elements.cc 96.1 KB
// Copyright 2012 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "src/elements.h"

#include "src/arguments.h"
#include "src/conversions.h"
#include "src/factory.h"
#include "src/messages.h"
#include "src/objects-inl.h"
#include "src/utils.h"

// Each concrete ElementsAccessor can handle exactly one ElementsKind;
// several abstract ElementsAccessor classes are used to allow sharing
// common code.
//
// Inheritance hierarchy:
// - ElementsAccessorBase                        (abstract)
//   - FastElementsAccessor                      (abstract)
//     - FastSmiOrObjectElementsAccessor
//       - FastPackedSmiElementsAccessor
//       - FastHoleySmiElementsAccessor
//       - FastPackedObjectElementsAccessor
//       - FastHoleyObjectElementsAccessor
//     - FastDoubleElementsAccessor
//       - FastPackedDoubleElementsAccessor
//       - FastHoleyDoubleElementsAccessor
//   - TypedElementsAccessor: template, with instantiations:
//     - FixedUint8ElementsAccessor
//     - FixedInt8ElementsAccessor
//     - FixedUint16ElementsAccessor
//     - FixedInt16ElementsAccessor
//     - FixedUint32ElementsAccessor
//     - FixedInt32ElementsAccessor
//     - FixedFloat32ElementsAccessor
//     - FixedFloat64ElementsAccessor
//     - FixedUint8ClampedElementsAccessor
//   - DictionaryElementsAccessor
//   - SloppyArgumentsElementsAccessor
//     - FastSloppyArgumentsElementsAccessor
//     - SlowSloppyArgumentsElementsAccessor


namespace v8 {
namespace internal {


namespace {


// Sentinel used as the initial "packed size" value before a real element
// count has been determined.
static const int kPackedSizeNotKnown = -1;

// Selects one end of a sequence (its start or its end). The consumers of this
// enum are not visible in this part of the file.
enum Where { AT_START, AT_END };


// First argument in list is the accessor class, the second argument is the
// accessor ElementsKind, and the third is the backing store class.  Use the
// fast element handler for smi-only arrays.  The implementation is currently
// identical.  Note that the order must match that of the ElementsKind enum for
// the |accessor_array[]| below to work.
#define ELEMENTS_LIST(V)                                                      \
  V(FastPackedSmiElementsAccessor, FAST_SMI_ELEMENTS, FixedArray)             \
  V(FastHoleySmiElementsAccessor, FAST_HOLEY_SMI_ELEMENTS, FixedArray)        \
  V(FastPackedObjectElementsAccessor, FAST_ELEMENTS, FixedArray)              \
  V(FastHoleyObjectElementsAccessor, FAST_HOLEY_ELEMENTS, FixedArray)         \
  V(FastPackedDoubleElementsAccessor, FAST_DOUBLE_ELEMENTS, FixedDoubleArray) \
  V(FastHoleyDoubleElementsAccessor, FAST_HOLEY_DOUBLE_ELEMENTS,              \
    FixedDoubleArray)                                                         \
  V(DictionaryElementsAccessor, DICTIONARY_ELEMENTS, SeededNumberDictionary)  \
  V(FastSloppyArgumentsElementsAccessor, FAST_SLOPPY_ARGUMENTS_ELEMENTS,      \
    FixedArray)                                                               \
  V(SlowSloppyArgumentsElementsAccessor, SLOW_SLOPPY_ARGUMENTS_ELEMENTS,      \
    FixedArray)                                                               \
  V(FixedUint8ElementsAccessor, UINT8_ELEMENTS, FixedUint8Array)              \
  V(FixedInt8ElementsAccessor, INT8_ELEMENTS, FixedInt8Array)                 \
  V(FixedUint16ElementsAccessor, UINT16_ELEMENTS, FixedUint16Array)           \
  V(FixedInt16ElementsAccessor, INT16_ELEMENTS, FixedInt16Array)              \
  V(FixedUint32ElementsAccessor, UINT32_ELEMENTS, FixedUint32Array)           \
  V(FixedInt32ElementsAccessor, INT32_ELEMENTS, FixedInt32Array)              \
  V(FixedFloat32ElementsAccessor, FLOAT32_ELEMENTS, FixedFloat32Array)        \
  V(FixedFloat64ElementsAccessor, FLOAT64_ELEMENTS, FixedFloat64Array)        \
  V(FixedUint8ClampedElementsAccessor, UINT8_CLAMPED_ELEMENTS,                \
    FixedUint8ClampedArray)


// Primary template mapping an ElementsKind to its backing-store class. Kinds
// without an explicit specialization get the generic FixedArrayBase.
template <ElementsKind Kind>
class ElementsKindTraits {
 public:
  using BackingStore = FixedArrayBase;
};

#define ELEMENTS_TRAITS(Class, KindParam, Store)               \
template<> class ElementsKindTraits<KindParam> {               \
 public:   /* NOLINT */                                        \
  static const ElementsKind Kind = KindParam;                  \
  typedef Store BackingStore;                                  \
};
ELEMENTS_LIST(ELEMENTS_TRAITS)
#undef ELEMENTS_TRAITS


// Throws a RangeError built from MessageTemplate::kInvalidArrayLength on
// |isolate|. The result is marked MUST_USE_RESULT, so callers may not drop it.
MUST_USE_RESULT
MaybeHandle<Object> ThrowArrayLengthRangeError(Isolate* isolate) {
  THROW_NEW_ERROR(
      isolate, NewRangeError(MessageTemplate::kInvalidArrayLength), Object);
}


