New(isolate, capacity);

    PropertyDetails details = PropertyDetails::Empty();
    int j = 0;
    int max_number_key = -1;
    // The loop is bounded by the count of copied elements (j), not by the
    // store length; it relies on GetFastElementsUsage matching the number of
    // non-hole slots so that i stays within the store -- presumably an
    // invariant of the fast kinds, verify if touching this.
    for (int i = 0; j < capacity; i++) {
      if (IsHoleyElementsKind(kind)) {
        if (BackingStore::cast(*store)->is_the_hole(isolate, i)) continue;
      }
      max_number_key = i;
      Handle<Object> value = Subclass::GetImpl(isolate, *store, i);
      dictionary =
          NumberDictionary::Add(isolate, dictionary, i, value, details);
      j++;
    }

    if (max_number_key > 0) {
      dictionary->UpdateMaxNumberKey(static_cast<uint32_t>(max_number_key),
                                     object);
    }
    return dictionary;
  }

  // Deletes the element at |entry| (the last slot) and, together with it, the
  // run of holes immediately preceding it. If nothing remains the store is
  // replaced by the empty fixed array; otherwise the store is right-trimmed
  // in place to |entry| slots.
  static void DeleteAtEnd(Handle<JSObject> obj,
                          Handle<BackingStore> backing_store, uint32_t entry) {
    uint32_t length = static_cast<uint32_t>(backing_store->length());
    Isolate* isolate = obj->GetIsolate();
    // Walk back over trailing holes; |entry| ends up as the new length.
    for (; entry > 0; entry--) {
      if (!backing_store->is_the_hole(isolate, entry - 1)) break;
    }
    if (entry == 0) {
      FixedArray empty = ReadOnlyRoots(isolate).empty_fixed_array();
      // Dynamically ask for the elements kind here since we manually redirect
      // the operations for argument backing stores.
      if (obj->GetElementsKind() == FAST_SLOPPY_ARGUMENTS_ELEMENTS) {
        SloppyArgumentsElements::cast(obj->elements())->set_arguments(empty);
      } else {
        obj->set_elements(empty);
      }
      return;
    }

    isolate->heap()->RightTrimFixedArray(*backing_store, length - entry);
  }

  // Shared deletion for fast kinds: punches a hole at |entry| and then
  // decides, by a rate-limited sparseness heuristic, whether the object
  // should be normalized to dictionary elements. Non-array objects whose
  // last element is deleted are trimmed via DeleteAtEnd instead.
  static void DeleteCommon(Handle<JSObject> obj, uint32_t entry,
                           Handle<FixedArrayBase> store) {
    DCHECK(obj->HasSmiOrObjectElements() || obj->HasDoubleElements() ||
           obj->HasFastArgumentsElements() ||
           obj->HasFastStringWrapperElements());
    Handle<BackingStore> backing_store = Handle<BackingStore>::cast(store);
    if (!obj->IsJSArray() &&
        entry == static_cast<uint32_t>(store->length()) - 1) {
      DeleteAtEnd(obj, backing_store, entry);
      return;
    }

    Isolate* isolate = obj->GetIsolate();
    backing_store->set_the_hole(isolate, entry);

    // TODO(verwaest): Move this out of elements.cc.
    // If an old space backing store is larger than a certain size and
    // has too few used values, normalize it.
    const int kMinLengthForSparsenessCheck = 64;
    if (backing_store->length() < kMinLengthForSparsenessCheck) return;
    if (Heap::InNewSpace(*backing_store)) return;
    uint32_t length = 0;
    if (obj->IsJSArray()) {
      // Return value ignored: a JSArray's length is expected to always be a
      // valid array length.
      JSArray::cast(*obj)->length()->ToArrayLength(&length);
    } else {
      length = static_cast<uint32_t>(store->length());
    }

    // To avoid doing the check on every delete, use a counter-based heuristic.
    const int kLengthFraction = 16;
    // The above constant must be large enough to ensure that we check for
    // normalization frequently enough. At a minimum, it should be large
    // enough to reliably hit the "window" of remaining elements count where
    // normalization would be beneficial.
    STATIC_ASSERT(kLengthFraction >=
                  NumberDictionary::kEntrySize *
                      NumberDictionary::kPreferFastElementsSizeFactor);
    // The counter is per isolate, so it is shared across all objects.
    size_t current_counter = isolate->elements_deletion_counter();
    if (current_counter < length / kLengthFraction) {
      isolate->set_elements_deletion_counter(current_counter + 1);
      return;
    }
    // Reset the counter whenever the full check is performed.
    isolate->set_elements_deletion_counter(0);

    if (!obj->IsJSArray()) {
      // If everything after |entry| is already a hole, trim instead of
      // normalizing.
      uint32_t i;
      for (i = entry + 1; i < length; i++) {
        if (!backing_store->is_the_hole(isolate, i)) break;
      }
      if (i == length) {
        DeleteAtEnd(obj, backing_store, entry);
        return;
      }
    }
    int num_used = 0;
    for (int i = 0; i < backing_store->length(); ++i) {
      if (!backing_store->is_the_hole(isolate, i)) {
        ++num_used;
        // Bail out if a number dictionary wouldn't be able to save much space.
        if (NumberDictionary::kPreferFastElementsSizeFactor *
                NumberDictionary::ComputeCapacity(num_used) *
                NumberDictionary::kEntrySize >
            static_cast<uint32_t>(backing_store->length())) {
          return;
        }
      }
    }
    JSObject::NormalizeElements(obj);
  }

  // Fast kinds cannot hold attributes, so reconfiguring an element first
  // normalizes the object to a dictionary and then delegates to the
  // dictionary accessor. |entry| arrives as a fast-store index and is
  // re-resolved to a dictionary entry; |store| is not used after
  // normalization.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    Handle<NumberDictionary> dictionary = JSObject::NormalizeElements(object);
    // NOTE(review): FindEntry's int result is stored into a uint32_t with no
    // kNotFound check; presumably the element is guaranteed present after
    // normalization -- confirm against callers.
    entry = dictionary->FindEntry(object->GetIsolate(), entry);
    DictionaryElementsAccessor::ReconfigureImpl(object, dictionary, entry,
                                                value, attributes);
  }

  // Adds a plain data element at |index| (attributes must be NONE). The
  // backing store is grown/converted to |new_capacity| when the current kind
  // is a dictionary, differs from the target in double-ness, or has a
  // different capacity; otherwise only an in-place kind transition and a
  // writability check are performed before the store.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    DCHECK_EQ(NONE, attributes);
    ElementsKind from_kind = object->GetElementsKind();
    ElementsKind to_kind = Subclass::kind();
    if (IsDictionaryElementsKind(from_kind) ||
        IsDoubleElementsKind(from_kind) != IsDoubleElementsKind(to_kind) ||
        Subclass::GetCapacityImpl(*object, object->elements()) !=
            new_capacity) {
      Subclass::GrowCapacityAndConvertImpl(object, new_capacity);
    } else {
      if (IsFastElementsKind(from_kind) && from_kind != to_kind) {
        JSObject::TransitionElementsKind(object, to_kind);
      }
      if (IsSmiOrObjectElementsKind(from_kind)) {
        DCHECK(IsSmiOrObjectElementsKind(to_kind));
        JSObject::EnsureWritableFastElements(object);
      }
    }
    Subclass::SetImpl(object, index, *value);
  }

  // Deletes the element at |entry|. A packed kind is first moved to its holey
  // counterpart (a hole is about to be written), Smi/object stores are made
  // writable, and the actual work is done by DeleteCommon on the current
  // elements.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    const ElementsKind current_kind = KindTraits::Kind;
    if (IsFastPackedElementsKind(current_kind)) {
      JSObject::TransitionElementsKind(obj,
                                       GetHoleyElementsKind(current_kind));
    }
    if (IsSmiOrObjectElementsKind(current_kind)) {
      JSObject::EnsureWritableFastElements(obj);
    }
    // Read the elements only now: the transitions above may have replaced
    // them.
    Isolate* const isolate = obj->GetIsolate();
    Handle<FixedArrayBase> current_store = handle(obj->elements(), isolate);
    DeleteCommon(obj, entry, current_store);
  }

  // An entry exists exactly when its slot does not hold the hole marker.
  static bool HasEntryImpl(Isolate* isolate, FixedArrayBase backing_store,
                           uint32_t entry) {
    BackingStore store = BackingStore::cast(backing_store);
    const bool is_hole = store->is_the_hole(isolate, entry);
    return !is_hole;
  }

  // Number of present elements below the kind's max index. Packed kinds have
  // no holes, so the max index is the answer; holey kinds count the slots
  // that actually hold a value.
  static uint32_t NumberOfElementsImpl(JSObject receiver,
                                       FixedArrayBase backing_store) {
    const uint32_t max_index = Subclass::GetMaxIndex(receiver, backing_store);
    if (IsFastPackedElementsKind(Subclass::kind())) return max_index;
    Isolate* const isolate = receiver->GetIsolate();
    uint32_t present = 0;
    for (uint32_t slot = 0; slot < max_index; ++slot) {
      present += Subclass::HasEntryImpl(isolate, backing_store, slot) ? 1 : 0;
    }
    return present;
  }

  // Adds every element value of |receiver| to the accumulator in index
  // order. For packed kinds every slot is taken; for holey kinds only slots
  // that pass HasEntryImpl.
  static void AddElementsToKeyAccumulatorImpl(Handle<JSObject> receiver,
                                              KeyAccumulator* accumulator,
                                              AddKeyConversion convert) {
    Isolate* isolate = accumulator->isolate();
    Handle<FixedArrayBase> elements(receiver->elements(), isolate);
    uint32_t length = Subclass::GetMaxNumberOfEntries(*receiver, *elements);
    for (uint32_t i = 0; i < length; i++) {
      if (IsFastPackedElementsKind(KindTraits::Kind) ||
          HasEntryImpl(isolate, *elements, i)) {
        accumulator->AddKey(Subclass::GetImpl(isolate, *elements, i), convert);
      }
    }
  }

  // Debug-only sanity checks for a fast backing store: the store's map must
  // agree with the kind (no double array for Smi/object kinds, no COW array
  // for double kinds), and, under slow DCHECKs, the first |length| slots must
  // match the kind's packed/holey and Smi-only contract. No-op in release.
  static void ValidateContents(JSObject holder, int length) {
#if DEBUG
    Isolate* isolate = holder->GetIsolate();
    Heap* heap = isolate->heap();
    FixedArrayBase elements = holder->elements();
    Map map = elements->map();
    if (IsSmiOrObjectElementsKind(KindTraits::Kind)) {
      DCHECK_NE(map, ReadOnlyRoots(heap).fixed_double_array_map());
    } else if (IsDoubleElementsKind(KindTraits::Kind)) {
      DCHECK_NE(map, ReadOnlyRoots(heap).fixed_cow_array_map());
      // A double kind may only carry a plain FixedArray when it is empty.
      if (map == ReadOnlyRoots(heap).fixed_array_map()) DCHECK_EQ(0, length);
    } else {
      UNREACHABLE();
    }
    if (length == 0) return;  // nothing to do!
#if ENABLE_SLOW_DCHECKS
    DisallowHeapAllocation no_gc;
    BackingStore backing_store = BackingStore::cast(elements);
    if (IsSmiElementsKind(KindTraits::Kind)) {
      HandleScope scope(isolate);
      for (int i = 0; i < length; i++) {
        // Smi kinds hold only Smis, plus holes when the kind is holey.
        DCHECK(BackingStore::get(backing_store, i, isolate)->IsSmi() ||
               (IsHoleyElementsKind(KindTraits::Kind) &&
                backing_store->is_the_hole(isolate, i)));
      }
    } else if (KindTraits::Kind == PACKED_ELEMENTS ||
               KindTraits::Kind == PACKED_DOUBLE_ELEMENTS) {
      for (int i = 0; i < length; i++) {
        DCHECK(!backing_store->is_the_hole(isolate, i));
      }
    } else {
      DCHECK(IsHoleyElementsKind(KindTraits::Kind));
    }
#endif
#endif
  }
  // Array.prototype.pop on fast elements: removes the element at the end.
  static Handle<Object> PopImpl(Handle<JSArray> receiver) {
    Handle<Object> removed = Subclass::RemoveElement(receiver, AT_END);
    return removed;
  }

  // Array.prototype.shift on fast elements: removes the element at index 0.
  static Handle<Object> ShiftImpl(Handle<JSArray> receiver) {
    Handle<Object> removed = Subclass::RemoveElement(receiver, AT_START);
    return removed;
  }

  // Array.prototype.push on fast elements: appends {push_size} values from
  // {args} and returns the new length.
  static uint32_t PushImpl(Handle<JSArray> receiver,
                           Arguments* args, uint32_t push_size) {
    Isolate* const isolate = receiver->GetIsolate();
    Handle<FixedArrayBase> store(receiver->elements(), isolate);
    const uint32_t new_length =
        Subclass::AddArguments(receiver, store, args, push_size, AT_END);
    return new_length;
  }
  // Array.prototype.unshift on fast elements: prepends {unshift_size} values
  // from {args} and returns the new length.
  static uint32_t UnshiftImpl(Handle<JSArray> receiver,
                              Arguments* args, uint32_t unshift_size) {
    Isolate* const isolate = receiver->GetIsolate();
    Handle<FixedArrayBase> store(receiver->elements(), isolate);
    const uint32_t new_length =
        Subclass::AddArguments(receiver, store, args, unshift_size, AT_START);
    return new_length;
  }

  // Creates a new JSArray of this accessor's kind holding a copy of
  // {receiver}'s elements in [start, end); an {end} below {start} yields an
  // empty array. The raw copy runs under DisallowHeapAllocation because it
  // operates on unhandlified stores.
  //
  // NOTE(review): result_len is an int built from uint32_t operands, so
  // end - start is assumed to fit in int — TODO confirm the callers bound the
  // range before reaching here.
  static Handle<JSObject> SliceImpl(Handle<JSObject> receiver, uint32_t start,
                                    uint32_t end) {
    Isolate* isolate = receiver->GetIsolate();
    Handle<FixedArrayBase> backing_store(receiver->elements(), isolate);
    int result_len = end < start ? 0u : end - start;
    // Allocate the result before the no-allocation scope below.
    Handle<JSArray> result_array = isolate->factory()->NewJSArray(
        KindTraits::Kind, result_len, result_len);
    DisallowHeapAllocation no_gc;
    Subclass::CopyElementsImpl(isolate, *backing_store, start,
                               result_array->elements(), KindTraits::Kind, 0,
                               kPackedSizeNotKnown, result_len);
    // Presumably narrows a holey result to the packed kind when possible.
    Subclass::TryTransitionResultArrayToPacked(result_array);
    return result_array;
  }

  // Moves {len} elements of {backing_store} from {src_index} to {dst_index}
  // and then fills [hole_start, hole_end) with holes. When a large block is
  // moved to the front and the heap permits it, the store is left-trimmed in
  // place instead of copied; the handle's location is then rewritten so every
  // Handle sharing that location observes the trimmed store.
  static void MoveElements(Isolate* isolate, Handle<JSArray> receiver,
                           Handle<FixedArrayBase> backing_store, int dst_index,
                           int src_index, int len, int hole_start,
                           int hole_end) {
    Heap* heap = isolate->heap();
    // Presumably shares the location of {backing_store} (see the write below).
    Handle<BackingStore> dst_elms = Handle<BackingStore>::cast(backing_store);
    if (len > JSArray::kMaxCopyElements && dst_index == 0 &&
        heap->CanMoveObjectStart(*dst_elms)) {
      // Update all the copies of this backing_store handle.
      *dst_elms.location() =
          BackingStore::cast(heap->LeftTrimFixedArray(*dst_elms, src_index))
              ->ptr();
      receiver->set_elements(*dst_elms);
      // Adjust the hole offset as the array has been shrunk.
      hole_end -= src_index;
      // {backing_store} reads through the rewritten location, so these bounds
      // refer to the trimmed store (debug-only).
      DCHECK_LE(hole_start, backing_store->length());
      DCHECK_LE(hole_end, backing_store->length());
    } else if (len != 0) {
      // In-place memmove-style copy with the kind's write-barrier mode.
      WriteBarrierMode mode = GetWriteBarrierMode(KindTraits::Kind);
      dst_elms->MoveElements(heap, dst_index, src_index, len, mode);
    }
    if (hole_start != hole_end) {
      dst_elms->FillWithHoles(hole_start, hole_end);
    }
  }

  // Array.prototype.fill on fast elements: writes {obj_value} into every
  // index in [start, end) of {receiver}, growing the backing store first if
  // {end} exceeds its capacity. Returns the receiver.
  //
  // Preconditions (debug-checked only): 0 <= start <= end.
  static Object FillImpl(Handle<JSObject> receiver, Handle<Object> obj_value,
                         uint32_t start, uint32_t end) {
    // Ensure indexes are within array bounds
    DCHECK_LE(0, start);
    DCHECK_LE(start, end);

    // Make sure COW arrays are copied.
    if (IsSmiOrObjectElementsKind(Subclass::kind())) {
      JSObject::EnsureWritableFastElements(receiver);
    }

    // Make sure we have enough space.
    uint32_t capacity =
        Subclass::GetCapacityImpl(*receiver, receiver->elements());
    if (end > capacity) {
      Subclass::GrowCapacityAndConvertImpl(receiver, end);
      // Release-mode guard: growing must not have changed the elements kind,
      // because SetImpl below casts the store to this accessor's layout.
      CHECK_EQ(Subclass::kind(), receiver->GetElementsKind());
    }
    DCHECK_LE(end, Subclass::GetCapacityImpl(*receiver, receiver->elements()));

    // SetImpl re-reads receiver->elements() on each call, so no raw store
    // pointer is cached across the loop.
    for (uint32_t index = start; index < end; ++index) {
      Subclass::SetImpl(receiver, index, *obj_value);
    }
    return *receiver;
  }

  // Array.prototype.includes on fast elements: reports whether
  // {search_value} occurs at an index in [start_from, length) of {receiver}
  // with SameValueZero semantics (NaN matches NaN; a hole reads as
  // undefined).
  //
  // Precondition (debug-checked only): no object on the prototype chain has
  // elements, which is what allows holes to be treated as undefined without
  // a prototype lookup. Callers must guarantee this in release builds.
  //
  // The whole body runs under DisallowHeapAllocation and holds raw Object
  // pointers, so nothing in the loops below may allocate.
  static Maybe<bool> IncludesValueImpl(Isolate* isolate,
                                       Handle<JSObject> receiver,
                                       Handle<Object> search_value,
                                       uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    DisallowHeapAllocation no_gc;
    FixedArrayBase elements_base = receiver->elements();
    Object the_hole = ReadOnlyRoots(isolate).the_hole_value();
    Object undefined = ReadOnlyRoots(isolate).undefined_value();
    Object value = *search_value;

    if (start_from >= length) return Just(false);

    // Elements beyond the capacity of the backing store treated as undefined.
    uint32_t elements_length = static_cast<uint32_t>(elements_base->length());
    if (value == undefined && elements_length < length) return Just(true);
    if (elements_length == 0) {
      DCHECK_NE(value, undefined);
      return Just(false);
    }

    // Clamp the search range to the backing store so the loops below never
    // read past it, even though {length} may exceed elements_length.
    length = std::min(elements_length, length);

    if (!value->IsNumber()) {
      if (value == undefined) {
        // Search for `undefined` or The Hole. Even in the case of
        // PACKED_DOUBLE_ELEMENTS or PACKED_SMI_ELEMENTS, we might encounter The
        // Hole here, since the {length} used here can be larger than
        // JSArray::length.
        if (IsSmiOrObjectElementsKind(Subclass::kind())) {
          auto elements = FixedArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            Object element_k = elements->get(k);

            if (element_k == the_hole || element_k == undefined) {
              return Just(true);
            }
          }
          return Just(false);
        } else {
          // Search for The Hole in HOLEY_DOUBLE_ELEMENTS or
          // PACKED_DOUBLE_ELEMENTS.
          DCHECK(IsDoubleElementsKind(Subclass::kind()));
          auto elements = FixedDoubleArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            if (elements->is_the_hole(k)) {
              return Just(true);
            }
          }
          return Just(false);
        }
      } else if (!IsObjectElementsKind(Subclass::kind())) {
        // Search for non-number, non-Undefined value, with either
        // PACKED_SMI_ELEMENTS, PACKED_DOUBLE_ELEMENTS, HOLEY_SMI_ELEMENTS or
        // HOLEY_DOUBLE_ELEMENTS. Guaranteed to return false, since these
        // elements kinds can only contain Number values or undefined.
        return Just(false);
      } else {
        // Search for non-number, non-Undefined value with either
        // PACKED_ELEMENTS or HOLEY_ELEMENTS.
        DCHECK(IsObjectElementsKind(Subclass::kind()));
        auto elements = FixedArray::cast(receiver->elements());

        for (uint32_t k = start_from; k < length; ++k) {
          Object element_k = elements->get(k);
          // A hole cannot match a non-undefined value; skip it explicitly
          // rather than handing the hole marker to SameValueZero.
          if (element_k == the_hole) {
            continue;
          }

          if (value->SameValueZero(element_k)) return Just(true);
        }
        return Just(false);
      }
    } else {
      if (!value->IsNaN()) {
        double search_value = value->Number();
        if (IsDoubleElementsKind(Subclass::kind())) {
          // Search for non-NaN Number in PACKED_DOUBLE_ELEMENTS or
          // HOLEY_DOUBLE_ELEMENTS --- Skip TheHole, and trust UCOMISD or
          // similar operation for result.
          auto elements = FixedDoubleArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            // The hole is encoded in the double slot; it must be tested
            // before reading the scalar.
            if (elements->is_the_hole(k)) {
              continue;
            }
            if (elements->get_scalar(k) == search_value) return Just(true);
          }
          return Just(false);
        } else {
          // Search for non-NaN Number in PACKED_ELEMENTS, HOLEY_ELEMENTS,
          // PACKED_SMI_ELEMENTS or HOLEY_SMI_ELEMENTS --- Skip non-Numbers,
          // and trust UCOMISD or similar operation for result
          auto elements = FixedArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            Object element_k = elements->get(k);
            if (element_k->IsNumber() && element_k->Number() == search_value) {
              return Just(true);
            }
          }
          return Just(false);
        }
      } else {
        // Search for NaN --- NaN cannot be represented with Smi elements, so
        // abort if ElementsKind is PACKED_SMI_ELEMENTS or HOLEY_SMI_ELEMENTS
        if (IsSmiElementsKind(Subclass::kind())) return Just(false);

        if (IsDoubleElementsKind(Subclass::kind())) {
          // Search for NaN in PACKED_DOUBLE_ELEMENTS or
          // HOLEY_DOUBLE_ELEMENTS --- Skip The Hole and trust
          // std::isnan(elementK) for result
          auto elements = FixedDoubleArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            if (elements->is_the_hole(k)) {
              continue;
            }
            if (std::isnan(elements->get_scalar(k))) return Just(true);
          }
          return Just(false);
        } else {
          // Search for NaN in PACKED_ELEMENTS, HOLEY_ELEMENTS,
          // PACKED_SMI_ELEMENTS or HOLEY_SMI_ELEMENTS. Return true if
          // elementK->IsHeapNumber() && std::isnan(elementK->Number())
          DCHECK(IsSmiOrObjectElementsKind(Subclass::kind()));
          auto elements = FixedArray::cast(receiver->elements());

          for (uint32_t k = start_from; k < length; ++k) {
            if (elements->get(k)->IsNaN()) return Just(true);
          }
          return Just(false);
        }
      }
    }
  }

  // Builds a FixedArray of {length} slots from {object}'s fast elements.
  // Indices without an element are skipped and keep whatever NewFixedArray
  // initialised them to; Name values are internalized before being stored.
  // GetImpl and InternalizeName may allocate, so everything stays handlified.
  static Handle<FixedArray> CreateListFromArrayLikeImpl(Isolate* isolate,
                                                        Handle<JSObject> object,
                                                        uint32_t length) {
    Handle<FixedArray> list = isolate->factory()->NewFixedArray(length);
    Handle<FixedArrayBase> store(object->elements(), isolate);
    for (uint32_t index = 0; index < length; ++index) {
      const bool present =
          Subclass::HasElementImpl(isolate, *object, index, *store);
      if (!present) continue;
      Handle<Object> element = Subclass::GetImpl(isolate, *store, index);
      if (element->IsName()) {
        Handle<Name> name = Handle<Name>::cast(element);
        element = isolate->factory()->InternalizeName(name);
      }
      list->set(index, *element);
    }
    return list;
  }

  // Shared implementation of pop (AT_END) and shift (AT_START): reads the
  // element at the removed position, for AT_START shifts the remaining
  // elements down by one, shrinks the array length by one and returns the
  // removed value (undefined if the slot was a hole).
  //
  // Precondition (debug-checked only): receiver->length() is a non-zero Smi.
  static Handle<Object> RemoveElement(Handle<JSArray> receiver,
                                      Where remove_position) {
    Isolate* isolate = receiver->GetIsolate();
    ElementsKind kind = KindTraits::Kind;
    if (IsSmiOrObjectElementsKind(kind)) {
      // Copy-on-write stores must be copied before they are mutated.
      HandleScope scope(isolate);
      JSObject::EnsureWritableFastElements(receiver);
    }
    // Taken after EnsureWritableFastElements, which may have swapped in a
    // writable copy of the store.
    Handle<FixedArrayBase> backing_store(receiver->elements(), isolate);
    uint32_t length = static_cast<uint32_t>(Smi::ToInt(receiver->length()));
    DCHECK_GT(length, 0);
    int new_length = length - 1;
    int remove_index = remove_position == AT_START ? 0 : new_length;
    // Read the result before MoveElements / SetLengthImpl overwrite or trim
    // the slot it lives in.
    Handle<Object> result =
        Subclass::GetImpl(isolate, *backing_store, remove_index);
    if (remove_position == AT_START) {
      Subclass::MoveElements(isolate, receiver, backing_store, 0, 1, new_length,
                             0, 0);
    }
    Subclass::SetLengthImpl(isolate, receiver, new_length, backing_store);

    if (IsHoleyElementsKind(kind) && result->IsTheHole(isolate)) {
      return isolate->factory()->undefined_value();
    }
    return result;
  }

  // Appends (AT_END, push) or prepends (AT_START, unshift) {add_size} values
  // of {args}, read from argument index 1 onwards, to {receiver}. The backing
  // store is reallocated if too small, or shifted in place for AT_START, and
  // the new array length is returned.
  //
  // The Smi-range check on length + add_size is a DCHECK, i.e. debug-only;
  // callers must bound {add_size} themselves in release builds.
  static uint32_t AddArguments(Handle<JSArray> receiver,
                               Handle<FixedArrayBase> backing_store,
                               Arguments* args, uint32_t add_size,
                               Where add_position) {
    uint32_t length = Smi::ToInt(receiver->length());
    DCHECK_LT(0, add_size);
    uint32_t elms_len = backing_store->length();
    // Check we do not overflow the new_length.
    DCHECK(add_size <= static_cast<uint32_t>(Smi::kMaxValue - length));
    uint32_t new_length = length + add_size;

    if (new_length > elms_len) {
      // New backing storage is needed.
      uint32_t capacity = JSObject::NewElementsCapacity(new_length);
      // If we add arguments to the start we have to shift the existing objects.
      int copy_dst_index = add_position == AT_START ? add_size : 0;
      // Copy over all objects to a new backing_store.
      backing_store = Subclass::ConvertElementsWithCapacity(
          receiver, backing_store, KindTraits::Kind, capacity, 0,
          copy_dst_index, ElementsAccessor::kCopyToEndAndInitializeToHole);
      // {backing_store} now refers to the new store; publish it on the
      // receiver before anything reads receiver->elements() again.
      receiver->set_elements(*backing_store);
    } else if (add_position == AT_START) {
      // If the backing store has enough capacity and we add elements to the
      // start we have to shift the existing objects.
      Isolate* isolate = receiver->GetIsolate();
      Subclass::MoveElements(isolate, receiver, backing_store, add_size, 0,
                             length, 0, 0);
    }

    int insertion_index = add_position == AT_START ? 0 : length;
    // Copy the arguments to the start.
    Subclass::CopyArguments(args, backing_store, add_size, 1, insertion_index);
    // Set the length.
    receiver->set_length(Smi::FromInt(new_length));
    return new_length;
  }

  // Writes {copy_size} values from {args}, starting at argument {src_index},
  // into {dst_store} starting at {dst_index}. Runs under
  // DisallowHeapAllocation because the raw store pointer is held across the
  // loop; the write-barrier mode is chosen once up front for that store.
  static void CopyArguments(Arguments* args, Handle<FixedArrayBase> dst_store,
                            uint32_t copy_size, uint32_t src_index,
                            uint32_t dst_index) {
    DisallowHeapAllocation no_gc;
    FixedArrayBase store = *dst_store;
    const WriteBarrierMode barrier_mode = store->GetWriteBarrierMode(no_gc);
    for (uint32_t offset = 0; offset < copy_size; ++offset) {
      Object arg = (*args)[src_index + offset];
      DCHECK(!arg->IsTheHole());  // arguments never carry the hole marker
      Subclass::SetImpl(store, dst_index + offset, arg, barrier_mode);
    }
  }
};

// Shared implementation for the four Smi / object elements kinds
// (PACKED_SMI, HOLEY_SMI, PACKED, HOLEY), all of which are backed by a
// FixedArray. {Subclass} is the concrete accessor (CRTP) and {KindTraits}
// fixes the ElementsKind.
template <typename Subclass, typename KindTraits>
class FastSmiOrObjectElementsAccessor
    : public FastElementsAccessor<Subclass, KindTraits> {
 public:
  explicit FastSmiOrObjectElementsAccessor(const char* name)
      : FastElementsAccessor<Subclass, KindTraits>(name) {}

  // Stores {value} at {entry} of {holder}'s current backing store.
  static inline void SetImpl(Handle<JSObject> holder, uint32_t entry,
                             Object value) {
    SetImpl(holder->elements(), entry, value);
  }

  // Stores {value} into the FixedArray {backing_store}; FixedArray::set
  // selects the write barrier itself.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value) {
    FixedArray::cast(backing_store)->set(entry, value);
  }

  // Same as above with a caller-supplied write-barrier {mode}; the caller is
  // responsible for {mode} being valid for this store.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value, WriteBarrierMode mode) {
    FixedArray::cast(backing_store)->set(entry, value, mode);
  }

  // Reads the raw slot for {entry} without handlification; callers check
  // HasEntryImpl first, as the slot may hold the hole in holey kinds.
  static Object GetRaw(FixedArray backing_store, uint32_t entry) {
    uint32_t index = Subclass::GetIndexForEntryImpl(backing_store, entry);
    return backing_store->get(index);
  }

  // NOTE: this method violates the handlified function signature convention:
  // raw pointer parameters in the function that allocates.
  // See ElementsAccessor::CopyElements() for details.
  // This method could actually allocate if copying from double elements to
  // object elements.
  //
  // Copies {copy_size} elements of {from} (whose kind is {from_kind}) starting
  // at {from_start} into {to} at {to_start}, converting to this accessor's
  // object representation. {packed_size} is not consulted here.
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
    DisallowHeapAllocation no_gc;
    ElementsKind to_kind = KindTraits::Kind;
    switch (from_kind) {
      case PACKED_SMI_ELEMENTS:
      case HOLEY_SMI_ELEMENTS:
      case PACKED_ELEMENTS:
      case HOLEY_ELEMENTS:
        CopyObjectToObjectElements(isolate, from, from_kind, from_start, to,
                                   to_kind, to_start, copy_size);
        break;
      case PACKED_DOUBLE_ELEMENTS:
      case HOLEY_DOUBLE_ELEMENTS: {
        // Boxing doubles into HeapNumbers allocates, so the outer no-GC scope
        // is lifted for this case only; {from}/{to} are raw and must not be
        // reused after the copy returns.
        AllowHeapAllocation allow_allocation;
        DCHECK(IsObjectElementsKind(to_kind));
        CopyDoubleToObjectElements(isolate, from, from_start, to, to_start,
                                   copy_size);
        break;
      }
      case DICTIONARY_ELEMENTS:
        CopyDictionaryToObjectElements(isolate, from, from_start, to, to_kind,
                                       to_start, copy_size);
        break;
      case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
      case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
      case FAST_STRING_WRAPPER_ELEMENTS:
      case SLOW_STRING_WRAPPER_ELEMENTS:
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
        TYPED_ARRAYS(TYPED_ARRAY_CASE)
#undef TYPED_ARRAY_CASE
      // This function is currently only used for JSArrays with non-zero
      // length.
      UNREACHABLE();
      break;
      case NO_ELEMENTS:
        break;  // Nothing to do.
    }
  }

  // Fills {values_or_entries} with either the present element values or, when
  // {get_entries} is set, [index, value] pairs, and reports the count through
  // {nof_items}. {filter} is not consulted here.
  static Maybe<bool> CollectValuesOrEntriesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
      PropertyFilter filter) {
    int count = 0;
    if (get_entries) {
      // Collecting entries needs to allocate, so this code must be handlified.
      Handle<FixedArray> elements(FixedArray::cast(object->elements()),
                                  isolate);
      uint32_t length = elements->length();
      for (uint32_t index = 0; index < length; ++index) {
        if (!Subclass::HasEntryImpl(isolate, *elements, index)) continue;
        Handle<Object> value = Subclass::GetImpl(isolate, *elements, index);
        value = MakeEntryPair(isolate, index, value);
        values_or_entries->set(count++, *value);
      }
    } else {
      // No allocations here, so we can avoid handlification overhead.
      DisallowHeapAllocation no_gc;
      FixedArray elements = FixedArray::cast(object->elements());
      uint32_t length = elements->length();
      for (uint32_t index = 0; index < length; ++index) {
        if (!Subclass::HasEntryImpl(isolate, elements, index)) continue;
        Object value = GetRaw(elements, index);
        values_or_entries->set(count++, value);
      }
    }
    *nof_items = count;
    return Just(true);
  }

  // Array.prototype.indexOf on Smi / object elements: returns the first index
  // in [start_from, length) whose element is StrictEquals to {search_value},
  // or -1.
  //
  // Precondition (debug-checked only): no object on the prototype chain has
  // elements. The body holds raw pointers under DisallowHeapAllocation.
  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> search_value,
                                         uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    DisallowHeapAllocation no_gc;
    FixedArrayBase elements_base = receiver->elements();
    Object value = *search_value;

    if (start_from >= length) return Just<int64_t>(-1);

    // Clamp the search range to the backing store so the loop never reads
    // past it.
    length = std::min(static_cast<uint32_t>(elements_base->length()), length);

    // Only FAST_{,HOLEY_}ELEMENTS can store non-numbers.
    if (!value->IsNumber() && !IsObjectElementsKind(Subclass::kind())) {
      return Just<int64_t>(-1);
    }
    // NaN can never be found by strict equality.
    if (value->IsNaN()) return Just<int64_t>(-1);

    // k can be greater than receiver->length() below, but it is bounded by
    // elements_base->length() so we never read out of bounds. This means that
    // elements->get(k) can return the hole, for which the StrictEquals will
    // always fail.
    FixedArray elements = FixedArray::cast(receiver->elements());
    for (uint32_t k = start_from; k < length; ++k) {
      if (value->StrictEquals(elements->get(k))) return Just<int64_t>(k);
    }
    return Just<int64_t>(-1);
  }
};
// Accessor for PACKED_SMI_ELEMENTS; all behaviour comes from
// FastSmiOrObjectElementsAccessor, this class only binds the kind.
class FastPackedSmiElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastPackedSmiElementsAccessor,
          ElementsKindTraits<PACKED_SMI_ELEMENTS>> {
  using Base =
      FastSmiOrObjectElementsAccessor<FastPackedSmiElementsAccessor,
                                      ElementsKindTraits<PACKED_SMI_ELEMENTS>>;

 public:
  explicit FastPackedSmiElementsAccessor(const char* name) : Base(name) {}
};

// Accessor for HOLEY_SMI_ELEMENTS; all behaviour comes from
// FastSmiOrObjectElementsAccessor, this class only binds the kind.
class FastHoleySmiElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastHoleySmiElementsAccessor,
          ElementsKindTraits<HOLEY_SMI_ELEMENTS>> {
  using Base =
      FastSmiOrObjectElementsAccessor<FastHoleySmiElementsAccessor,
                                      ElementsKindTraits<HOLEY_SMI_ELEMENTS>>;

 public:
  explicit FastHoleySmiElementsAccessor(const char* name) : Base(name) {}
};

// Accessor for PACKED_ELEMENTS; all behaviour comes from
// FastSmiOrObjectElementsAccessor, this class only binds the kind.
class FastPackedObjectElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastPackedObjectElementsAccessor,
          ElementsKindTraits<PACKED_ELEMENTS>> {
  using Base =
      FastSmiOrObjectElementsAccessor<FastPackedObjectElementsAccessor,
                                      ElementsKindTraits<PACKED_ELEMENTS>>;

 public:
  explicit FastPackedObjectElementsAccessor(const char* name) : Base(name) {}
};

// Accessor for HOLEY_ELEMENTS; all behaviour comes from
// FastSmiOrObjectElementsAccessor, this class only binds the kind.
class FastHoleyObjectElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastHoleyObjectElementsAccessor, ElementsKindTraits<HOLEY_ELEMENTS>> {
  using Base =
      FastSmiOrObjectElementsAccessor<FastHoleyObjectElementsAccessor,
                                      ElementsKindTraits<HOLEY_ELEMENTS>>;

 public:
  explicit FastHoleyObjectElementsAccessor(const char* name) : Base(name) {}
};

// Shared implementation for PACKED_DOUBLE_ELEMENTS and HOLEY_DOUBLE_ELEMENTS,
// both backed by a FixedDoubleArray holding unboxed doubles. {Subclass} is
// the concrete accessor (CRTP) and {KindTraits} fixes the ElementsKind.
template <typename Subclass, typename KindTraits>
class FastDoubleElementsAccessor
    : public FastElementsAccessor<Subclass, KindTraits> {
 public:
  explicit FastDoubleElementsAccessor(const char* name)
      : FastElementsAccessor<Subclass, KindTraits>(name) {}

  // Reads {entry} as a handlified Object; FixedDoubleArray::get does the
  // boxing (and hole handling) on behalf of the caller.
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase backing_store,
                                uint32_t entry) {
    return FixedDoubleArray::get(FixedDoubleArray::cast(backing_store), entry,
                                 isolate);
  }

  // Stores {value} at {entry} of {holder}'s current backing store.
  static inline void SetImpl(Handle<JSObject> holder, uint32_t entry,
                             Object value) {
    SetImpl(holder->elements(), entry, value);
  }

  // Stores the numeric value of {value} as an unboxed double. {value} is
  // expected to be a Number; what Number() does otherwise is not visible here.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value) {
    FixedDoubleArray::cast(backing_store)->set(entry, value->Number());
  }

  // Same as above; {mode} is accepted for interface parity with the
  // Smi/object accessor but ignored, since unboxed doubles need no write
  // barrier.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value, WriteBarrierMode mode) {
    FixedDoubleArray::cast(backing_store)->set(entry, value->Number());
  }

  // Copies {copy_size} elements of {from} (kind {from_kind}) starting at
  // {from_start} into the double store {to} at {to_start}, unboxing as
  // needed. Never allocates; {packed_size} is only used for the packed-Smi
  // fast path.
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
    DisallowHeapAllocation no_allocation;
    switch (from_kind) {
      case PACKED_SMI_ELEMENTS:
        CopyPackedSmiToDoubleElements(from, from_start, to, to_start,
                                      packed_size, copy_size);
        break;
      case HOLEY_SMI_ELEMENTS:
        CopySmiToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case PACKED_DOUBLE_ELEMENTS:
      case HOLEY_DOUBLE_ELEMENTS:
        CopyDoubleToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case PACKED_ELEMENTS:
      case HOLEY_ELEMENTS:
        CopyObjectToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case DICTIONARY_ELEMENTS:
        CopyDictionaryToDoubleElements(isolate, from, from_start, to, to_start,
                                       copy_size);
        break;
      case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
      case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
      case FAST_STRING_WRAPPER_ELEMENTS:
      case SLOW_STRING_WRAPPER_ELEMENTS:
      case NO_ELEMENTS:
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
        TYPED_ARRAYS(TYPED_ARRAY_CASE)
#undef TYPED_ARRAY_CASE
      // This function is currently only used for JSArrays with non-zero
      // length.
      UNREACHABLE();
      break;
    }
  }

  // Fills {values_or_entries} with the present element values or, when
  // {get_entries} is set, [index, value] pairs, and reports the count through
  // {nof_items}. Always handlified because GetImpl boxes doubles. {filter} is
  // not consulted here.
  static Maybe<bool> CollectValuesOrEntriesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
      PropertyFilter filter) {
    Handle<FixedDoubleArray> elements(
        FixedDoubleArray::cast(object->elements()), isolate);
    int count = 0;
    uint32_t length = elements->length();
    for (uint32_t index = 0; index < length; ++index) {
      if (!Subclass::HasEntryImpl(isolate, *elements, index)) continue;
      Handle<Object> value = Subclass::GetImpl(isolate, *elements, index);
      if (get_entries) {
        value = MakeEntryPair(isolate, index, value);
      }
      values_or_entries->set(count++, *value);
    }
    *nof_items = count;
    return Just(true);
  }

  // Array.prototype.indexOf on double elements: returns the first index in
  // [start_from, length) whose unboxed value compares equal to
  // {search_value}, or -1. Non-numbers and NaN can never match (strict
  // equality), and holes are skipped.
  //
  // Precondition (debug-checked only): no object on the prototype chain has
  // elements. The body holds raw pointers under DisallowHeapAllocation.
  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> search_value,
                                         uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
    DisallowHeapAllocation no_gc;
    FixedArrayBase elements_base = receiver->elements();
    Object value = *search_value;

    // Clamp the search range to the backing store so the loop never reads
    // past it.
    length = std::min(static_cast<uint32_t>(elements_base->length()), length);

    if (start_from >= length) return Just<int64_t>(-1);

    if (!value->IsNumber()) {
      return Just<int64_t>(-1);
    }
    if (value->IsNaN()) {
      return Just<int64_t>(-1);
    }
    double numeric_search_value = value->Number();
    FixedDoubleArray elements = FixedDoubleArray::cast(receiver->elements());

    for (uint32_t k = start_from; k < length; ++k) {
      // The hole is encoded in the double slot; test it before reading the
      // scalar.
      if (elements->is_the_hole(k)) {
        continue;
      }
      if (elements->get_scalar(k) == numeric_search_value) {
        return Just<int64_t>(k);
      }
    }
    return Just<int64_t>(-1);
  }
};
2799

2800 2801
// Accessor for PACKED_DOUBLE_ELEMENTS; all behaviour comes from
// FastDoubleElementsAccessor, this class only binds the kind.
class FastPackedDoubleElementsAccessor
    : public FastDoubleElementsAccessor<
          FastPackedDoubleElementsAccessor,
          ElementsKindTraits<PACKED_DOUBLE_ELEMENTS>> {
  using Base =
      FastDoubleElementsAccessor<FastPackedDoubleElementsAccessor,
                                 ElementsKindTraits<PACKED_DOUBLE_ELEMENTS>>;

 public:
  explicit FastPackedDoubleElementsAccessor(const char* name) : Base(name) {}
};

// Accessor for HOLEY_DOUBLE_ELEMENTS; all behaviour comes from
// FastDoubleElementsAccessor, this class only binds the kind.
class FastHoleyDoubleElementsAccessor
    : public FastDoubleElementsAccessor<
          FastHoleyDoubleElementsAccessor,
          ElementsKindTraits<HOLEY_DOUBLE_ELEMENTS>> {
  using Base =
      FastDoubleElementsAccessor<FastHoleyDoubleElementsAccessor,
                                 ElementsKindTraits<HOLEY_DOUBLE_ELEMENTS>>;

 public:
  explicit FastHoleyDoubleElementsAccessor(const char* name) : Base(name) {}
};


// Super class for all external element arrays.
template <ElementsKind Kind, typename ctype>
class TypedElementsAccessor
    : public ElementsAccessorBase<TypedElementsAccessor<Kind, ctype>,
                                  ElementsKindTraits<Kind>> {
 public:
  // Constructs the accessor; |name| is forwarded to ElementsAccessorBase.
  explicit TypedElementsAccessor(const char* name)
      : ElementsAccessorBase<TypedElementsAccessor<Kind, ctype>,
                             ElementsKindTraits<Kind>>(name) {}

  // Shorthand for this very instantiation; the *Impl methods below use it to
  // call each other through the concrete class.
  typedef TypedElementsAccessor<Kind, ctype> AccessorClass;
  // The concrete backing-store class for elements of this Kind, as declared by
  // ElementsKindTraits; it provides cast/get/SetValue/get_scalar/DataPtr.
  typedef typename ElementsKindTraits<Kind>::BackingStore BackingStore;

  // Stores |value| at |entry| of |holder|'s typed backing store. For typed
  // arrays entries and indexes coincide (see GetIndexForEntryImpl).
  static inline void SetImpl(Handle<JSObject> holder, uint32_t entry,
                             Object value) {
    FixedArrayBase backing_store = holder->elements();
    SetImpl(backing_store, entry, value);
  }

  // Stores |value| at |entry| of |backing_store|, which must be a
  // BackingStore of this Kind; SetValue performs the number conversion.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value) {
    BackingStore typed_store = BackingStore::cast(backing_store);
    typed_store->SetValue(entry, value);
  }

  // Same as the three-argument overload; |mode| is ignored because the value
  // is written with SetValue exactly as in the barrier-less overload.
  static inline void SetImpl(FixedArrayBase backing_store, uint32_t entry,
                             Object value, WriteBarrierMode mode) {
    SetImpl(backing_store, entry, value);
  }

  // Reads the element at |entry| and returns it boxed as a handle (the
  // BackingStore decides whether that is a Smi, HeapNumber or BigInt).
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase backing_store,
                                uint32_t entry) {
    BackingStore typed_store = BackingStore::cast(backing_store);
    return BackingStore::get(isolate, typed_store, entry);
  }

  // Every typed array element is a plain, non-deletable data property; the
  // holder and entry do not influence the result.
  static PropertyDetails GetDetailsImpl(JSObject holder, uint32_t entry) {
    PropertyDetails details(kData, DONT_DELETE, PropertyCellType::kNoCell);
    return details;
  }

  // Backing-store flavour of GetDetailsImpl: same fixed answer, a
  // non-deletable data property, independent of the store and entry.
  static PropertyDetails GetDetailsImpl(FixedArrayBase backing_store,
                                        uint32_t entry) {
    PropertyDetails details(kData, DONT_DELETE, PropertyCellType::kNoCell);
    return details;
  }

  // True iff |index| is inside the view. |filter| is ignored: every in-range
  // index of a typed array is a data element (see GetDetailsImpl), and
  // GetCapacityImpl already reports 0 for a detached view.
  static bool HasElementImpl(Isolate* isolate, JSObject holder, uint32_t index,
                             FixedArrayBase backing_store,
                             PropertyFilter filter) {
    uint32_t capacity = AccessorClass::GetCapacityImpl(holder, backing_store);
    return index < capacity;
  }

  // Typed arrays never hold accessor (getter/setter) elements.
  static bool HasAccessorsImpl(JSObject holder, FixedArrayBase backing_store) {
    return false;
  }

  // Typed arrays have a fixed length, so this entry point must never be
  // reached; reaching it is a caller bug and aborts.
  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
                            uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    // External arrays do not support changing their length.
    UNREACHABLE();
  }

  // Typed array elements are non-deletable (DONT_DELETE in GetDetailsImpl),
  // so deletion must be rejected before ever reaching the accessor.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    UNREACHABLE();
  }

  // Typed arrays are dense: an entry number is the element index itself.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase backing_store,
                                       uint32_t entry) {
    return entry;
  }

  // Inverse of GetIndexForEntryImpl: an in-range index is its own entry; an
  // out-of-range index (including every index of a detached view, whose
  // capacity is 0) maps to the kMaxUInt32 "no entry" sentinel.
  static uint32_t GetEntryForIndexImpl(Isolate* isolate, JSObject holder,
                                       FixedArrayBase backing_store,
                                       uint32_t index, PropertyFilter filter) {
    if (index >= AccessorClass::GetCapacityImpl(holder, backing_store)) {
      return kMaxUInt32;
    }
    return index;
  }

  // True iff the ArrayBuffer behind |holder| (a JSArrayBufferView) has been
  // detached; once detached the view's memory must not be touched.
  static bool WasDetached(JSObject holder) {
    return JSArrayBufferView::cast(holder)->WasDetached();
  }

  // Number of addressable elements. A detached view exposes none, whatever
  // |backing_store| still reports; otherwise it is the store's length.
  static uint32_t GetCapacityImpl(JSObject holder,
                                  FixedArrayBase backing_store) {
    return WasDetached(holder) ? 0 : backing_store->length();
  }

  // Typed arrays have no holes, so the element count equals the capacity.
  static uint32_t NumberOfElementsImpl(JSObject receiver,
                                       FixedArrayBase backing_store) {
    return AccessorClass::GetCapacityImpl(receiver, backing_store);
  }

  // Feeds every element value of |receiver| (in index order) to |accumulator|.
  // The backing store is kept in a handle because GetImpl may allocate when it
  // boxes an element.
  static void AddElementsToKeyAccumulatorImpl(Handle<JSObject> receiver,
                                              KeyAccumulator* accumulator,
                                              AddKeyConversion convert) {
    Isolate* isolate = receiver->GetIsolate();
    Handle<FixedArrayBase> store(receiver->elements(), isolate);
    const uint32_t capacity = AccessorClass::GetCapacityImpl(*receiver, *store);
    for (uint32_t index = 0; index < capacity; ++index) {
      Handle<Object> element = AccessorClass::GetImpl(isolate, *store, index);
      accumulator->AddKey(element, convert);
    }
  }

  // Writes every element value (or [index, value] pair when |get_entries|) of
  // |object| into |values_or_entries| starting at slot 0 and reports the count
  // through |nof_items|. Always succeeds.
  static Maybe<bool> CollectValuesOrEntriesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
      PropertyFilter filter) {
    // Typed array elements are non-configurable (DONT_DELETE, see
    // GetDetailsImpl), so a filter asking for configurable ones yields nothing.
    if ((filter & ONLY_CONFIGURABLE) != 0) {
      *nof_items = 0;
      return Just(true);
    }
    Handle<FixedArrayBase> store(object->elements(), isolate);
    const uint32_t capacity = AccessorClass::GetCapacityImpl(*object, *store);
    int count = 0;
    for (uint32_t index = 0; index < capacity; ++index) {
      // Box first, then store: GetImpl/MakeEntryPair may allocate, so the
      // target array is only dereferenced once the value is in a handle.
      Handle<Object> item = AccessorClass::GetImpl(isolate, *store, index);
      if (get_entries) {
        item = MakeEntryPair(isolate, index, item);
      }
      // NOTE(review): assumes the caller sized |values_or_entries| to at least
      // the capacity; nothing here checks it.
      values_or_entries->set(count++, *item);
    }
    *nof_items = count;
    return Just(true);
  }

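  // Fills elements [start, end) of the typed array |receiver| with |obj_value|
  // (already converted to a Numeric by the caller) and returns the array.
  // The std::fill below writes straight into the backing store's raw memory,
  // so the range is bounded with CHECKs that hold in release builds too.
  static Object FillImpl(Handle<JSObject> receiver, Handle<Object> obj_value,
                         uint32_t start, uint32_t end) {
    Handle<JSTypedArray> array = Handle<JSTypedArray>::cast(receiver);
    DCHECK(!array->WasDetached());
    DCHECK(obj_value->IsNumeric());

    ctype value = BackingStore::FromHandle(obj_value);

    DisallowHeapAllocation no_gc;
    BackingStore elements = BackingStore::cast(receiver->elements());

    // Ensure indexes are within array bounds. |start| is unsigned, so no lower
    // bound check is needed. |end| is bounded by the array's length and, as a
    // defense in depth, by the length of the store that is actually written:
    // a stale array length can then never turn the fill into an
    // out-of-bounds write.
    CHECK_LE(start, end);
    CHECK_LE(end, array->length_value());
    CHECK_LE(end, static_cast<uint32_t>(elements->length()));

    ctype* data = static_cast<ctype*>(elements->DataPtr());
    std::fill(data + start, data + end, value);
    return *array;
  }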

  // Searches indexes [start_from, length) of the typed array |receiver| for
  // |value| and returns true on a hit. Comparison is SameValueZero: unlike
  // IndexOfValueImpl, a NaN search value matches NaN elements in float arrays.
  // |start_from| is not clamped; if it is >= |length| the loops simply do not
  // run and the result is false.
  static Maybe<bool> IncludesValueImpl(Isolate* isolate,
                                       Handle<JSObject> receiver,
                                       Handle<Object> value,
                                       uint32_t start_from, uint32_t length) {
    DisallowHeapAllocation no_gc;

    // TODO(caitp): return Just(false) here when implementing strict throwing on
    // detached views.
    // Every read of a detached view yields undefined, so the only possible hit
    // is a search for undefined over a non-empty index range.
    if (WasDetached(*receiver)) {
      return Just(value->IsUndefined(isolate) && length > start_from);
    }

    BackingStore elements = BackingStore::cast(receiver->elements());
    // Indexes past the end of the store read as undefined; a search for
    // undefined therefore succeeds as soon as |length| exceeds the store.
    if (value->IsUndefined(isolate) &&
        length > static_cast<uint32_t>(elements->length())) {
      return Just(true);
    }
    ctype typed_search_value;
    // Prototype has no elements, and not searching for the hole --- limit
    // search to backing store length.
    if (static_cast<uint32_t>(elements->length()) < length) {
      length = elements->length();
    }

    if (Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS) {
      // BigInt stores only ever contain BigInts; a Number never matches, and
      // a BigInt that does not fit the element type losslessly cannot either.
      if (!value->IsBigInt()) return Just(false);
      bool lossless;
      typed_search_value = BackingStore::FromHandle(value, &lossless);
      if (!lossless) return Just(false);
    } else {
      if (!value->IsNumber()) return Just(false);
      double search_value = value->Number();
      if (!std::isfinite(search_value)) {
        // Integral types cannot represent +Inf or NaN.
        // NOTE(review): this relies on FLOAT32/FLOAT64 being adjacent in the
        // ElementsKind enum; LastIndexOfValueImpl uses std::is_integral<ctype>
        // for the same decision.
        if (Kind < FLOAT32_ELEMENTS || Kind > FLOAT64_ELEMENTS) {
          return Just(false);
        }
        if (std::isnan(search_value)) {
          // NaN != NaN, so it must be matched with isnan rather than ==.
          for (uint32_t k = start_from; k < length; ++k) {
            double element_k = elements->get_scalar(k);
            if (std::isnan(element_k)) return Just(true);
          }
          return Just(false);
        }
      } else if (search_value < std::numeric_limits<ctype>::lowest() ||
                 search_value > std::numeric_limits<ctype>::max()) {
        // Return false if value can't be represented in this space.
        return Just(false);
      }
      // In range, but e.g. 1.5 in an integer store or a double that does not
      // round-trip through float32 can still never equal a stored element.
      typed_search_value = static_cast<ctype>(search_value);
      if (static_cast<double>(typed_search_value) != search_value) {
        return Just(false);  // Loss of precision.
      }
    }

    for (uint32_t k = start_from; k < length; ++k) {
      ctype element_k = elements->get_scalar(k);
      if (element_k == typed_search_value) return Just(true);
    }
    return Just(false);
  }

  // Searches indexes [start_from, length) of the typed array |receiver| for
  // |value| and returns the first matching index, or -1. Comparison is strict
  // equality, so a NaN search value never matches (contrast IncludesValueImpl).
  // A detached view has no elements and yields -1 for any value.
  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> receiver,
                                         Handle<Object> value,
                                         uint32_t start_from, uint32_t length) {
    DisallowHeapAllocation no_gc;

    if (WasDetached(*receiver)) return Just<int64_t>(-1);

    BackingStore elements = BackingStore::cast(receiver->elements());
    ctype typed_search_value;

    if (Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS) {
      // BigInt stores only ever contain BigInts; a Number never matches, and
      // a BigInt that does not fit the element type losslessly cannot either.
      if (!value->IsBigInt()) return Just<int64_t>(-1);
      bool lossless;
      typed_search_value = BackingStore::FromHandle(value, &lossless);
      if (!lossless) return Just<int64_t>(-1);
    } else {
      if (!value->IsNumber()) return Just<int64_t>(-1);
      double search_value = value->Number();
      if (!std::isfinite(search_value)) {
        // Integral types cannot represent +Inf or NaN.
        // NOTE(review): this relies on FLOAT32/FLOAT64 being adjacent in the
        // ElementsKind enum; LastIndexOfValueImpl uses std::is_integral<ctype>
        // for the same decision.
        if (Kind < FLOAT32_ELEMENTS || Kind > FLOAT64_ELEMENTS) {
          return Just<int64_t>(-1);
        }
        if (std::isnan(search_value)) {
          // Strict equality of NaN is always false, so nothing can match.
          return Just<int64_t>(-1);
        }
      } else if (search_value < std::numeric_limits<ctype>::lowest() ||
                 search_value > std::numeric_limits<ctype>::max()) {
        // Return -1 if value can't be represented in this ElementsKind.
        return Just<int64_t>(-1);
      }
      // In range, but e.g. 1.5 in an integer store or a double that does not
      // round-trip through float32 can still never equal a stored element.
      typed_search_value = static_cast<ctype>(search_value);
      if (static_cast<double>(typed_search_value) != search_value) {
        return Just<int64_t>(-1);  // Loss of precision.
      }
    }

    // Prototype has no elements, and not searching for the hole --- limit
    // search to backing store length.
    if (static_cast<uint32_t>(elements->length()) < length) {
      length = elements->length();
    }

    for (uint32_t k = start_from; k < length; ++k) {
      ctype element_k = elements->get_scalar(k);
      if (element_k == typed_search_value) return Just<int64_t>(k);
    }
    return Just<int64_t>(-1);
  }

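  // Searches backwards from |start_from| (inclusive) down to index 0 for
  // |value| and returns the largest matching index, or -1. Uses the same
  // conversion rules as IndexOfValueImpl: a value that is not exactly
  // representable in |ctype| (or NaN, which never compares equal) matches
  // nothing. The receiver must be attached.
  // The caller is responsible for clamping |start_from| into the store. Since
  // the scan reads the raw backing store, that precondition is enforced with a
  // CHECK in every build mode instead of a debug-only DCHECK, so a caller bug
  // becomes a crash rather than an out-of-bounds read.
  static Maybe<int64_t> LastIndexOfValueImpl(Handle<JSObject> receiver,
                                             Handle<Object> value,
                                             uint32_t start_from) {
    DisallowHeapAllocation no_gc;
    DCHECK(!WasDetached(*receiver));

    BackingStore elements = BackingStore::cast(receiver->elements());
    ctype typed_search_value;

    if (Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS) {
      // BigInt stores only ever contain BigInts; a Number never matches, and
      // a BigInt that does not fit the element type losslessly cannot either.
      if (!value->IsBigInt()) return Just<int64_t>(-1);
      bool lossless;
      typed_search_value = BackingStore::FromHandle(value, &lossless);
      if (!lossless) return Just<int64_t>(-1);
    } else {
      if (!value->IsNumber()) return Just<int64_t>(-1);
      double search_value = value->Number();
      if (!std::isfinite(search_value)) {
        if (std::is_integral<ctype>::value) {
          // Integral types cannot represent +Inf or NaN.
          return Just<int64_t>(-1);
        } else if (std::isnan(search_value)) {
          // Strict Equality Comparison of NaN is always false.
          return Just<int64_t>(-1);
        }
      } else if (search_value < std::numeric_limits<ctype>::lowest() ||
                 search_value > std::numeric_limits<ctype>::max()) {
        // Return -1 if value can't be represented in this ElementsKind.
        return Just<int64_t>(-1);
      }
      // In range, but e.g. 1.5 in an integer store or a double that does not
      // round-trip through float32 can still never equal a stored element.
      typed_search_value = static_cast<ctype>(search_value);
      if (static_cast<double>(typed_search_value) != search_value) {
        return Just<int64_t>(-1);  // Loss of precision.
      }
    }

    // Fail fast instead of reading past the end of the raw backing store.
    CHECK_LT(start_from, static_cast<uint32_t>(elements->length()));

    uint32_t k = start_from;
    do {
      ctype element_k = elements->get_scalar(k);
      if (element_k == typed_search_value) return Just<int64_t>(k);
    } while (k-- != 0);  // index 0 is examined before the loop exits
    return Just<int64_t>(-1);
  }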

  // Reverses the elements of the (attached) typed array |receiver| in place by
  // operating directly on the raw backing-store memory.
  static void ReverseImpl(JSObject receiver) {
    DisallowHeapAllocation no_gc;
    DCHECK(!WasDetached(receiver));

    BackingStore store = BackingStore::cast(receiver->elements());
    const uint32_t count = store->length();
    if (count == 0) return;  // nothing to swap

    ctype* first = static_cast<ctype*>(store->DataPtr());
    ctype* last = first + count;
    std::reverse(first, last);
  }

  // Boxes the first |length| elements of the (attached) typed array |object|
  // into a freshly allocated FixedArray.
  // NOTE(review): |length| is trusted to be no larger than the backing store;
  // GetImpl does not range-check it here.
  static Handle<FixedArray> CreateListFromArrayLikeImpl(Isolate* isolate,
                                                        Handle<JSObject> object,
                                                        uint32_t length) {
    DCHECK(!WasDetached(*object));
    DCHECK(object->IsJSTypedArray());
    Handle<FixedArray> list = isolate->factory()->NewFixedArray(length);
    Handle<BackingStore> store(BackingStore::cast(object->elements()),
                               isolate);
    for (uint32_t index = 0; index < length; ++index) {
      // Box into a handle first: GetImpl may allocate, so |list| must only be
      // dereferenced afterwards.
      Handle<Object> element = AccessorClass::GetImpl(isolate, *store, index);
      list->set(index, *element);
    }
    return list;
  }

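  // Copies elements [start, end) of |source| to the front of |destination|,
  // converting between element types when they differ. |destination| must be
  // of this accessor's Kind and both views must be attached.
  // The copy walks raw backing-store memory through |source_data| and
  // |dest_data|, so the range preconditions are enforced with CHECKs in every
  // build mode rather than debug-only DCHECKs: a caller bug becomes a crash,
  // not an out-of-bounds read or write.
  static void CopyTypedArrayElementsSliceImpl(JSTypedArray source,
                                              JSTypedArray destination,
                                              size_t start, size_t end) {
    DisallowHeapAllocation no_gc;
    DCHECK_EQ(destination->GetElementsKind(), AccessorClass::kind());
    CHECK(!source->WasDetached());
    CHECK(!destination->WasDetached());
    CHECK_LE(start, end);
    CHECK_LE(end, source->length_value());

    size_t count = end - start;
    CHECK_LE(count, destination->length_value());

    FixedTypedArrayBase src_elements =
        FixedTypedArrayBase::cast(source->elements());
    BackingStore dest_elements = BackingStore::cast(destination->elements());

    size_t element_size = source->element_size();
    uint8_t* source_data =
        static_cast<uint8_t*>(src_elements->DataPtr()) + start * element_size;

    // Fast path for the same type result array
    if (source->type() == destination->type()) {
      uint8_t* dest_data = static_cast<uint8_t*>(dest_elements->DataPtr());

      // The spec defines the copy-step iteratively, which means that we
      // cannot use memcpy if the buffer is shared.
      uint8_t* end_ptr = source_data + count * element_size;
      while (source_data < end_ptr) {
        *dest_data++ = *source_data++;
      }
      return;
    }

    // Different element types: dispatch on the source kind and convert each
    // element individually into |dest_elements|, starting at index 0.
    switch (source->GetElementsKind()) {
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype)                           \
  case TYPE##_ELEMENTS:                                                     \
    CopyBetweenBackingStores<Type##ArrayTraits>(source_data, dest_elements, \
                                                count, 0);                  \
    break;
      TYPED_ARRAYS(TYPED_ARRAY_CASE)
#undef TYPED_ARRAY_CASE
      default:
        UNREACHABLE();
        break;
    }
  }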

  // True when elements of this instance type can be copied bit-for-bit into
  // another same-sized integer store (e.g. Uint8 <-> Int8). Floats and
  // clamped Uint8 need a real conversion step and are therefore excluded.
  static bool HasSimpleRepresentation(InstanceType type) {
    switch (type) {
      case FIXED_FLOAT32_ARRAY_TYPE:
      case FIXED_FLOAT64_ARRAY_TYPE:
      case FIXED_UINT8_CLAMPED_ARRAY_TYPE:
        return false;
      default:
        return true;
    }
  }

  // Converts |length| elements read from |source_data_ptr| (laid out as
  // FixedTypedArray<SourceTraits> elements) into |dest|, writing them at
  // indexes [offset, offset + length). No bounds are checked here; callers
  // guarantee the ranges.
  // NOTE(review): |length| is size_t but the counter is uint32_t; the caller
  // keeps lengths within uint32 range.
  template <typename SourceTraits>
  static void CopyBetweenBackingStores(void* source_data_ptr, BackingStore dest,
                                       size_t length, uint32_t offset) {
    DisallowHeapAllocation no_gc;
    typedef FixedTypedArray<SourceTraits> SourceArray;
    for (uint32_t i = 0; i < length; ++i) {
      // Scalar accessors avoid boxing/unboxing, so nothing here allocates.
      typename SourceTraits::ElementType elem =
          SourceArray::get_scalar_from_data_ptr(source_data_ptr, i);
      dest->set(offset + i, dest->from(elem));
    }
  }

  // Copies the first |length| elements of |source| into |destination| at
  // indexes [offset, offset + length), converting element types as needed.
  // Both views must be attached (CHECKed). Handles the two views sharing or
  // overlapping memory: the bitwise path uses memmove, the converting path
  // first clones the source bytes.
  // NOTE(review): the range preconditions below are DCHECKs only; the caller
  // (CopyElementsHandleImpl) is relied on to keep them true in release builds.
  static void CopyElementsFromTypedArray(JSTypedArray source,
                                         JSTypedArray destination,
                                         size_t length, uint32_t offset) {
    // The source is a typed array, so we know we don't need to do ToNumber
    // side-effects, as the source elements will always be a number.
    DisallowHeapAllocation no_gc;

    CHECK(!source->WasDetached());
    CHECK(!destination->WasDetached());

    FixedTypedArrayBase source_elements =
        FixedTypedArrayBase::cast(source->elements());
    BackingStore destination_elements =
        BackingStore::cast(destination->elements());

    DCHECK_LE(offset, destination->length_value());
    DCHECK_LE(length, destination->length_value() - offset);
    DCHECK(source->length()->IsSmi());
    DCHECK_LE(length, source->length_value());

    InstanceType source_type = source_elements->map()->instance_type();
    InstanceType destination_type =
        destination_elements->map()->instance_type();

    bool same_type = source_type == destination_type;
    bool same_size = source->element_size() == destination->element_size();
    bool both_are_simple = HasSimpleRepresentation(source_type) &&
                           HasSimpleRepresentation(destination_type);

    uint8_t* source_data = static_cast<uint8_t*>(source_elements->DataPtr());
    uint8_t* dest_data = static_cast<uint8_t*>(destination_elements->DataPtr());
    size_t source_byte_length = source->byte_length();
    size_t dest_byte_length = destination->byte_length();

    // We can simply copy the backing store if the types are the same, or if
    // we are converting e.g. Uint8 <-> Int8, as the binary representation
    // will be the same. This is not the case for floats or clamped Uint8,
    // which have special conversion operations.
    if (same_type || (same_size && both_are_simple)) {
      // memmove (not memcpy) so that overlapping views are copied correctly.
      size_t element_size = source->element_size();
      std::memmove(dest_data + offset * element_size, source_data,
                   length * element_size);
    } else {
      std::unique_ptr<uint8_t[]> cloned_source_elements;

      // If the typedarrays are overlapped, clone the source.
      // The element-wise conversion below would otherwise read source bytes
      // that earlier iterations have already overwritten. The clone is a plain
      // C++ heap buffer, so it does not conflict with |no_gc|.
      if (dest_data + dest_byte_length > source_data &&
          source_data + source_byte_length > dest_data) {
        cloned_source_elements.reset(new uint8_t[source_byte_length]);
        std::memcpy(cloned_source_elements.get(), source_data,
                    source_byte_length);
        source_data = cloned_source_elements.get();
      }

      // Dispatch on the source kind; the destination kind is fixed by this
      // accessor's BackingStore.
      switch (source->GetElementsKind()) {
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype)           \
  case TYPE##_ELEMENTS:                                     \
    CopyBetweenBackingStores<Type##ArrayTraits>(            \
        source_data, destination_elements, length, offset); \
    break;
        TYPED_ARRAYS(TYPED_ARRAY_CASE)
        default:
          UNREACHABLE();
          break;
      }
#undef TYPED_ARRAY_CASE
    }
  }

  // Decides whether a hole in |source| (a JSArray) could be observable through
  // its prototype chain. When this returns false, callers may treat holes as
  // undefined without a lookup; when true they must take the generic path,
  // because a prototype (or a proxy) could supply a value or run user code.
  // Runs with heap allocation and JS execution disallowed.
  static bool HoleyPrototypeLookupRequired(Isolate* isolate, Context context,
                                           JSArray source) {
    DisallowHeapAllocation no_gc;
    DisallowJavascriptExecution no_js(isolate);

#ifdef V8_ENABLE_FORCE_SLOW_PATH
    if (isolate->force_slow_path()) return true;
#endif

    Object proto = source->map()->prototype();

    // Null prototypes are OK - we don't need to do prototype chain lookups on
    // them.
    if (proto->IsNull(isolate)) return false;
    // A proxy can intercept any element lookup.
    if (proto->IsJSProxy()) return true;
    // Only the unmodified initial Array.prototype of this context is known to
    // contribute no elements ...
    bool has_initial_proto = context->native_context()->is_initial_array_prototype(
        JSObject::cast(proto));
    if (!has_initial_proto) return true;
    // ... and only for as long as the no-elements protector is still intact.
    return !isolate->IsNoElementsProtectorIntact(context);
  }

  // Attempts to copy the first |length| elements of the JSArray |source| into
  // |destination| at indexes [offset, offset + length) without allocating or
  // running JavaScript. Only Smi and double element kinds are handled, and
  // only when holes (if any) can safely be read as undefined. Returns false
  // without touching |destination| when the fast path does not apply, in
  // which case the caller must use the generic, side-effect-aware path.
  static bool TryCopyElementsFastNumber(Context context, JSArray source,
                                        JSTypedArray destination, size_t length,
                                        uint32_t offset) {
    // BigInt targets need BigInt conversion of every element; not done here.
    if (Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS) return false;
    Isolate* isolate = source->GetIsolate();
    DisallowHeapAllocation no_gc;
    DisallowJavascriptExecution no_js(isolate);

    CHECK(!destination->WasDetached());

    // NOTE(review): the source and destination range preconditions are
    // DCHECKs only; release builds rely on CopyElementsHandleImpl having
    // validated |length| and |offset|.
    size_t current_length;
    DCHECK(source->length()->IsNumber() &&
           TryNumberToSize(source->length(), &current_length) &&
           length <= current_length);
    USE(current_length);

    size_t dest_length = destination->length_value();
    DCHECK(length + offset <= dest_length);
    USE(dest_length);

    ElementsKind kind = source->GetElementsKind();
    BackingStore dest = BackingStore::cast(destination->elements());

    // When we find the hole, we normally have to look up the element on the
    // prototype chain, which is not handled here and we return false instead.
    // When the array has the original array prototype, and that prototype has
    // not been changed in a way that would affect lookups, we can just convert
    // the hole into undefined.
    if (HoleyPrototypeLookupRequired(isolate, context, source)) return false;

    Object undefined = ReadOnlyRoots(isolate).undefined_value();

    // Fastpath for packed Smi kind.
    if (kind == PACKED_SMI_ELEMENTS) {
      FixedArray source_store = FixedArray::cast(source->elements());

      for (uint32_t i = 0; i < length; i++) {
        Object elem = source_store->get(i);
        // A packed Smi array holds no holes by the elements-kind invariant.
        DCHECK(elem->IsSmi());
        int int_value = Smi::ToInt(elem);
        dest->set(offset + i, dest->from(int_value));
      }
      return true;
    } else if (kind == HOLEY_SMI_ELEMENTS) {
      FixedArray source_store = FixedArray::cast(source->elements());
      for (uint32_t i = 0; i < length; i++) {
        if (source_store->is_the_hole(isolate, i)) {
          // Safe because HoleyPrototypeLookupRequired returned false: the hole
          // reads as undefined, which SetValue converts for this store.
          dest->SetValue(offset + i, undefined);
        } else {
          Object elem = source_store->get(i);
          DCHECK(elem->IsSmi());
          int int_value = Smi::ToInt(elem);
          dest->set(offset + i, dest->from(int_value));
        }
      }
      return true;
    } else if (kind == PACKED_DOUBLE_ELEMENTS) {
      // Fastpath for packed double kind. We avoid boxing and then immediately
      // unboxing the double here by using get_scalar.
      FixedDoubleArray source_store =
          FixedDoubleArray::cast(source->elements());

      for (uint32_t i = 0; i < length; i++) {
        // Use the from_double conversion for this specific TypedArray type,
        // rather than relying on C++ to convert elem.
        double elem = source_store->get_scalar(i);
        dest->set(offset + i, dest->from(elem));
      }
      return true;
    } else if (kind == HOLEY_DOUBLE_ELEMENTS) {
      FixedDoubleArray source_store =
          FixedDoubleArray::cast(source->elements());
      for (uint32_t i = 0; i < length; i++) {
        if (source_store->is_the_hole(i)) {
          // As above: a hole is undefined once the prototype check passed.
          dest->SetValue(offset + i, undefined);
        } else {
          double elem = source_store->get_scalar(i);
          dest->set(offset + i, dest->from(elem));
        }
      }
      return true;
    }
    // Object/dictionary element kinds may hold anything; let the slow path
    // perform the ToNumber conversions.
    return false;
  }

  // Generic copy of |length| elements from the arbitrary JS object |source|
  // into |destination| at [offset, offset + length). Each element goes through
  // a full property lookup and ToNumber / BigInt conversion, either of which
  // may run user code. Returns undefined, or an exception sentinel after a
  // pending exception.
  static Object CopyElementsHandleSlow(Handle<Object> source,
                                       Handle<JSTypedArray> destination,
                                       size_t length, uint32_t offset) {
    Isolate* isolate = destination->GetIsolate();
    Handle<BackingStore> dest_elements(
        BackingStore::cast(destination->elements()), isolate);
    const bool to_bigint =
        Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS;
    for (uint32_t index = 0; index < length; index++) {
      LookupIterator lookup(isolate, source, index);
      Handle<Object> element;
      ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, element,
                                         Object::GetProperty(&lookup));
      if (to_bigint) {
        ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
            isolate, element, BigInt::FromObject(isolate, element));
      } else {
        ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, element,
                                           Object::ToNumber(isolate, element));
      }

      // The getter or conversion above may have run user code that detached
      // the destination; writing through |dest_elements| would then touch
      // freed memory, so throw instead.
      if (V8_UNLIKELY(destination->WasDetached())) {
        Handle<String> operation =
            isolate->factory()->NewStringFromAsciiChecked("set");
        THROW_NEW_ERROR_RETURN_FAILURE(
            isolate,
            NewTypeError(MessageTemplate::kDetachedOperation, operation));
      }
      // The spec says we store the length, then get each element, so we don't
      // need to check changes to length.
      dest_elements->SetValue(offset + index, *element);
    }
    return *isolate->factory()->undefined_value();
  }

  // Copies |length| elements of |source| (any JS value) into the typed array
  // |destination| at [offset, offset + length), picking the cheapest safe
  // strategy: a direct typed-array-to-typed-array copy, a non-allocating
  // JSArray fast path, or the generic slow path. Returns undefined, or an
  // exception sentinel after a pending exception.
  // This doesn't guarantee that the destination array will be completely
  // filled. The caller must do this by passing a source with equal length, if
  // that is required.
  // NOTE(review): the range check on |offset + length| is a DCHECK only; the
  // detached check is a CHECK because every path below writes to the store.
  static Object CopyElementsHandleImpl(Handle<Object> source,
                                       Handle<JSObject> destination,
                                       size_t length, uint32_t offset) {
    Isolate* isolate = destination->GetIsolate();
    Handle<JSTypedArray> destination_ta =
        Handle<JSTypedArray>::cast(destination);
    DCHECK_LE(offset + length, destination_ta->length_value());
    CHECK(!destination_ta->WasDetached());

    if (length == 0) return *isolate->factory()->undefined_value();

    // All conversions from TypedArrays can be done without allocation.
    if (source->IsJSTypedArray()) {
      Handle<JSTypedArray> source_ta = Handle<JSTypedArray>::cast(source);
      ElementsKind source_kind = source_ta->GetElementsKind();
      bool source_is_bigint =
          source_kind == BIGINT64_ELEMENTS || source_kind == BIGUINT64_ELEMENTS;
      bool target_is_bigint =
          Kind == BIGINT64_ELEMENTS || Kind == BIGUINT64_ELEMENTS;
      // Mixing BigInt and Number stores is a TypeError in either direction.
      if (target_is_bigint) {
        if (V8_UNLIKELY(!source_is_bigint)) {
          Handle<Object> first =
              JSReceiver::GetElement(isolate, source_ta, 0).ToHandleChecked();
          THROW_NEW_ERROR_RETURN_FAILURE(
              isolate, NewTypeError(MessageTemplate::kBigIntFromObject, first));
        }
      } else {
        if (V8_UNLIKELY(source_is_bigint)) {
          THROW_NEW_ERROR_RETURN_FAILURE(
              isolate, NewTypeError(MessageTemplate::kBigIntToNumber));
        }
      }
      // If we have to copy more elements than we have in the source, we need to
      // do special handling and conversion; that happens in the slow case.
      // NOTE(review): the condition adds |offset| (a destination index) to the
      // source-side bound, which looks stricter than CopyElementsFromTypedArray
      // needs (it only requires length <= source length); that only costs a
      // trip through the slow path, never correctness.
      if (!source_ta->WasDetached() &&
          length + offset <= source_ta->length_value()) {
        CopyElementsFromTypedArray(*source_ta, *destination_ta, length, offset);
        return *isolate->factory()->undefined_value();
      }
    }

    // Fast cases for packed numbers kinds where we don't need to allocate.
    if (source->IsJSArray()) {
      Handle<JSArray> source_js_array = Handle<JSArray>::cast(source);
      size_t current_length;
      if (source_js_array->length()->IsNumber() &&
          TryNumberToSize(source_js_array->length(), &current_length)) {
        if (length <= current_length) {
          Handle<JSArray> source_array = Handle<JSArray>::cast(source);
          if (TryCopyElementsFastNumber(isolate->context(), *source_array,
                                        *destination_ta, length, offset)) {
            return *isolate->factory()->undefined_value();
          }
        }
      }
    }
    // Final generic case that handles prototype chain lookups, getters, proxies
    // and observable side effects via valueOf, etc.
    return CopyElementsHandleSlow(source, destination_ta, length, offset);
  }
};

// Instantiates one TypedElementsAccessor per typed array element kind listed
// in TYPED_ARRAYS, naming it Fixed<Type>ElementsAccessor (for example
// FixedUint8ElementsAccessor).
#define FIXED_ELEMENTS_ACCESSOR(Type, type, TYPE, ctype) \
  typedef TypedElementsAccessor<TYPE##_ELEMENTS, ctype>  \
      Fixed##Type##ElementsAccessor;

TYPED_ARRAYS(FIXED_ELEMENTS_ACCESSOR)
#undef FIXED_ELEMENTS_ACCESSOR

template <typename Subclass, typename ArgumentsAccessor, typename KindTraits>
class SloppyArgumentsElementsAccessor
3508
    : public ElementsAccessorBase<Subclass, KindTraits> {
3509 3510
 public:
  explicit SloppyArgumentsElementsAccessor(const char* name)
3511
      : ElementsAccessorBase<Subclass, KindTraits>(name) {
3512 3513
    USE(KindTraits::Kind);
  }
3514

3515
  static void ConvertArgumentsStoreResult(
3516
      Handle<SloppyArgumentsElements> elements, Handle<Object> result) {
3517 3518 3519
    UNREACHABLE();
  }

3520
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase parameters,
3521
                                uint32_t entry) {
3522 3523 3524
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(parameters), isolate);
    uint32_t length = elements->parameter_map_length();
3525
    if (entry < length) {
3526
      // Read context mapped entry.
3527
      DisallowHeapAllocation no_gc;
3528
      Object probe = elements->get_mapped_entry(entry);
3529
      DCHECK(!probe->IsTheHole(isolate));
3530
      Context context = elements->context();
jgruber's avatar
jgruber committed
3531
      int context_entry = Smi::ToInt(probe);
3532
      DCHECK(!context->get(context_entry)->IsTheHole(isolate));
3533
      return handle(context->get(context_entry), isolate);
3534
    } else {
3535
      // Entry is not context mapped, defer to the arguments.
3536
      Handle<Object> result = ArgumentsAccessor::GetImpl(
3537 3538
          isolate, elements->arguments(), entry - length);
      return Subclass::ConvertArgumentsStoreResult(isolate, elements, result);
3539 3540
    }
  }
3541

3542 3543 3544 3545 3546
  static void TransitionElementsKindImpl(Handle<JSObject> object,
                                         Handle<Map> map) {
    UNREACHABLE();
  }

3547 3548
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
3549
    UNREACHABLE();
3550 3551
  }

3552
  static inline void SetImpl(Handle<JSObject> holder, uint32_t entry,
3553
                             Object value) {
3554 3555 3556
    SetImpl(holder->elements(), entry, value);
  }

3557
  static inline void SetImpl(FixedArrayBase store, uint32_t entry,
3558
                             Object value) {
3559
    SloppyArgumentsElements elements = SloppyArgumentsElements::cast(store);
3560
    uint32_t length = elements->parameter_map_length();
3561
    if (entry < length) {
3562 3563
      // Store context mapped entry.
      DisallowHeapAllocation no_gc;
3564
      Object probe = elements->get_mapped_entry(entry);
3565
      DCHECK(!probe->IsTheHole());
3566
      Context context = elements->context();
jgruber's avatar
jgruber committed
3567
      int context_entry = Smi::ToInt(probe);
3568
      DCHECK(!context->get(context_entry)->IsTheHole());
3569
      context->set(context_entry, value);
3570
    } else {
3571
      //  Entry is not context mapped defer to arguments.
3572
      FixedArray arguments = elements->arguments();
3573
      Object current = ArgumentsAccessor::GetRaw(arguments, entry - length);
3574
      if (current->IsAliasedArgumentsEntry()) {
3575
        AliasedArgumentsEntry alias = AliasedArgumentsEntry::cast(current);
3576
        Context context = elements->context();
3577
        int context_entry = alias->aliased_context_slot();
3578
        DCHECK(!context->get(context_entry)->IsTheHole());
3579 3580 3581 3582
        context->set(context_entry, value);
      } else {
        ArgumentsAccessor::SetImpl(arguments, entry - length, value);
      }
3583 3584 3585
    }
  }

3586 3587
  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
                            uint32_t length,
3588 3589 3590
                            Handle<FixedArrayBase> parameter_map) {
    // Sloppy arguments objects are not arrays.
    UNREACHABLE();
3591 3592
  }

3593
  static uint32_t GetCapacityImpl(JSObject holder, FixedArrayBase store) {
3594
    SloppyArgumentsElements elements = SloppyArgumentsElements::cast(store);
3595
    FixedArray arguments = elements->arguments();
3596
    return elements->parameter_map_length() +
3597
           ArgumentsAccessor::GetCapacityImpl(holder, arguments);
3598 3599
  }

3600
  static uint32_t GetMaxNumberOfEntries(JSObject holder,
3601
                                        FixedArrayBase backing_store) {
3602
    SloppyArgumentsElements elements =
3603
        SloppyArgumentsElements::cast(backing_store);
3604
    FixedArrayBase arguments = elements->arguments();
3605
    return elements->parameter_map_length() +
3606 3607 3608
           ArgumentsAccessor::GetMaxNumberOfEntries(holder, arguments);
  }

3609
  static uint32_t NumberOfElementsImpl(JSObject receiver,
3610
                                       FixedArrayBase backing_store) {
3611
    Isolate* isolate = receiver->GetIsolate();
3612
    SloppyArgumentsElements elements =
3613
        SloppyArgumentsElements::cast(backing_store);
3614
    FixedArrayBase arguments = elements->arguments();
3615
    uint32_t nof_elements = 0;
3616
    uint32_t length = elements->parameter_map_length();
3617
    for (uint32_t entry = 0; entry < length; entry++) {
3618
      if (HasParameterMapArg(isolate, elements, entry)) nof_elements++;
3619 3620 3621 3622 3623
    }
    return nof_elements +
           ArgumentsAccessor::NumberOfElementsImpl(receiver, arguments);
  }

3624 3625 3626
  static void AddElementsToKeyAccumulatorImpl(Handle<JSObject> receiver,
                                              KeyAccumulator* accumulator,
                                              AddKeyConversion convert) {
3627 3628 3629
    Isolate* isolate = accumulator->isolate();
    Handle<FixedArrayBase> elements(receiver->elements(), isolate);
    uint32_t length = GetCapacityImpl(*receiver, *elements);
3630
    for (uint32_t entry = 0; entry < length; entry++) {
3631
      if (!HasEntryImpl(isolate, *elements, entry)) continue;
3632
      Handle<Object> value = GetImpl(isolate, *elements, entry);
3633 3634 3635 3636
      accumulator->AddKey(value, convert);
    }
  }

3637
  static bool HasEntryImpl(Isolate* isolate, FixedArrayBase parameters,
3638
                           uint32_t entry) {
3639
    SloppyArgumentsElements elements =
3640 3641
        SloppyArgumentsElements::cast(parameters);
    uint32_t length = elements->parameter_map_length();
3642
    if (entry < length) {
3643
      return HasParameterMapArg(isolate, elements, entry);
3644
    }
3645
    FixedArrayBase arguments = elements->arguments();
3646
    return ArgumentsAccessor::HasEntryImpl(isolate, arguments, entry - length);
3647 3648
  }

3649
  static bool HasAccessorsImpl(JSObject holder, FixedArrayBase backing_store) {
3650
    SloppyArgumentsElements elements =
3651
        SloppyArgumentsElements::cast(backing_store);
3652
    FixedArray arguments = elements->arguments();
3653 3654 3655
    return ArgumentsAccessor::HasAccessorsImpl(holder, arguments);
  }

3656
  static uint32_t GetIndexForEntryImpl(FixedArrayBase parameters,
3657
                                       uint32_t entry) {
3658
    SloppyArgumentsElements elements =
3659 3660
        SloppyArgumentsElements::cast(parameters);
    uint32_t length = elements->parameter_map_length();
3661
    if (entry < length) return entry;
3662
    FixedArray arguments = elements->arguments();
3663
    return ArgumentsAccessor::GetIndexForEntryImpl(arguments, entry - length);
3664 3665
  }

3666
  static uint32_t GetEntryForIndexImpl(Isolate* isolate, JSObject holder,
3667
                                       FixedArrayBase parameters,
3668
                                       uint32_t index, PropertyFilter filter) {
3669
    SloppyArgumentsElements elements =
3670 3671
        SloppyArgumentsElements::cast(parameters);
    if (HasParameterMapArg(isolate, elements, index)) return index;
3672
    FixedArray arguments = elements->arguments();
3673 3674
    uint32_t entry = ArgumentsAccessor::GetEntryForIndexImpl(
        isolate, holder, arguments, index, filter);
3675
    if (entry == kMaxUInt32) return kMaxUInt32;
3676 3677
    // Arguments entries could overlap with the dictionary entries, hence offset
    // them by the number of context mapped entries.
3678
    return elements->parameter_map_length() + entry;
3679 3680
  }

3681
  static PropertyDetails GetDetailsImpl(JSObject holder, uint32_t entry) {
3682
    SloppyArgumentsElements elements =
3683 3684
        SloppyArgumentsElements::cast(holder->elements());
    uint32_t length = elements->parameter_map_length();
3685
    if (entry < length) {
3686
      return PropertyDetails(kData, NONE, PropertyCellType::kNoCell);
3687
    }
3688
    FixedArray arguments = elements->arguments();
3689
    return ArgumentsAccessor::GetDetailsImpl(arguments, entry - length);
3690
  }
3691

3692
  static bool HasParameterMapArg(Isolate* isolate,
3693
                                 SloppyArgumentsElements elements,
3694 3695
                                 uint32_t index) {
    uint32_t length = elements->parameter_map_length();
3696
    if (index >= length) return false;
3697
    return !elements->get_mapped_entry(index)->IsTheHole(isolate);
3698
  }
3699

3700
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
3701
    Handle<SloppyArgumentsElements> elements(
3702
        SloppyArgumentsElements::cast(obj->elements()), obj->GetIsolate());
3703
    uint32_t length = elements->parameter_map_length();
3704 3705 3706 3707 3708 3709 3710
    uint32_t delete_or_entry = entry;
    if (entry < length) {
      delete_or_entry = kMaxUInt32;
    }
    Subclass::SloppyDeleteImpl(obj, elements, delete_or_entry);
    // SloppyDeleteImpl allocates a new dictionary elements store. For making
    // heap verification happy we postpone clearing out the mapped entry.
3711
    if (entry < length) {
3712 3713
      elements->set_mapped_entry(entry,
                                 obj->GetReadOnlyRoots().the_hole_value());
3714 3715
    }
  }
3716

3717 3718 3719 3720 3721 3722 3723
  static void SloppyDeleteImpl(Handle<JSObject> obj,
                               Handle<SloppyArgumentsElements> elements,
                               uint32_t entry) {
    // Implemented in subclasses.
    UNREACHABLE();
  }

3724 3725
  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
3726
                                        KeyAccumulator* keys) {
3727 3728 3729 3730 3731
    Isolate* isolate = keys->isolate();
    uint32_t nof_indices = 0;
    Handle<FixedArray> indices = isolate->factory()->NewFixedArray(
        GetCapacityImpl(*object, *backing_store));
    DirectCollectElementIndicesImpl(isolate, object, backing_store,
3732 3733
                                    GetKeysConversion::kKeepNumbers,
                                    ENUMERABLE_STRINGS, indices, &nof_indices);
3734
    SortIndices(isolate, indices, nof_indices);
3735 3736
    for (uint32_t i = 0; i < nof_indices; i++) {
      keys->AddKey(indices->get(i));
3737 3738 3739 3740 3741 3742 3743 3744
    }
  }

  static Handle<FixedArray> DirectCollectElementIndicesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArrayBase> backing_store, GetKeysConversion convert,
      PropertyFilter filter, Handle<FixedArray> list, uint32_t* nof_indices,
      uint32_t insertion_index = 0) {
3745 3746 3747
    Handle<SloppyArgumentsElements> elements =
        Handle<SloppyArgumentsElements>::cast(backing_store);
    uint32_t length = elements->parameter_map_length();
3748 3749

    for (uint32_t i = 0; i < length; ++i) {
3750
      if (elements->get_mapped_entry(i)->IsTheHole(isolate)) continue;
3751
      if (convert == GetKeysConversion::kConvertToString) {
3752 3753 3754 3755 3756 3757 3758 3759
        Handle<String> index_string = isolate->factory()->Uint32ToString(i);
        list->set(insertion_index, *index_string);
      } else {
        list->set(insertion_index, Smi::FromInt(i), SKIP_WRITE_BARRIER);
      }
      insertion_index++;
    }

3760
    Handle<FixedArray> store(elements->arguments(), isolate);
3761 3762 3763 3764
    return ArgumentsAccessor::DirectCollectElementIndicesImpl(
        isolate, object, store, convert, filter, list, nof_indices,
        insertion_index);
  }
3765 3766 3767 3768 3769 3770

  static Maybe<bool> IncludesValueImpl(Isolate* isolate,
                                       Handle<JSObject> object,
                                       Handle<Object> value,
                                       uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
3771
    Handle<Map> original_map(object->map(), isolate);
3772 3773
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
3774 3775 3776
    bool search_for_hole = value->IsUndefined(isolate);

    for (uint32_t k = start_from; k < length; ++k) {
3777
      DCHECK_EQ(object->map(), *original_map);
3778 3779
      uint32_t entry =
          GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
3780 3781 3782 3783 3784
      if (entry == kMaxUInt32) {
        if (search_for_hole) return Just(true);
        continue;
      }

3785
      Handle<Object> element_k = Subclass::GetImpl(isolate, *elements, entry);
3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806

      if (element_k->IsAccessorPair()) {
        LookupIterator it(isolate, object, k, LookupIterator::OWN);
        DCHECK(it.IsFound());
        DCHECK_EQ(it.state(), LookupIterator::ACCESSOR);
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, element_k,
                                         Object::GetPropertyWithAccessor(&it),
                                         Nothing<bool>());

        if (value->SameValueZero(*element_k)) return Just(true);

        if (object->map() != *original_map) {
          // Some mutation occurred in accessor. Abort "fast" path
          return IncludesValueSlowPath(isolate, object, value, k + 1, length);
        }
      } else if (value->SameValueZero(*element_k)) {
        return Just(true);
      }
    }
    return Just(false);
  }
3807 3808 3809 3810 3811 3812

  static Maybe<int64_t> IndexOfValueImpl(Isolate* isolate,
                                         Handle<JSObject> object,
                                         Handle<Object> value,
                                         uint32_t start_from, uint32_t length) {
    DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
3813
    Handle<Map> original_map(object->map(), isolate);
3814 3815
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
3816 3817

    for (uint32_t k = start_from; k < length; ++k) {
3818
      DCHECK_EQ(object->map(), *original_map);
3819 3820
      uint32_t entry =
          GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
3821 3822 3823 3824
      if (entry == kMaxUInt32) {
        continue;
      }

3825
      Handle<Object> element_k = Subclass::GetImpl(isolate, *elements, entry);
3826 3827 3828 3829 3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 3845 3846 3847 3848

      if (element_k->IsAccessorPair()) {
        LookupIterator it(isolate, object, k, LookupIterator::OWN);
        DCHECK(it.IsFound());
        DCHECK_EQ(it.state(), LookupIterator::ACCESSOR);
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, element_k,
                                         Object::GetPropertyWithAccessor(&it),
                                         Nothing<int64_t>());

        if (value->StrictEquals(*element_k)) {
          return Just<int64_t>(k);
        }

        if (object->map() != *original_map) {
          // Some mutation occurred in accessor. Abort "fast" path.
          return IndexOfValueSlowPath(isolate, object, value, k + 1, length);
        }
      } else if (value->StrictEquals(*element_k)) {
        return Just<int64_t>(k);
      }
    }
    return Just<int64_t>(-1);
  }
3849 3850 3851 3852 3853 3854 3855 3856

  static Handle<JSObject> SliceImpl(Handle<JSObject> receiver, uint32_t start,
                                    uint32_t end) {
    Isolate* isolate = receiver->GetIsolate();
    uint32_t result_len = end < start ? 0u : end - start;
    Handle<JSArray> result_array =
        isolate->factory()->NewJSArray(HOLEY_ELEMENTS, result_len, result_len);
    DisallowHeapAllocation no_gc;
3857 3858
    FixedArray elements = FixedArray::cast(result_array->elements());
    FixedArray parameters = FixedArray::cast(receiver->elements());
3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871
    uint32_t insertion_index = 0;
    for (uint32_t i = start; i < end; i++) {
      uint32_t entry = GetEntryForIndexImpl(isolate, *receiver, parameters, i,
                                            ALL_PROPERTIES);
      if (entry != kMaxUInt32 && HasEntryImpl(isolate, parameters, entry)) {
        elements->set(insertion_index, *GetImpl(isolate, parameters, entry));
      } else {
        elements->set_the_hole(isolate, insertion_index);
      }
      insertion_index++;
    }
    return result_array;
  }
3872 3873 3874
};


// Sloppy arguments whose arguments store is a NumberDictionary
// (SLOW_SLOPPY_ARGUMENTS_ELEMENTS). In this mode a formerly context mapped
// element that was reconfigured can be kept in sync with its context slot
// through an AliasedArgumentsEntry stored in the dictionary ("slow
// aliasing"); ConvertArgumentsStoreResult resolves such aliases on read.
class SlowSloppyArgumentsElementsAccessor
    : public SloppyArgumentsElementsAccessor<
          SlowSloppyArgumentsElementsAccessor, DictionaryElementsAccessor,
          ElementsKindTraits<SLOW_SLOPPY_ARGUMENTS_ELEMENTS> > {
 public:
  explicit SlowSloppyArgumentsElementsAccessor(const char* name)
      : SloppyArgumentsElementsAccessor<
            SlowSloppyArgumentsElementsAccessor, DictionaryElementsAccessor,
            ElementsKindTraits<SLOW_SLOPPY_ARGUMENTS_ELEMENTS> >(name) {}

  // Post-processes a value read from the dictionary: an AliasedArgumentsEntry
  // is dereferenced to the current value of its context slot, anything else
  // is returned unchanged.
  static Handle<Object> ConvertArgumentsStoreResult(
      Isolate* isolate, Handle<SloppyArgumentsElements> elements,
      Handle<Object> result) {
    // Elements of the arguments object in slow mode might be slow aliases.
    if (result->IsAliasedArgumentsEntry()) {
      DisallowHeapAllocation no_gc;
      AliasedArgumentsEntry alias = AliasedArgumentsEntry::cast(*result);
      Context context = elements->context();
      int context_entry = alias->aliased_context_slot();
      DCHECK(!context->get(context_entry)->IsTheHole(isolate));
      return handle(context->get(context_entry), isolate);
    }
    return result;
  }
  // Removes |entry| from the dictionary (entries are offset by the mapped
  // slot count, see the base class). kMaxUInt32 means "context mapped", in
  // which case the base class clears the mapped slot itself.
  static void SloppyDeleteImpl(Handle<JSObject> obj,
                               Handle<SloppyArgumentsElements> elements,
                               uint32_t entry) {
    // No need to delete a context mapped entry from the arguments elements.
    if (entry == kMaxUInt32) return;
    Isolate* isolate = obj->GetIsolate();
    Handle<NumberDictionary> dict(NumberDictionary::cast(elements->arguments()),
                                  isolate);
    int length = elements->parameter_map_length();
    // DeleteEntry may hand back a (shrunk) replacement dictionary.
    dict = NumberDictionary::DeleteEntry(isolate, dict, entry - length);
    elements->set_arguments(*dict);
  }
  // Adds element |index| with |attributes|. If the arguments store is not yet
  // a dictionary the whole object is normalized first. |new_capacity| is
  // unused: dictionaries grow on their own.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    Isolate* isolate = object->GetIsolate();
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
    Handle<FixedArrayBase> old_arguments(
        FixedArrayBase::cast(elements->arguments()), isolate);
    Handle<NumberDictionary> dictionary =
        old_arguments->IsNumberDictionary()
            ? Handle<NumberDictionary>::cast(old_arguments)
            : JSObject::NormalizeElements(object);
    PropertyDetails details(kData, attributes, PropertyCellType::kNoCell);
    Handle<NumberDictionary> new_dictionary =
        NumberDictionary::Add(isolate, dictionary, index, value, details);
    // Non-default attributes pin the object to slow elements.
    if (attributes != NONE) object->RequireSlowElements(*new_dictionary);
    // Add may have reallocated the dictionary; only then re-point the store.
    if (*dictionary != *new_dictionary) {
      elements->set_arguments(*new_dictionary);
    }
  }

  // Changes value and attributes of an existing element. For a context
  // mapped entry this ends fast aliasing: the mapped slot is holed and the
  // element moves into the dictionary, either as a plain value (read-only)
  // or as an AliasedArgumentsEntry that keeps following the context slot.
  // Non-mapped entries are delegated to the dictionary accessor.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    Isolate* isolate = object->GetIsolate();
    Handle<SloppyArgumentsElements> elements =
        Handle<SloppyArgumentsElements>::cast(store);
    uint32_t length = elements->parameter_map_length();
    if (entry < length) {
      // |probe| and |context| are raw and are not used past the allocation
      // below; only the plain int |context_entry| survives.
      Object probe = elements->get_mapped_entry(entry);
      DCHECK(!probe->IsTheHole(isolate));
      Context context = elements->context();
      int context_entry = Smi::ToInt(probe);
      DCHECK(!context->get(context_entry)->IsTheHole(isolate));
      context->set(context_entry, *value);

      // Redefining attributes of an aliased element destroys fast aliasing.
      elements->set_mapped_entry(entry,
                                 ReadOnlyRoots(isolate).the_hole_value());
      // For elements that are still writable we re-establish slow aliasing.
      if ((attributes & READ_ONLY) == 0) {
        value = isolate->factory()->NewAliasedArgumentsEntry(context_entry);
      }

      PropertyDetails details(kData, attributes, PropertyCellType::kNoCell);
      Handle<NumberDictionary> arguments(
          NumberDictionary::cast(elements->arguments()), isolate);
      // |entry| is used as the dictionary key here because for mapped slots
      // entry == index (see GetIndexForEntryImpl in the base class).
      arguments =
          NumberDictionary::Add(isolate, arguments, entry, value, details);
      // If the attributes were NONE, we would have called set rather than
      // reconfigure.
      DCHECK_NE(NONE, attributes);
      object->RequireSlowElements(*arguments);
      elements->set_arguments(*arguments);
    } else {
      Handle<FixedArrayBase> arguments(elements->arguments(), isolate);
      DictionaryElementsAccessor::ReconfigureImpl(
          object, arguments, entry - length, value, attributes);
    }
  }
};


// Sloppy arguments whose arguments store is a plain holey FixedArray
// (FAST_SLOPPY_ARGUMENTS_ELEMENTS). Any operation that the fast layout
// cannot express (delete, reconfigure) normalizes the object to the slow
// variant and then reuses SlowSloppyArgumentsElementsAccessor.
class FastSloppyArgumentsElementsAccessor
    : public SloppyArgumentsElementsAccessor<
          FastSloppyArgumentsElementsAccessor, FastHoleyObjectElementsAccessor,
          ElementsKindTraits<FAST_SLOPPY_ARGUMENTS_ELEMENTS> > {
 public:
  explicit FastSloppyArgumentsElementsAccessor(const char* name)
      : SloppyArgumentsElementsAccessor<
            FastSloppyArgumentsElementsAccessor,
            FastHoleyObjectElementsAccessor,
            ElementsKindTraits<FAST_SLOPPY_ARGUMENTS_ELEMENTS> >(name) {}

  // Fast mode never stores aliases in the arguments array, so the value is
  // returned as is. (The second parameter's name is misspelled; it is unused.)
  static Handle<Object> ConvertArgumentsStoreResult(
      Isolate* isolate, Handle<SloppyArgumentsElements> paramtere_map,
      Handle<Object> result) {
    DCHECK(!result->IsAliasedArgumentsEntry());
    return result;
  }

  // Returns a handle to the nested arguments FixedArray of |store|.
  static Handle<FixedArray> GetArguments(Isolate* isolate,
                                         FixedArrayBase store) {
    SloppyArgumentsElements elements = SloppyArgumentsElements::cast(store);
    return Handle<FixedArray>(elements->arguments(), isolate);
  }

  // Builds a NumberDictionary from the nested arguments array (not from the
  // SloppyArgumentsElements wrapper itself).
  static Handle<NumberDictionary> NormalizeImpl(
      Handle<JSObject> object, Handle<FixedArrayBase> elements) {
    Handle<FixedArray> arguments =
        GetArguments(object->GetIsolate(), *elements);
    return FastHoleyObjectElementsAccessor::NormalizeImpl(object, arguments);
  }

  // Migrates |object| to SLOW_SLOPPY_ARGUMENTS_ELEMENTS, replacing the
  // arguments array with a dictionary, and translates |*entry| (a fast
  // entry) into the corresponding slow entry so the caller can continue with
  // the slow accessor. Mapped entries (below parameter_map_length) keep
  // their number.
  // NOTE(review): assumes the element is present in the new dictionary, i.e.
  // FindEntry does not return a not-found sentinel here; confirm.
  static Handle<NumberDictionary> NormalizeArgumentsElements(
      Handle<JSObject> object, Handle<SloppyArgumentsElements> elements,
      uint32_t* entry) {
    Handle<NumberDictionary> dictionary = JSObject::NormalizeElements(object);
    elements->set_arguments(*dictionary);
    // kMaxUInt32 indicates that a context mapped element got deleted. In this
    // case we only normalize the elements (aka. migrate to SLOW_SLOPPY).
    if (*entry == kMaxUInt32) return dictionary;
    uint32_t length = elements->parameter_map_length();
    if (*entry >= length) {
      *entry =
          dictionary->FindEntry(object->GetIsolate(), *entry - length) + length;
    }
    return dictionary;
  }

  // Deleting is not supported on the fast layout: normalize, then delete
  // through the slow accessor.
  static void SloppyDeleteImpl(Handle<JSObject> obj,
                               Handle<SloppyArgumentsElements> elements,
                               uint32_t entry) {
    // Always normalize element on deleting an entry.
    NormalizeArgumentsElements(obj, elements, &entry);
    SlowSloppyArgumentsElementsAccessor::SloppyDeleteImpl(obj, elements, entry);
  }

  // Adds a plain (attributes == NONE) element at |index|, growing or
  // re-converting the arguments array first when it is too small or has
  // meanwhile become a dictionary.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    DCHECK_EQ(NONE, attributes);
    Isolate* isolate = object->GetIsolate();
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
    Handle<FixedArray> old_arguments(elements->arguments(), isolate);
    if (old_arguments->IsNumberDictionary() ||
        static_cast<uint32_t>(old_arguments->length()) < new_capacity) {
      GrowCapacityAndConvertImpl(object, new_capacity);
    }
    // Re-read after the possible reallocation above; |old_arguments| may be
    // stale now.
    FixedArray arguments = elements->arguments();
    // For fast holey objects, the entry equals the index. The code above made
    // sure that there's enough space to store the value. We cannot convert
    // index to entry explicitly since the slot still contains the hole, so the
    // current EntryForIndex would indicate that it is "absent" by returning
    // kMaxUInt32.
    FastHoleyObjectElementsAccessor::SetImpl(arguments, index, *value);
  }

  // Reconfiguring is not supported on the fast layout: normalize (which also
  // remaps |entry|), then delegate to the slow accessor. |store| stays valid
  // because normalization only swaps the nested arguments store.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    DCHECK_EQ(object->elements(), *store);
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(*store), object->GetIsolate());
    NormalizeArgumentsElements(object, elements, &entry);
    SlowSloppyArgumentsElementsAccessor::ReconfigureImpl(object, store, entry,
                                                         value, attributes);
  }

  // Copies |copy_size| elements of a (fast or slow) sloppy arguments store
  // into a holey object array |to|. |packed_size| is unused here.
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
    DCHECK(!to->IsDictionary());
    if (from_kind == SLOW_SLOPPY_ARGUMENTS_ELEMENTS) {
      CopyDictionaryToObjectElements(isolate, from, from_start, to,
                                     HOLEY_ELEMENTS, to_start, copy_size);
    } else {
      DCHECK_EQ(FAST_SLOPPY_ARGUMENTS_ELEMENTS, from_kind);
      CopyObjectToObjectElements(isolate, from, HOLEY_ELEMENTS, from_start, to,
                                 HOLEY_ELEMENTS, to_start, copy_size);
    }
  }

  // Replaces the nested arguments store with a fast array of at least
  // |capacity| slots and transitions the object (back) to
  // FAST_SLOPPY_ARGUMENTS_ELEMENTS. Also used to un-normalize a slow store.
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    Isolate* isolate = object->GetIsolate();
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
    Handle<FixedArray> old_arguments(FixedArray::cast(elements->arguments()),
                                     isolate);
    ElementsKind from_kind = object->GetElementsKind();
    // This method should only be called if there's a reason to update the
    // elements.
    DCHECK(from_kind == SLOW_SLOPPY_ARGUMENTS_ELEMENTS ||
           static_cast<uint32_t>(old_arguments->length()) < capacity);
    Handle<FixedArrayBase> arguments =
        ConvertElementsWithCapacity(object, old_arguments, from_kind, capacity);
    Handle<Map> new_map = JSObject::GetElementsTransitionMap(
        object, FAST_SLOPPY_ARGUMENTS_ELEMENTS);
    JSObject::MigrateToMap(object, new_map);
    elements->set_arguments(FixedArray::cast(*arguments));
    // Debug-only consistency check of map/elements agreement.
    JSObject::ValidateElements(*object);
  }
};

template <typename Subclass, typename BackingStoreAccessor, typename KindTraits>
class StringWrapperElementsAccessor
4102
    : public ElementsAccessorBase<Subclass, KindTraits> {
4103 4104
 public:
  explicit StringWrapperElementsAccessor(const char* name)
4105
      : ElementsAccessorBase<Subclass, KindTraits>(name) {
4106 4107 4108
    USE(KindTraits::Kind);
  }

4109 4110 4111 4112 4113
  static Handle<Object> GetInternalImpl(Handle<JSObject> holder,
                                        uint32_t entry) {
    return GetImpl(holder, entry);
  }

4114 4115 4116 4117 4118 4119
  static Handle<Object> GetImpl(Handle<JSObject> holder, uint32_t entry) {
    Isolate* isolate = holder->GetIsolate();
    Handle<String> string(GetString(*holder), isolate);
    uint32_t length = static_cast<uint32_t>(string->length());
    if (entry < length) {
      return isolate->factory()->LookupSingleCharacterStringFromCode(
4120
          String::Flatten(isolate, string)->Get(entry));
4121
    }
4122 4123 4124 4125
    return BackingStoreAccessor::GetImpl(isolate, holder->elements(),
                                         entry - length);
  }

4126
  static Handle<Object> GetImpl(Isolate* isolate, FixedArrayBase elements,
4127 4128
                                uint32_t entry) {
    UNREACHABLE();
4129 4130
  }

4131
  static PropertyDetails GetDetailsImpl(JSObject holder, uint32_t entry) {
4132 4133 4134 4135
    uint32_t length = static_cast<uint32_t>(GetString(holder)->length());
    if (entry < length) {
      PropertyAttributes attributes =
          static_cast<PropertyAttributes>(READ_ONLY | DONT_DELETE);
4136
      return PropertyDetails(kData, attributes, PropertyCellType::kNoCell);
4137 4138 4139 4140
    }
    return BackingStoreAccessor::GetDetailsImpl(holder, entry - length);
  }

4141
  static uint32_t GetEntryForIndexImpl(Isolate* isolate, JSObject holder,
4142
                                       FixedArrayBase backing_store,
4143 4144 4145 4146
                                       uint32_t index, PropertyFilter filter) {
    uint32_t length = static_cast<uint32_t>(GetString(holder)->length());
    if (index < length) return index;
    uint32_t backing_store_entry = BackingStoreAccessor::GetEntryForIndexImpl(
4147
        isolate, holder, backing_store, index, filter);
4148 4149 4150 4151 4152 4153 4154 4155 4156 4157 4158 4159 4160
    if (backing_store_entry == kMaxUInt32) return kMaxUInt32;
    DCHECK(backing_store_entry < kMaxUInt32 - length);
    return backing_store_entry + length;
  }

  static void DeleteImpl(Handle<JSObject> holder, uint32_t entry) {
    uint32_t length = static_cast<uint32_t>(GetString(*holder)->length());
    if (entry < length) {
      return;  // String contents can't be deleted.
    }
    BackingStoreAccessor::DeleteImpl(holder, entry - length);
  }

4161
  static void SetImpl(Handle<JSObject> holder, uint32_t entry, Object value) {
4162 4163 4164 4165 4166 4167 4168 4169 4170 4171 4172
    uint32_t length = static_cast<uint32_t>(GetString(*holder)->length());
    if (entry < length) {
      return;  // String contents are read-only.
    }
    BackingStoreAccessor::SetImpl(holder->elements(), entry - length, value);
  }

  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    DCHECK(index >= static_cast<uint32_t>(GetString(*object)->length()));
4173 4174 4175 4176 4177 4178
    // Explicitly grow fast backing stores if needed. Dictionaries know how to
    // extend their capacity themselves.
    if (KindTraits::Kind == FAST_STRING_WRAPPER_ELEMENTS &&
        (object->GetElementsKind() == SLOW_STRING_WRAPPER_ELEMENTS ||
         BackingStoreAccessor::GetCapacityImpl(*object, object->elements()) !=
             new_capacity)) {
4179
      GrowCapacityAndConvertImpl(object, new_capacity);
4180 4181 4182 4183 4184 4185 4186 4187 4188 4189 4190 4191 4192 4193 4194 4195 4196 4197 4198 4199 4200 4201
    }
    BackingStoreAccessor::AddImpl(object, index, value, attributes,
                                  new_capacity);
  }

  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    uint32_t length = static_cast<uint32_t>(GetString(*object)->length());
    if (entry < length) {
      return;  // String contents can't be reconfigured.
    }
    BackingStoreAccessor::ReconfigureImpl(object, store, entry - length, value,
                                          attributes);
  }

  static void AddElementsToKeyAccumulatorImpl(Handle<JSObject> receiver,
                                              KeyAccumulator* accumulator,
                                              AddKeyConversion convert) {
    Isolate* isolate = receiver->GetIsolate();
    Handle<String> string(GetString(*receiver), isolate);
4202
    string = String::Flatten(isolate, string);
4203 4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215
    uint32_t length = static_cast<uint32_t>(string->length());
    for (uint32_t i = 0; i < length; i++) {
      accumulator->AddKey(
          isolate->factory()->LookupSingleCharacterStringFromCode(
              string->Get(i)),
          convert);
    }
    BackingStoreAccessor::AddElementsToKeyAccumulatorImpl(receiver, accumulator,
                                                          convert);
  }

  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
4216
                                        KeyAccumulator* keys) {
4217
    uint32_t length = GetString(*object)->length();
4218
    Factory* factory = keys->isolate()->factory();
4219
    for (uint32_t i = 0; i < length; i++) {
4220
      keys->AddKey(factory->NewNumberFromUint(i));
4221
    }
4222 4223
    BackingStoreAccessor::CollectElementIndicesImpl(object, backing_store,
                                                    keys);
4224 4225
  }

4226 4227
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
4228 4229
    Handle<FixedArrayBase> old_elements(object->elements(),
                                        object->GetIsolate());
4230
    ElementsKind from_kind = object->GetElementsKind();
4231 4232 4233 4234 4235
    if (from_kind == FAST_STRING_WRAPPER_ELEMENTS) {
      // The optimizing compiler relies on the prototype lookups of String
      // objects always returning undefined. If there's a store to the
      // initial String.prototype object, make sure all the optimizations
      // are invalidated.
4236
      object->GetIsolate()->UpdateNoElementsProtectorOnSetLength(object);
4237
    }
4238 4239 4240 4241 4242 4243 4244 4245 4246
    // This method should only be called if there's a reason to update the
    // elements.
    DCHECK(from_kind == SLOW_STRING_WRAPPER_ELEMENTS ||
           static_cast<uint32_t>(old_elements->length()) < capacity);
    Subclass::BasicGrowCapacityAndConvertImpl(object, old_elements, from_kind,
                                              FAST_STRING_WRAPPER_ELEMENTS,
                                              capacity);
  }

4247 4248
  static void CopyElementsImpl(Isolate* isolate, FixedArrayBase from,
                               uint32_t from_start, FixedArrayBase to,
4249 4250
                               ElementsKind from_kind, uint32_t to_start,
                               int packed_size, int copy_size) {
4251 4252
    DCHECK(!to->IsDictionary());
    if (from_kind == SLOW_STRING_WRAPPER_ELEMENTS) {
4253 4254
      CopyDictionaryToObjectElements(isolate, from, from_start, to,
                                     HOLEY_ELEMENTS, to_start, copy_size);
4255 4256
    } else {
      DCHECK_EQ(FAST_STRING_WRAPPER_ELEMENTS, from_kind);
4257
      CopyObjectToObjectElements(isolate, from, HOLEY_ELEMENTS, from_start, to,
4258
                                 HOLEY_ELEMENTS, to_start, copy_size);
4259
    }
4260 4261
  }

4262
  static uint32_t NumberOfElementsImpl(JSObject object,
4263
                                       FixedArrayBase backing_store) {
4264 4265 4266 4267 4268
    uint32_t length = GetString(object)->length();
    return length +
           BackingStoreAccessor::NumberOfElementsImpl(object, backing_store);
  }

4269
 private:
4270
  static String GetString(JSObject holder) {
4271
    DCHECK(holder->IsJSValue());
4272
    JSValue js_value = JSValue::cast(holder);
4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286
    DCHECK(js_value->value()->IsString());
    return String::cast(js_value->value());
  }
};

// String wrapper accessor whose non-character elements are handled by
// FastHoleyObjectElementsAccessor.
class FastStringWrapperElementsAccessor
    : public StringWrapperElementsAccessor<
          FastStringWrapperElementsAccessor, FastHoleyObjectElementsAccessor,
          ElementsKindTraits<FAST_STRING_WRAPPER_ELEMENTS>> {
 private:
  using Base = StringWrapperElementsAccessor<
      FastStringWrapperElementsAccessor, FastHoleyObjectElementsAccessor,
      ElementsKindTraits<FAST_STRING_WRAPPER_ELEMENTS>>;

 public:
  explicit FastStringWrapperElementsAccessor(const char* name) : Base(name) {}

  // Dictionary conversion is delegated to the fast backing-store accessor.
  static Handle<NumberDictionary> NormalizeImpl(
      Handle<JSObject> object, Handle<FixedArrayBase> elements) {
    return FastHoleyObjectElementsAccessor::NormalizeImpl(object, elements);
  }
};

// String wrapper accessor whose non-character elements are handled by
// DictionaryElementsAccessor.
class SlowStringWrapperElementsAccessor
    : public StringWrapperElementsAccessor<
          SlowStringWrapperElementsAccessor, DictionaryElementsAccessor,
          ElementsKindTraits<SLOW_STRING_WRAPPER_ELEMENTS>> {
 private:
  using Base = StringWrapperElementsAccessor<
      SlowStringWrapperElementsAccessor, DictionaryElementsAccessor,
      ElementsKindTraits<SLOW_STRING_WRAPPER_ELEMENTS>>;

 public:
  explicit SlowStringWrapperElementsAccessor(const char* name) : Base(name) {}

  // Accessor detection is delegated to the dictionary backing store; the
  // string characters themselves are plain data.
  static bool HasAccessorsImpl(JSObject holder, FixedArrayBase backing_store) {
    return DictionaryElementsAccessor::HasAccessorsImpl(holder, backing_store);
  }
};

}  // namespace


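// Debug tracing helper: prints a diagnostic, followed by the top JS frame,
// when an element access at |index| on |obj| is out of bounds for the
// operation |op|. With |allow_appending| an index equal to the current
// length is accepted (a store that grows the array by one). Never allocates.
void CheckArrayAbuse(Handle<JSObject> obj, const char* op, uint32_t index,
                     bool allow_appending) {
  DisallowHeapAllocation no_allocation;
  Object raw_length;
  const char* elements_type = "array";
  if (obj->IsJSArray()) {
    JSArray array = JSArray::cast(*obj);
    raw_length = array->length();
  } else {
    raw_length = Smi::FromInt(obj->elements()->length());
    elements_type = "object";
  }

  if (!raw_length->IsNumber()) {
    PrintF("[%s elements length not a number in ", elements_type);
    TraceTopFrame(obj->GetIsolate());
    PrintF("]\n");
    return;
  }

  double n = raw_length->Number();
  // Only non-negative integral lengths representable in 32 bits are valid.
  if (FastI2D(FastD2UI(n)) != n) {
    PrintF("[%s elements length not integer value in ", elements_type);
    TraceTopFrame(obj->GetIsolate());
    PrintF("]\n");
    return;
  }

  int32_t int32_length = DoubleToInt32(n);
  uint32_t length = static_cast<uint32_t>(int32_length);
  // Compare without incrementing |length|: the previous `compare_length++`
  // wrapped to zero for a length of 2^32-1 and then reported every access
  // as out of bounds.
  bool out_of_bounds =
      index > length || (index == length && !allow_appending);
  if (out_of_bounds) {
    // Printed as unsigned: lengths at or above 2^31 used to appear negative.
    PrintF("[OOB %s %s (%s length = %u, element accessed = %u) in ",
           elements_type, op, elements_type, length, index);
    TraceTopFrame(obj->GetIsolate());
    PrintF("]\n");
  }
}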


// Initializes the elements of a freshly constructed JSArray from the
// constructor arguments: no arguments, a single numeric length, or an
// explicit element list. Returns |array| on success; the single-length path
// returns the RangeError produced by ThrowArrayLengthRangeError when the
// argument is not a valid array length.
MaybeHandle<Object> ArrayConstructInitializeElements(Handle<JSArray> array,
                                                     Arguments* args) {
  if (args->length() == 0) {
    // Optimize the case where there are no parameters passed.
    JSArray::Initialize(array, JSArray::kPreallocatedArrayElements);
    return array;

  } else if (args->length() == 1 && args->at(0)->IsNumber()) {
    uint32_t length;
    if (!args->at(0)->ToArrayLength(&length)) {
      return ThrowArrayLengthRangeError(array->GetIsolate());
    }

    // Optimize the case where there is one argument and the argument is a small
    // smi.
    if (length > 0 && length < JSArray::kInitialMaxFastElementArray) {
      ElementsKind elements_kind = array->GetElementsKind();
      JSArray::Initialize(array, length, length);

      // A preallocated-but-unfilled store must be a holey kind.
      if (!IsHoleyElementsKind(elements_kind)) {
        elements_kind = GetHoleyElementsKind(elements_kind);
        JSObject::TransitionElementsKind(array, elements_kind);
      }
    } else if (length == 0) {
      JSArray::Initialize(array, JSArray::kPreallocatedArrayElements);
    } else {
      // Take the argument as the length. Large lengths are not preallocated;
      // only the length is set.
      JSArray::Initialize(array, 0);
      JSArray::SetLength(array, length);
    }
    return array;
  }

  Factory* factory = array->GetIsolate()->factory();

  // Set length and elements on the array.
  int number_of_elements = args->length();
  // Done before reading the kind below, so the kind already reflects the
  // argument values (presumably transitioning as needed — verify).
  JSObject::EnsureCanContainElements(
      array, args, 0, number_of_elements, ALLOW_CONVERTED_DOUBLE_ELEMENTS);

  // Allocate an appropriately typed elements array.
  ElementsKind elements_kind = array->GetElementsKind();
  Handle<FixedArrayBase> elms;
  if (IsDoubleElementsKind(elements_kind)) {
    elms = Handle<FixedArrayBase>::cast(
        factory->NewFixedDoubleArray(number_of_elements));
  } else {
    elms = Handle<FixedArrayBase>::cast(
        factory->NewFixedArrayWithHoles(number_of_elements));
  }

  // Fill in the content
  switch (elements_kind) {
    case HOLEY_SMI_ELEMENTS:
    case PACKED_SMI_ELEMENTS: {
      // SKIP_WRITE_BARRIER is only sound here because Smi values are not
      // heap pointers.
      Handle<FixedArray> smi_elms = Handle<FixedArray>::cast(elms);
      for (int entry = 0; entry < number_of_elements; entry++) {
        smi_elms->set(entry, (*args)[entry], SKIP_WRITE_BARRIER);
      }
      break;
    }
    case HOLEY_ELEMENTS:
    case PACKED_ELEMENTS: {
      // The barrier mode is computed once under a no-GC scope and reused for
      // every store.
      DisallowHeapAllocation no_gc;
      WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc);
      Handle<FixedArray> object_elms = Handle<FixedArray>::cast(elms);
      for (int entry = 0; entry < number_of_elements; entry++) {
        object_elms->set(entry, (*args)[entry], mode);
      }
      break;
    }
    case HOLEY_DOUBLE_ELEMENTS:
    case PACKED_DOUBLE_ELEMENTS: {
      Handle<FixedDoubleArray> double_elms =
          Handle<FixedDoubleArray>::cast(elms);
      for (int entry = 0; entry < number_of_elements; entry++) {
        double_elms->set(entry, (*args)[entry]->Number());
      }
      break;
    }
    default:
      UNREACHABLE();
      break;
  }

  array->set_elements(*elms);
  array->set_length(Smi::FromInt(number_of_elements));
  return array;
}

// Copies |length| numeric elements of a fast JSArray into a typed array
// starting at |offset|, dispatching on the destination's elements kind. The
// raw arguments are tagged object addresses (this is called from generated
// code, so no handles are involved). The copy is CHECKed to succeed.
// NOTE(review): |offset| is narrowed from uintptr_t to uint32_t inside the
// macro; on 64-bit targets a value >= 2^32 would be silently truncated.
// Presumably the caller has already range-checked it — confirm.
void CopyFastNumberJSArrayElementsToTypedArray(Address raw_context,
                                               Address raw_source,
                                               Address raw_destination,
                                               uintptr_t length,
                                               uintptr_t offset) {
  Context context = Context::cast(Object(raw_context));
  JSArray source = JSArray::cast(Object(raw_source));
  JSTypedArray destination = JSTypedArray::cast(Object(raw_destination));

  switch (destination->GetElementsKind()) {
#define TYPED_ARRAYS_CASE(Type, type, TYPE, ctype)                             \
  case TYPE##_ELEMENTS:                                                        \
    CHECK(Fixed##Type##ElementsAccessor::TryCopyElementsFastNumber(            \
        context, source, destination, length, static_cast<uint32_t>(offset))); \
    break;
    TYPED_ARRAYS(TYPED_ARRAYS_CASE)
#undef TYPED_ARRAYS_CASE
    default:
      UNREACHABLE();
  }
}

// Copies |length| elements from one typed array into another at |offset|,
// dispatching on the destination's elements kind. The raw arguments are
// tagged object addresses.
// NOTE(review): as in CopyFastNumberJSArrayElementsToTypedArray, |offset| is
// narrowed to uint32_t inside the macro without a check here; the caller is
// presumably responsible for the range — confirm.
void CopyTypedArrayElementsToTypedArray(Address raw_source,
                                        Address raw_destination,
                                        uintptr_t length, uintptr_t offset) {
  JSTypedArray source = JSTypedArray::cast(Object(raw_source));
  JSTypedArray destination = JSTypedArray::cast(Object(raw_destination));

  switch (destination->GetElementsKind()) {
#define TYPED_ARRAYS_CASE(Type, type, TYPE, ctype)                   \
  case TYPE##_ELEMENTS:                                              \
    Fixed##Type##ElementsAccessor::CopyElementsFromTypedArray(       \
        source, destination, length, static_cast<uint32_t>(offset)); \
    break;
    TYPED_ARRAYS(TYPED_ARRAYS_CASE)
#undef TYPED_ARRAYS_CASE
    default:
      UNREACHABLE();
  }
}

// Copies the [start, end) slice of the source typed array into the
// destination typed array through the destination's own elements accessor.
// The raw arguments are tagged object addresses.
void CopyTypedArrayElementsSlice(Address raw_source, Address raw_destination,
                                 uintptr_t start, uintptr_t end) {
  JSTypedArray src = JSTypedArray::cast(Object(raw_source));
  JSTypedArray dst = JSTypedArray::cast(Object(raw_destination));
  auto* accessor = dst->GetElementsAccessor();
  accessor->CopyTypedArrayElementsSlice(src, dst, start, end);
}

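// Creates the per-kind accessor singletons and publishes them through
// elements_accessors_. Each accessor is stored at the slot of its own
// ElementsKind rather than in ELEMENTS_LIST order, so lookup by kind and the
// per-kind delete in TearDown() no longer depend on the two orders agreeing.
// Safe to call again after TearDown(): a fresh set of accessors is created
// instead of republishing the pointers TearDown() has already deleted.
void ElementsAccessor::InitializeOncePerProcess() {
  if (elements_accessors_ != nullptr) return;  // Already initialized.
  static ElementsAccessor* accessor_array[kElementsKindCount];
  // The number of accessors in ELEMENTS_LIST must match the kind count.
#define ACCESSOR_COUNT(Class, Kind, Store) +1
  STATIC_ASSERT((0 ELEMENTS_LIST(ACCESSOR_COUNT)) == kElementsKindCount);
#undef ACCESSOR_COUNT
#define ACCESSOR_ARRAY(Class, Kind, Store) \
  accessor_array[Kind] = new Class(#Kind);
  ELEMENTS_LIST(ACCESSOR_ARRAY)
#undef ACCESSOR_ARRAY
  // Every kind must have received an accessor.
  for (int i = 0; i < kElementsKindCount; ++i) {
    DCHECK(accessor_array[i] != nullptr);
  }
  elements_accessors_ = accessor_array;
}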


// Deletes the accessors created by InitializeOncePerProcess() and clears the
// table. Idempotent: a second call finds the null table and returns. The
// storage InitializeOncePerProcess() published still holds the now-stale
// pointers until that function is run again.
void ElementsAccessor::TearDown() {
  if (elements_accessors_ == nullptr) return;
#define ACCESSOR_DELETE(Class, Kind, Store) delete elements_accessors_[Kind];
  ELEMENTS_LIST(ACCESSOR_DELETE)
#undef ACCESSOR_DELETE
  elements_accessors_ = nullptr;
}

4513
// Concatenates the first |concat_size| arguments, which must all be JSArrays
// (JSArray::cast below does not check in release builds), into a new JSArray
// of length |result_len|. The result kind is the most general of the input
// kinds, made holey if any input is holey. |result_len| is trusted to equal
// the sum of the input lengths: the only check is the DCHECK at the end.
Handle<JSArray> ElementsAccessor::Concat(Isolate* isolate, Arguments* args,
                                         uint32_t concat_size,
                                         uint32_t result_len) {
  ElementsKind result_elements_kind = GetInitialFastElementsKind();
  bool has_raw_doubles = false;
  {
    // Raw (unhandled) objects are read here, so allocation is forbidden.
    DisallowHeapAllocation no_gc;
    bool is_holey = false;
    for (uint32_t i = 0; i < concat_size; i++) {
      Object arg = (*args)[i];
      ElementsKind arg_kind = JSArray::cast(arg)->GetElementsKind();
      has_raw_doubles = has_raw_doubles || IsDoubleElementsKind(arg_kind);
      is_holey = is_holey || IsHoleyElementsKind(arg_kind);
      result_elements_kind =
          GetMoreGeneralElementsKind(result_elements_kind, arg_kind);
    }
    if (is_holey) {
      result_elements_kind = GetHoleyElementsKind(result_elements_kind);
    }
  }

  // If a double array is concatted into a fast elements array, the fast
  // elements array needs to be initialized to contain proper holes, since
  // boxing doubles may cause incremental marking.
  bool requires_double_boxing =
      has_raw_doubles && !IsDoubleElementsKind(result_elements_kind);
  ArrayStorageAllocationMode mode = requires_double_boxing
                                        ? INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE
                                        : DONT_INITIALIZE_ARRAY_ELEMENTS;
  Handle<JSArray> result_array = isolate->factory()->NewJSArray(
      result_elements_kind, result_len, result_len, mode);
  if (result_len == 0) return result_array;

  uint32_t insertion_index = 0;
  Handle<FixedArrayBase> storage(result_array->elements(), isolate);
  ElementsAccessor* accessor = ElementsAccessor::ForKind(result_elements_kind);
  for (uint32_t i = 0; i < concat_size; i++) {
    // It is crucial to keep |array| in a raw pointer form to avoid
    // performance degradation.
    JSArray array = JSArray::cast((*args)[i]);
    uint32_t len = 0;
    // The return value is ignored: on failure |len| presumably stays 0 and
    // the array is skipped below.
    array->length()->ToArrayLength(&len);
    if (len == 0) continue;
    ElementsKind from_kind = array->GetElementsKind();
    accessor->CopyElements(array, 0, from_kind, storage, insertion_index, len);
    insertion_index += len;
  }

  // Debug-only consistency check against the caller-supplied length.
  DCHECK_EQ(insertion_index, result_len);
  return result_array;
}

// Process-wide accessor table indexed by ElementsKind; populated by
// InitializeOncePerProcess() and reset to nullptr by TearDown().
ElementsAccessor** ElementsAccessor::elements_accessors_ = nullptr;

#undef ELEMENTS_LIST
}  // namespace internal
}  // namespace v8