// Copies tagged (Smi or object) elements from |from_base|, starting at
// |from_start|, into |to_base|, starting at |to_start|. A negative
// |raw_copy_size| must be ElementsAccessor::kCopyToEnd or
// kCopyToEndAndInitializeToHole: the count then becomes the smaller of the
// elements remaining in the source and in the destination, and the latter
// mode also fills the destination tail past the copied range with the hole.
//
// The range check on the final copy size is a DCHECK, which is compiled out
// of release builds; callers are responsible for passing in-range values.
void CopyObjectToObjectElements(FixedArrayBase* from_base,
                                ElementsKind from_kind, uint32_t from_start,
                                FixedArrayBase* to_base, ElementsKind to_kind,
                                uint32_t to_start, int raw_copy_size) {
  // The destination must not be the shared copy-on-write array.
  DCHECK(to_base->map() !=
         from_base->GetIsolate()->heap()->fixed_cow_array_map());
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      int tail_start = to_start + copy_size;
      int tail_length = to_base->length() - tail_start;
      if (tail_length > 0) {
        Heap* heap = from_base->GetHeap();
        MemsetPointer(FixedArray::cast(to_base)->data_start() + tail_start,
                      heap->the_hole_value(), tail_length);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray* source = FixedArray::cast(from_base);
  FixedArray* target = FixedArray::cast(to_base);
  DCHECK(IsFastSmiOrObjectElementsKind(from_kind));
  DCHECK(IsFastSmiOrObjectElementsKind(to_kind));

  // The write barrier is requested only when both sides hold object kinds.
  WriteBarrierMode barrier = SKIP_WRITE_BARRIER;
  if (IsFastObjectElementsKind(from_kind) &&
      IsFastObjectElementsKind(to_kind)) {
    barrier = UPDATE_WRITE_BARRIER;
  }
  for (int i = 0; i < copy_size; i++) {
    target->set(to_start + i, source->get(from_start + i), barrier);
  }
}


// Copies elements out of the SeededNumberDictionary |from_base| into the
// FixedArray |to_base|. Dictionary keys from_start, from_start + 1, ... map
// to destination slots to_start, to_start + 1, ...; keys with no dictionary
// entry become holes. A negative |raw_copy_size| must be
// ElementsAccessor::kCopyToEnd or kCopyToEndAndInitializeToHole and means
// "up to the dictionary's max_number_key()"; the latter mode also pre-fills
// the destination tail past the copied range with the hole.
static void CopyDictionaryToObjectElements(
    FixedArrayBase* from_base, uint32_t from_start, FixedArrayBase* to_base,
    ElementsKind to_kind, uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(from_base);
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = dictionary->max_number_key() + 1 - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      int tail_start = to_start + copy_size;
      int tail_length = to_base->length() - tail_start;
      if (tail_length > 0) {
        Heap* heap = dictionary->GetHeap();
        MemsetPointer(FixedArray::cast(to_base)->data_start() + tail_start,
                      heap->the_hole_value(), tail_length);
      }
    }
  }
  DCHECK(to_base != from_base);
  DCHECK(IsFastSmiOrObjectElementsKind(to_kind));
  if (copy_size == 0) return;
  FixedArray* target = FixedArray::cast(to_base);
  // Clamp the count so that the loop below stops at the destination's length.
  // This is a runtime check, not a DCHECK.
  uint32_t target_length = target->length();
  if (to_start + copy_size > target_length) {
    copy_size = target_length - to_start;
  }
  WriteBarrierMode barrier = IsFastObjectElementsKind(to_kind)
                                 ? UPDATE_WRITE_BARRIER
                                 : SKIP_WRITE_BARRIER;
  for (int i = 0; i < copy_size; i++) {
    int entry = dictionary->FindEntry(i + from_start);
    if (entry == SeededNumberDictionary::kNotFound) {
      target->set_the_hole(i + to_start);
      continue;
    }
    Object* value = dictionary->ValueAt(entry);
    DCHECK(!value->IsTheHole());
    target->set(i + to_start, value, barrier);
  }
}


// NOTE: this method violates the handlified function signature convention:
// raw pointer parameters in the function that allocates.
// See ElementsAccessorBase::CopyElements() for details.
// Copies elements of the FixedDoubleArray |from_base| into the FixedArray
// |to_base|, going through FixedDoubleArray::get() for every element. A
// negative |raw_copy_size| must be ElementsAccessor::kCopyToEnd or
// kCopyToEndAndInitializeToHole; the count then becomes the smaller of the
// elements remaining in the source and in the destination.
//
// The range check on the final copy size is a DCHECK, which is compiled out
// of release builds; callers are responsible for passing in-range values.
static void CopyDoubleToObjectElements(FixedArrayBase* from_base,
                                       uint32_t from_start,
                                       FixedArrayBase* to_base,
                                       uint32_t to_start, int raw_copy_size) {
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    // Allocation is forbidden only while the raw pointers are used directly.
    DisallowHeapAllocation no_allocation;
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      // The hole fill starts at |to_start|, not after the copied range: the
      // HeapNumber allocation below can cause an incremental marking step,
      // which requires all existing heap objects to be properly initialized.
      int fill_start = to_start;
      int fill_length = to_base->length() - fill_start;
      if (fill_length > 0) {
        Heap* heap = from_base->GetHeap();
        MemsetPointer(FixedArray::cast(to_base)->data_start() + fill_start,
                      heap->the_hole_value(), fill_length);
      }
    }
  }

  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;

  // The code below can allocate, so the raw pointers are wrapped in handles
  // before anything else happens.
  Isolate* isolate = from_base->GetIsolate();
  Handle<FixedDoubleArray> source(FixedDoubleArray::cast(from_base), isolate);
  Handle<FixedArray> target(FixedArray::cast(to_base), isolate);

  // Work in chunks of 100 elements, one HandleScope per chunk: a scope per
  // element would waste time, while a single scope might overflow for a large
  // copy_size.
  const int kChunkSize = 100;
  for (int chunk_start = 0; chunk_start < copy_size;
       chunk_start += kChunkSize) {
    HandleScope scope(isolate);
    const int chunk_limit = chunk_start + kChunkSize;
    for (int i = chunk_start; i < chunk_limit && i < copy_size; ++i) {
      Handle<Object> value = FixedDoubleArray::get(source, i + from_start);
      target->set(i + to_start, *value, UPDATE_WRITE_BARRIER);
    }
  }
}


// Copies raw double payloads between two FixedDoubleArrays with a word-wise
// CopyWords() over the element storage. A negative |raw_copy_size| must be
// ElementsAccessor::kCopyToEnd or kCopyToEndAndInitializeToHole; the count
// then becomes the smaller of the elements remaining in the source and in the
// destination, and the latter mode also sets the destination tail past the
// copied range to the hole.
//
// The range check on the final copy size is a DCHECK, which is compiled out
// of release builds, and the copy itself is raw address arithmetic; callers
// are responsible for passing in-range values.
static void CopyDoubleToDoubleElements(FixedArrayBase* from_base,
                                       uint32_t from_start,
                                       FixedArrayBase* to_base,
                                       uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = Min(from_base->length() - from_start,
                    to_base->length() - to_start);
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedDoubleArray* source = FixedDoubleArray::cast(from_base);
  FixedDoubleArray* target = FixedDoubleArray::cast(to_base);
  // Address of the first element to write / read: object address plus header
  // plus the byte offset of the start index.
  Address target_address = target->address() + FixedDoubleArray::kHeaderSize;
  target_address += kDoubleSize * to_start;
  Address source_address = source->address() + FixedDoubleArray::kHeaderSize;
  source_address += kDoubleSize * from_start;
  // CopyWords counts in pointer-sized words, not in doubles.
  int words_per_double = (kDoubleSize / kPointerSize);
  CopyWords(reinterpret_cast<Object**>(target_address),
            reinterpret_cast<Object**>(source_address),
            static_cast<size_t>(words_per_double * copy_size));
}


// Converts the elements of the FixedArray |from_base| (Smis or the hole) to
// doubles and stores them in the FixedDoubleArray |to_base|; holes stay
// holes. A negative |raw_copy_size| must be ElementsAccessor::kCopyToEnd or
// kCopyToEndAndInitializeToHole and means "all source elements from
// |from_start| on"; the latter mode also sets the destination tail past the
// copied range to the hole.
//
// NOTE(review): in the copy-to-end modes the count is derived from the source
// length alone and is never clamped to the destination. The only range check
// is the DCHECK below, which is compiled out of release builds, so callers
// must guarantee that the destination is large enough.
static void CopySmiToDoubleElements(FixedArrayBase* from_base,
                                    uint32_t from_start,
                                    FixedArrayBase* to_base, uint32_t to_start,
                                    int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = from_base->length() - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray* source = FixedArray::cast(from_base);
  FixedDoubleArray* target = FixedDoubleArray::cast(to_base);
  Object* the_hole = source->GetHeap()->the_hole_value();
  const uint32_t from_end = from_start + static_cast<uint32_t>(copy_size);
  uint32_t dst = to_start;
  for (uint32_t src = from_start; src < from_end; src++, dst++) {
    Object* hole_or_smi = source->get(src);
    if (hole_or_smi != the_hole) {
      target->set(dst, Smi::cast(hole_or_smi)->value());
    } else {
      target->set_the_hole(dst);
    }
  }
}


// Converts |packed_size| Smis from the FixedArray |from_base| to doubles in
// the FixedDoubleArray |to_base|. The source range is expected to contain no
// holes (DCHECKed per element). A negative |raw_copy_size| must be
// ElementsAccessor::kCopyToEnd or kCopyToEndAndInitializeToHole; the copy
// size then becomes |packed_size| - |from_start|, and the latter mode also
// sets the destination tail past that range to the hole.
//
// All range checks here are DCHECKs, which are compiled out of release
// builds; callers are responsible for passing consistent, in-range values.
static void CopyPackedSmiToDoubleElements(FixedArrayBase* from_base,
                                          uint32_t from_start,
                                          FixedArrayBase* to_base,
                                          uint32_t to_start, int packed_size,
                                          int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  // End of the written destination range; only consulted by a DCHECK below.
  uint32_t to_end;
  if (raw_copy_size >= 0) {
    to_end = to_start + static_cast<uint32_t>(copy_size);
  } else {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = packed_size - from_start;
    if (raw_copy_size != ElementsAccessor::kCopyToEndAndInitializeToHole) {
      to_end = to_start + static_cast<uint32_t>(copy_size);
    } else {
      to_end = to_base->length();
      for (uint32_t i = to_start + copy_size; i < to_end; ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK(static_cast<int>(to_end) <= to_base->length());
  DCHECK(packed_size >= 0 && packed_size <= copy_size);
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray* source = FixedArray::cast(from_base);
  FixedDoubleArray* target = FixedDoubleArray::cast(to_base);
  // Note that the loop bound is |packed_size|, not |copy_size|.
  const uint32_t from_end = from_start + static_cast<uint32_t>(packed_size);
  uint32_t dst = to_start;
  for (uint32_t src = from_start; src < from_end; src++, dst++) {
    Object* smi = source->get(src);
    DCHECK(!smi->IsTheHole());
    target->set(dst, Smi::cast(smi)->value());
  }
}


// Converts the elements of the FixedArray |from_base| to doubles via
// Object::Number() and stores them in the FixedDoubleArray |to_base|; holes
// stay holes. A negative |raw_copy_size| must be ElementsAccessor::kCopyToEnd
// or kCopyToEndAndInitializeToHole and means "all source elements from
// |from_start| on"; the latter mode also sets the destination tail past the
// copied range to the hole.
//
// NOTE(review): in the copy-to-end modes the count is derived from the source
// length alone and is never clamped to the destination. The only range check
// is the DCHECK below, which is compiled out of release builds, so callers
// must guarantee that the destination is large enough.
static void CopyObjectToDoubleElements(FixedArrayBase* from_base,
                                       uint32_t from_start,
                                       FixedArrayBase* to_base,
                                       uint32_t to_start, int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  int copy_size = raw_copy_size;
  if (raw_copy_size < 0) {
    DCHECK(raw_copy_size == ElementsAccessor::kCopyToEnd ||
           raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = from_base->length() - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  DCHECK((copy_size + static_cast<int>(to_start)) <= to_base->length() &&
         (copy_size + static_cast<int>(from_start)) <= from_base->length());
  if (copy_size == 0) return;
  FixedArray* source = FixedArray::cast(from_base);
  FixedDoubleArray* target = FixedDoubleArray::cast(to_base);
  Object* the_hole = source->GetHeap()->the_hole_value();
  const uint32_t from_end = from_start + copy_size;
  uint32_t dst = to_start;
  for (uint32_t src = from_start; src < from_end; src++, dst++) {
    Object* hole_or_object = source->get(src);
    if (hole_or_object != the_hole) {
      target->set(dst, hole_or_object->Number());
    } else {
      target->set_the_hole(dst);
    }
  }
}


// Copies elements out of the SeededNumberDictionary |from_base| into the
// FixedDoubleArray |to_base|, converting each value with Object::Number().
// Dictionary keys from_start, from_start + 1, ... map to destination slots
// to_start, to_start + 1, ...; keys with no dictionary entry become holes.
// A negative |raw_copy_size| must be ElementsAccessor::kCopyToEnd or
// kCopyToEndAndInitializeToHole and means "up to the dictionary's
// max_number_key()"; the latter mode also sets the destination tail past the
// copied range to the hole.
static void CopyDictionaryToDoubleElements(FixedArrayBase* from_base,
                                           uint32_t from_start,
                                           FixedArrayBase* to_base,
                                           uint32_t to_start,
                                           int raw_copy_size) {
  DisallowHeapAllocation no_allocation;
  SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(from_base);
  int copy_size = raw_copy_size;
  if (copy_size < 0) {
    DCHECK(copy_size == ElementsAccessor::kCopyToEnd ||
           copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole);
    copy_size = dictionary->max_number_key() + 1 - from_start;
    if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
      for (int i = to_start + copy_size; i < to_base->length(); ++i) {
        FixedDoubleArray::cast(to_base)->set_the_hole(i);
      }
    }
  }
  if (copy_size == 0) return;
  FixedDoubleArray* target = FixedDoubleArray::cast(to_base);
  // Clamp the count so that the loop below stops at the destination's length.
  // This is a runtime check, not a DCHECK.
  uint32_t target_length = target->length();
  if (to_start + copy_size > target_length) {
    copy_size = target_length - to_start;
  }
  for (int i = 0; i < copy_size; i++) {
    int entry = dictionary->FindEntry(i + from_start);
    if (entry == SeededNumberDictionary::kNotFound) {
      target->set_the_hole(i + to_start);
    } else {
      target->set(i + to_start, dictionary->ValueAt(entry)->Number());
    }
  }
}


// Prints the location of the top frame to stdout for tracing. If there are
// no frames at all, prints a fixed "unknown location" message. If the top
// frame is an internal frame running the Function.prototype.apply builtin,
// prints "apply from " first.
static void TraceTopFrame(Isolate* isolate) {
  StackFrameIterator frames(isolate);
  if (frames.done()) {
    PrintF("unknown location (no JavaScript frames present)");
    return;
  }
  StackFrame* top_frame = frames.frame();
  if (top_frame->is_internal()) {
    Code* apply_code =
        isolate->builtins()->builtin(Builtins::kFunctionApply);
    if (top_frame->unchecked_code() == apply_code) {
      PrintF("apply from ");
      frames.Advance();
      // NOTE(review): the frame fetched here is not read again in this
      // function; PrintTop() below is given only the isolate.
      top_frame = frames.frame();
    }
  }
  JavaScriptFrame::PrintTop(isolate, stdout, false, true);
}


// Base class for element handler implementations. Contains the common
// logic for objects with different ElementsKinds. Subclasses must
// specialize the methods for which the element implementation differs
// from the base class implementation.
//
// This class is intended to be used in the following way:
//
//   class SomeElementsAccessor :
//       public ElementsAccessorBase<SomeElementsAccessor,
//                                   BackingStoreClass> {
//     ...
//   }
//
// This is an example of the Curiously Recurring Template Pattern (see
// http://en.wikipedia.org/wiki/Curiously_recurring_template_pattern).  We use
// CRTP to guarantee aggressive compile time optimizations (i.e.  inlining and
// specialization of SomeElementsAccessor methods).
template <typename ElementsAccessorSubclass,
          typename ElementsTraitsParam>
class ElementsAccessorBase : public ElementsAccessor {
 public:
  // Forwards |name| to the ElementsAccessor base-class constructor.
  explicit ElementsAccessorBase(const char* name) : ElementsAccessor(name) {}

  typedef ElementsTraitsParam ElementsTraits;
  typedef typename ElementsTraitsParam::BackingStore BackingStore;

  // The ElementsKind this accessor handles, as declared by its traits class.
  static ElementsKind kind() {
    return ElementsTraits::Kind;
  }

  // Default content check: does nothing. ValidateImpl() calls this through
  // ElementsAccessorSubclass, so a subclass can supply its own version.
  static void ValidateContents(Handle<JSObject> holder, int length) {}

  // Determines how many elements of |holder| to check and hands them to the
  // subclass's ValidateContents(). For a JSArray the count is its length when
  // that length is a Smi (otherwise 0); for any other object it is the length
  // of the backing store.
  static void ValidateImpl(Handle<JSObject> holder) {
    Handle<FixedArrayBase> elements(holder->elements());
    // Nothing to verify for a non-heap-object store, and arrays that have
    // been shifted in place (filler) can't be verified.
    if (!elements->IsHeapObject() || elements->IsFiller()) return;
    int length = 0;
    if (!holder->IsJSArray()) {
      length = elements->length();
    } else {
      Object* raw_length = Handle<JSArray>::cast(holder)->length();
      if (raw_length->IsSmi()) {
        length = Smi::cast(raw_length)->value();
      }
    }
    ElementsAccessorSubclass::ValidateContents(holder, length);
  }

  // Virtual entry point for validation. Runs the subclass's ValidateImpl()
  // with heap allocation disallowed for the duration of the call.
  void Validate(Handle<JSObject> holder) final {
    DisallowHeapAllocation no_gc;
    ElementsAccessorSubclass::ValidateImpl(holder);
  }

  // Virtual entry point; statically dispatches to the subclass's
  // IsPackedImpl() with the same arguments.
  bool IsPacked(Handle<JSObject> holder, Handle<FixedArrayBase> backing_store,
                uint32_t start, uint32_t end) final {
    const bool packed = ElementsAccessorSubclass::IsPackedImpl(
        holder, backing_store, start, end);
    return packed;
  }

  // Returns true when every index in [start, end) has an element. Accessors
  // for packed kinds answer true without looking at the store; all others
  // probe each index with the subclass's HasElementImpl().
  static bool IsPackedImpl(Handle<JSObject> holder,
                           Handle<FixedArrayBase> backing_store, uint32_t start,
                           uint32_t end) {
    if (IsFastPackedElementsKind(kind())) return true;
    for (uint32_t index = start; index < end; index++) {
      const bool present = ElementsAccessorSubclass::HasElementImpl(
          holder, index, backing_store, ALL_PROPERTIES);
      if (!present) return false;
    }
    return true;
  }

  // If this accessor handles a holey kind and |array| turns out to have an
  // element at every index below its length, migrates |array| to the map of
  // the corresponding packed kind. Does nothing otherwise.
  static void TryTransitionResultArrayToPacked(Handle<JSArray> array) {
    if (!IsHoleyElementsKind(kind())) return;
    // NOTE(review): the length is cast to Smi without a check; this assumes
    // callers only pass arrays whose length is a Smi.
    int length = Smi::cast(array->length())->value();
    Handle<FixedArrayBase> backing_store(array->elements());
    const bool fully_packed =
        ElementsAccessorSubclass::IsPackedImpl(array, backing_store, 0, length);
    if (!fully_packed) return;

    ElementsKind packed_kind = GetPackedElementsKind(kind());
    Handle<Map> packed_map =
        JSObject::GetElementsTransitionMap(array, packed_kind);
    JSObject::MigrateToMap(array, packed_map);
    if (FLAG_trace_elements_transitions) {
      // The backing store is the same before and after the transition.
      JSObject::PrintElementsTransition(stdout, array, kind(), backing_store,
                                        packed_kind, backing_store);
    }
  }

  // Virtual entry point; statically dispatches to the subclass's
  // HasElementImpl() with the same arguments.
  bool HasElement(Handle<JSObject> holder, uint32_t index,
                  Handle<FixedArrayBase> backing_store,
                  PropertyFilter filter) final {
    const bool found = ElementsAccessorSubclass::HasElementImpl(
        holder, index, backing_store, filter);
    return found;
  }

  // An element exists at |index| when the subclass's GetEntryForIndexImpl()
  // yields anything other than kMaxUInt32.
  static bool HasElementImpl(Handle<JSObject> holder, uint32_t index,
                             Handle<FixedArrayBase> backing_store,
                             PropertyFilter filter) {
    return kMaxUInt32 != ElementsAccessorSubclass::GetEntryForIndexImpl(
                             *holder, *backing_store, index, filter);
  }

  // Virtual entry point; statically dispatches to the subclass's GetImpl().
  Handle<Object> Get(Handle<FixedArrayBase> backing_store,
                     uint32_t entry) final {
    Handle<Object> value =
        ElementsAccessorSubclass::GetImpl(backing_store, entry);
    return value;
  }

  // Default read: translates |entry| into an index with
  // GetIndexForEntryImpl() and reads that index from the store, viewed as
  // this accessor's BackingStore type. No bounds check is performed here.
  static Handle<Object> GetImpl(Handle<FixedArrayBase> backing_store,
                                uint32_t entry) {
    const uint32_t index = GetIndexForEntryImpl(*backing_store, entry);
    Handle<BackingStore> typed_store =
        Handle<BackingStore>::cast(backing_store);
    return BackingStore::get(typed_store, index);
  }

  // Virtual entry point; statically dispatches to the subclass's
  // three-argument SetImpl().
  void Set(FixedArrayBase* backing_store, uint32_t entry, Object* value) final {
    ElementsAccessorSubclass::SetImpl(backing_store, entry, value);
  }

  // Base-class default for a plain store: hits UNREACHABLE(). Accessors that
  // support Set() are expected to provide their own SetImpl().
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value) {
    UNREACHABLE();
  }


  // Base-class default for a store with an explicit write-barrier mode: hits
  // UNREACHABLE(). Accessors that need this overload are expected to provide
  // their own.
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value, WriteBarrierMode mode) {
    UNREACHABLE();
  }

  // Virtual entry point; statically dispatches to the subclass's
  // ReconfigureImpl() with the same arguments.
  void Reconfigure(Handle<JSObject> object, Handle<FixedArrayBase> store,
                   uint32_t entry, Handle<Object> value,
                   PropertyAttributes attributes) final {
    ElementsAccessorSubclass::ReconfigureImpl(object, store, entry, value,
                                              attributes);
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support
  // Reconfigure() are expected to provide their own ReconfigureImpl().
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    UNREACHABLE();
  }

  // Virtual entry point; statically dispatches to the subclass's AddImpl()
  // with the same arguments.
  void Add(Handle<JSObject> object, uint32_t index, Handle<Object> value,
           PropertyAttributes attributes, uint32_t new_capacity) final {
    ElementsAccessorSubclass::AddImpl(object, index, value, attributes,
                                      new_capacity);
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Add() are
  // expected to provide their own AddImpl().
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    UNREACHABLE();
  }

  // Virtual entry point; statically dispatches to the subclass's PushImpl()
  // and returns its result unchanged.
  uint32_t Push(Handle<JSArray> receiver, Handle<FixedArrayBase> backing_store,
                Arguments* args, uint32_t push_size) final {
    const uint32_t result = ElementsAccessorSubclass::PushImpl(
        receiver, backing_store, args, push_size);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Push() are
  // expected to provide their own PushImpl().
  static uint32_t PushImpl(Handle<JSArray> receiver,
                           Handle<FixedArrayBase> elms_obj, Arguments* args,
                           uint32_t push_sized) {
    UNREACHABLE();
    return 0;  // Only here to satisfy the return type.
  }

  // Virtual entry point; statically dispatches to the subclass's
  // UnshiftImpl() and returns its result unchanged.
  uint32_t Unshift(Handle<JSArray> receiver,
                   Handle<FixedArrayBase> backing_store, Arguments* args,
                   uint32_t unshift_size) final {
    const uint32_t result = ElementsAccessorSubclass::UnshiftImpl(
        receiver, backing_store, args, unshift_size);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Unshift()
  // are expected to provide their own UnshiftImpl().
  static uint32_t UnshiftImpl(Handle<JSArray> receiver,
                              Handle<FixedArrayBase> elms_obj, Arguments* args,
                              uint32_t unshift_size) {
    UNREACHABLE();
    return 0;  // Only here to satisfy the return type.
  }

  // Virtual entry point; statically dispatches to the subclass's SliceImpl()
  // and returns its result unchanged.
  Handle<JSArray> Slice(Handle<JSObject> receiver,
                        Handle<FixedArrayBase> backing_store, uint32_t start,
                        uint32_t end) final {
    Handle<JSArray> result = ElementsAccessorSubclass::SliceImpl(
        receiver, backing_store, start, end);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Slice()
  // are expected to provide their own SliceImpl().
  static Handle<JSArray> SliceImpl(Handle<JSObject> receiver,
                                   Handle<FixedArrayBase> backing_store,
                                   uint32_t start, uint32_t end) {
    UNREACHABLE();
    return Handle<JSArray>();  // Only here to satisfy the return type.
  }

  // Virtual entry point; statically dispatches to the subclass's SpliceImpl()
  // and returns its result unchanged.
  Handle<JSArray> Splice(Handle<JSArray> receiver,
                         Handle<FixedArrayBase> backing_store, uint32_t start,
                         uint32_t delete_count, Arguments* args,
                         uint32_t add_count) final {
    Handle<JSArray> result = ElementsAccessorSubclass::SpliceImpl(
        receiver, backing_store, start, delete_count, args, add_count);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Splice()
  // are expected to provide their own SpliceImpl().
  static Handle<JSArray> SpliceImpl(Handle<JSArray> receiver,
                                    Handle<FixedArrayBase> backing_store,
                                    uint32_t start, uint32_t delete_count,
                                    Arguments* args, uint32_t add_count) {
    UNREACHABLE();
    return Handle<JSArray>();  // Only here to satisfy the return type.
  }

  // Virtual entry point; statically dispatches to the subclass's PopImpl()
  // and returns its result unchanged.
  Handle<Object> Pop(Handle<JSArray> receiver,
                     Handle<FixedArrayBase> backing_store) final {
    Handle<Object> result =
        ElementsAccessorSubclass::PopImpl(receiver, backing_store);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Pop() are
  // expected to provide their own PopImpl().
  static Handle<Object> PopImpl(Handle<JSArray> receiver,
                                Handle<FixedArrayBase> backing_store) {
    UNREACHABLE();
    return Handle<Object>();  // Only here to satisfy the return type.
  }

  // Virtual entry point; statically dispatches to the subclass's ShiftImpl()
  // and returns its result unchanged.
  Handle<Object> Shift(Handle<JSArray> receiver,
                       Handle<FixedArrayBase> backing_store) final {
    Handle<Object> result =
        ElementsAccessorSubclass::ShiftImpl(receiver, backing_store);
    return result;
  }

  // Base-class default: hits UNREACHABLE(). Accessors that support Shift()
  // are expected to provide their own ShiftImpl().
  static Handle<Object> ShiftImpl(Handle<JSArray> receiver,
                                  Handle<FixedArrayBase> backing_store) {
    UNREACHABLE();
    return Handle<Object>();  // Only here to satisfy the return type.
  }

  // Virtual entry point; wraps the array's current elements in a handle and
  // statically dispatches to the subclass's SetLengthImpl().
  void SetLength(Handle<JSArray> array, uint32_t length) final {
    Handle<FixedArrayBase> backing_store = handle(array->elements());
    ElementsAccessorSubclass::SetLengthImpl(array, length, backing_store);
  }

  // Sets the length of the fast-elements |array| to |length| and adjusts the
  // backing store to match:
  //   - growing the length first transitions a non-holey kind to its holey
  //     counterpart;
  //   - length 0 resets the elements via initialize_elements();
  //   - a length within the current capacity either right-trims the store
  //     (when at most half of it stays in use) or overwrites the slots from
  //     |length| up to the old length with holes;
  //   - a length above the capacity grows the store through the subclass's
  //     GrowCapacityAndConvertImpl().
  // The old length must be a valid array index; that is enforced with CHECK,
  // so it also holds in release builds. The other preconditions are DCHECKs.
  static void SetLengthImpl(Handle<JSArray> array, uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    DCHECK(!array->SetLengthWouldNormalize(length));
    DCHECK(IsFastElementsKind(array->GetElementsKind()));
    uint32_t old_length = 0;
    CHECK(array->length()->ToArrayIndex(&old_length));

    if (old_length < length) {
      ElementsKind current_kind = array->GetElementsKind();
      if (!IsFastHoleyElementsKind(current_kind)) {
        current_kind = GetHoleyElementsKind(current_kind);
        JSObject::TransitionElementsKind(array, current_kind);
      }
    }

    uint32_t capacity = backing_store->length();
    if (length == 0) {
      array->initialize_elements();
    } else if (length > capacity) {
      // The backing store has to be expanded.
      capacity = Max(length, JSObject::NewElementsCapacity(capacity));
      ElementsAccessorSubclass::GrowCapacityAndConvertImpl(array, capacity);
    } else {
      if (array->HasFastSmiOrObjectElements()) {
        backing_store = JSObject::EnsureWritableFastElements(array);
      }
      const bool at_most_half_used = 2 * length <= capacity;
      if (at_most_half_used) {
        // Trim the store rather than keeping the unused part around.
        array->GetHeap()->RightTrimFixedArray<Heap::CONCURRENT_TO_SWEEPER>(
            *backing_store, capacity - length);
      } else {
        // Keep the store and fill the no-longer-used tail with holes.
        // NOTE(review): the upper bound is the old length, not the capacity;
        // this assumes old_length <= capacity, which is not checked here.
        for (uint32_t i = length; i < old_length; i++) {
          BackingStore::cast(*backing_store)->set_the_hole(i);
        }
      }
    }

    array->set_length(Smi::FromInt(length));
    JSObject::ValidateElements(array);
  }

  // Convenience overload: copies from index 0 to index 0 and passes
  // kCopyToEndAndInitializeToHole as the copy size.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity) {
    const uint32_t kSourceStart = 0;
    const uint32_t kDestinationStart = 0;
    return ConvertElementsWithCapacity(
        object, old_elements, from_kind, capacity, kSourceStart,
        kDestinationStart, ElementsAccessor::kCopyToEndAndInitializeToHole);
  }

  // Convenience overload: copies from index 0 to index 0 with a
  // caller-supplied copy_size.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity, int copy_size) {
    const uint32_t kSourceStart = 0;
    const uint32_t kDestinationStart = 0;
    return ConvertElementsWithCapacity(object, old_elements, from_kind,
                                       capacity, kSourceStart,
                                       kDestinationStart, copy_size);
  }

  // Allocates a new backing store of `capacity` elements for this accessor's
  // elements kind and copies `old_elements` (of kind `from_kind`) into it via
  // the subclass CopyElementsImpl(). Returns the new store; installing it on
  // `object` is left to the caller.
  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity, uint32_t src_index,
      uint32_t dst_index, int copy_size) {
    Isolate* isolate = object->GetIsolate();
    Handle<FixedArrayBase> converted;
    if (!IsFastDoubleElementsKind(kind())) {
      // NOTE(review): this store comes from NewUninitializedFixedArray(); the
      // code presumably relies on CopyElementsImpl() writing every slot
      // (copied values or holes) before the store is published -- confirm for
      // each copy_size a caller can pass.
      converted = isolate->factory()->NewUninitializedFixedArray(capacity);
    } else {
      converted = isolate->factory()->NewFixedDoubleArray(capacity);
    }

    // The packed size is only known for packed JSArrays, where it is the
    // array length.
    int packed_size = kPackedSizeNotKnown;
    const bool is_packed_array =
        IsFastPackedElementsKind(from_kind) && object->IsJSArray();
    if (is_packed_array) {
      packed_size = Smi::cast(JSArray::cast(*object)->length())->value();
    }

    ElementsAccessorSubclass::CopyElementsImpl(
        *old_elements, src_index, *converted, from_kind, dst_index,
        packed_size, copy_size);

    return converted;
  }

  // Replaces the elements of `object` with a new backing store of `capacity`
  // elements in this accessor's kind (holey when the source kind is holey),
  // then updates the map and, if present, the allocation site.
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    ElementsKind source_kind = object->GetElementsKind();
    if (IsFastSmiOrObjectElementsKind(source_kind)) {
      // Array optimizations rely on the prototype lookups of Array objects
      // always returning undefined. If there is a store to the initial
      // prototype object, make sure all of these optimizations are invalidated.
      object->GetIsolate()->UpdateArrayProtectorOnSetLength(object);
    }
    Handle<FixedArrayBase> previous_store(object->elements());
    // This method should only be called if there's a reason to update the
    // elements.
    DCHECK(IsFastDoubleElementsKind(source_kind) !=
               IsFastDoubleElementsKind(kind()) ||
           IsDictionaryElementsKind(source_kind) ||
           static_cast<uint32_t>(previous_store->length()) < capacity);
    Handle<FixedArrayBase> converted_store = ConvertElementsWithCapacity(
        object, previous_store, source_kind, capacity);

    // Holeyness of the source is carried over to the target kind.
    ElementsKind target_kind = IsHoleyElementsKind(source_kind)
                                   ? GetHoleyElementsKind(kind())
                                   : kind();
    Handle<Map> target_map =
        JSObject::GetElementsTransitionMap(object, target_kind);
    JSObject::SetMapAndElements(object, target_map, converted_store);

    // Transition through the allocation site as well if present.
    JSObject::UpdateAllocationSite(object, target_kind);

    if (FLAG_trace_elements_transitions) {
      JSObject::PrintElementsTransition(stdout, object, source_kind,
                                        previous_store, target_kind,
                                        converted_store);
    }
  }

  // Virtual entry point: forwards to the subclass GrowCapacityAndConvertImpl().
  void GrowCapacityAndConvert(Handle<JSObject> object,
                              uint32_t capacity) final {
    ElementsAccessorSubclass::GrowCapacityAndConvertImpl(object, capacity);
  }

  // Virtual entry point: forwards to the subclass DeleteImpl(). Note that the
  // argument is an entry in the backing store, not an element index.
  void Delete(Handle<JSObject> obj, uint32_t entry) final {
    ElementsAccessorSubclass::DeleteImpl(obj, entry);
  }

  // Default CopyElementsImpl: hits UNREACHABLE(), so accessors whose elements
  // can be copied must provide their own implementation. Takes raw pointers
  // rather than handles (see the notes in CopyElements()).
  static void CopyElementsImpl(FixedArrayBase* from, uint32_t from_start,
                               FixedArrayBase* to, ElementsKind from_kind,
                               uint32_t to_start, int packed_size,
                               int copy_size) {
    UNREACHABLE();
  }

  // Copies elements between two backing stores given as handles. The packed
  // size is passed as kPackedSizeNotKnown because no holder object is
  // available here.
  void CopyElements(Handle<FixedArrayBase> from, uint32_t from_start,
                    ElementsKind from_kind, Handle<FixedArrayBase> to,
                    uint32_t to_start, int copy_size) final {
    DCHECK(!from.is_null());
    // NOTE: the ElementsAccessorSubclass::CopyElementsImpl() methods
    // violate the handlified function signature convention:
    // raw pointer parameters in the function that allocates. This is done
    // intentionally to avoid ArrayConcat() builtin performance degradation.
    // See the comment in another ElementsAccessorBase::CopyElements() for
    // details.
    FixedArrayBase* raw_source = *from;
    FixedArrayBase* raw_target = *to;
    ElementsAccessorSubclass::CopyElementsImpl(raw_source, from_start,
                                               raw_target, from_kind, to_start,
                                               kPackedSizeNotKnown, copy_size);
  }

  // Copies the elements of `from_holder` into `to`. For a packed JSArray the
  // packed size is the array length, capped at copy_size when copy_size is
  // non-negative; otherwise it is kPackedSizeNotKnown.
  void CopyElements(JSObject* from_holder, uint32_t from_start,
                    ElementsKind from_kind, Handle<FixedArrayBase> to,
                    uint32_t to_start, int copy_size) final {
    int packed_size = kPackedSizeNotKnown;
    if (IsFastPackedElementsKind(from_kind) && from_holder->IsJSArray()) {
      const int array_length =
          Smi::cast(JSArray::cast(from_holder)->length())->value();
      const bool cap_to_copy_size = copy_size >= 0 && array_length > copy_size;
      packed_size = cap_to_copy_size ? copy_size : array_length;
    }
    FixedArrayBase* source_store = from_holder->elements();
    // NOTE: the ElementsAccessorSubclass::CopyElementsImpl() methods
    // violate the handlified function signature convention:
    // raw pointer parameters in the function that allocates. This is done
    // intentionally to avoid ArrayConcat() builtin performance degradation.
    //
    // Details: The idea is that allocations actually happen only in case of
    // copying from object with fast double elements to object with object
    // elements. In all the other cases there are no allocations performed and
    // handle creation causes noticeable performance degradation of the builtin.
    ElementsAccessorSubclass::CopyElementsImpl(source_store, from_start, *to,
                                               from_kind, to_start,
                                               packed_size, copy_size);
  }

  // Adds to `keys` every index in [offset, min(range, length)) for which the
  // subclass HasElementImpl() reports an element under `filter`. `length` is
  // the array length for a JSArray and the backing-store capacity otherwise.
  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
                                        KeyAccumulator* keys, uint32_t range,
                                        PropertyFilter filter,
                                        uint32_t offset) {
    // Non-dictionary elements can't have all-can-read accessors.
    if (filter & ONLY_ALL_CAN_READ) return;

    uint32_t length = 0;
    if (!object->IsJSArray()) {
      length =
          ElementsAccessorSubclass::GetCapacityImpl(*object, *backing_store);
    } else {
      length = Smi::cast(JSArray::cast(*object)->length())->value();
    }
    const uint32_t limit = range < length ? range : length;
    for (uint32_t index = offset; index < limit; index++) {
      if (ElementsAccessorSubclass::HasElementImpl(object, index,
                                                   backing_store, filter)) {
        keys->AddKey(index);
      }
    }
  }

  // Virtual entry point: forwards to the subclass CollectElementIndicesImpl().
  void CollectElementIndices(Handle<JSObject> object,
                             Handle<FixedArrayBase> backing_store,
                             KeyAccumulator* keys, uint32_t range,
                             PropertyFilter filter, uint32_t offset) final {
    ElementsAccessorSubclass::CollectElementIndicesImpl(
        object, backing_store, keys, range, filter, offset);
  }

  // Adds the value stored in every present entry of the receiver's elements
  // to `accumulator`. The DCHECKs document that holes and accessor values are
  // not expected here.
  void AddElementsToKeyAccumulator(Handle<JSObject> receiver,
                                   KeyAccumulator* accumulator,
                                   AddKeyConversion convert) final {
    Handle<FixedArrayBase> elements(receiver->elements());
    const uint32_t entry_count =
        ElementsAccessorSubclass::GetCapacityImpl(*receiver, *elements);
    if (entry_count == 0) return;

    for (uint32_t entry = 0; entry < entry_count; entry++) {
      if (ElementsAccessorSubclass::HasEntryImpl(*elements, entry)) {
        Handle<Object> value =
            ElementsAccessorSubclass::GetImpl(elements, entry);
        DCHECK(!value->IsTheHole());
        DCHECK(!value->IsAccessorPair());
        DCHECK(!value->IsExecutableAccessorInfo());
        accumulator->AddKey(value, convert);
      }
    }
  }

  // Default capacity: the length of the backing store. `holder` is unused
  // here.
  static uint32_t GetCapacityImpl(JSObject* holder,
                                  FixedArrayBase* backing_store) {
    return backing_store->length();
  }

  // Virtual entry point: forwards to the subclass GetCapacityImpl().
  uint32_t GetCapacity(JSObject* holder, FixedArrayBase* backing_store) final {
    const uint32_t capacity =
        ElementsAccessorSubclass::GetCapacityImpl(holder, backing_store);
    return capacity;
  }

  // Default HasEntryImpl: reports every entry as present without looking at
  // the store or doing any bounds check on `entry`.
  static bool HasEntryImpl(FixedArrayBase* backing_store, uint32_t entry) {
    return true;
  }

  // Default mapping from entry to element index: the identity.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase* backing_store,
                                       uint32_t entry) {
    return entry;
  }

  // Maps an element index to its entry, or kMaxUInt32 when there is none.
  // Holey kinds: the index must be below the capacity and the slot must not be
  // the hole. Other kinds: the index must be below the JSArray length, or below
  // the capacity when the holder is not a JSArray. `filter` is not consulted.
  static uint32_t GetEntryForIndexImpl(JSObject* holder,
                                       FixedArrayBase* backing_store,
                                       uint32_t index, PropertyFilter filter) {
    if (IsHoleyElementsKind(kind())) {
      // The bounds check must come first: is_the_hole() is only called for an
      // index that is inside the store.
      if (index >=
          ElementsAccessorSubclass::GetCapacityImpl(holder, backing_store)) {
        return kMaxUInt32;
      }
      if (BackingStore::cast(backing_store)->is_the_hole(index)) {
        return kMaxUInt32;
      }
      return index;
    }

    // NOTE(review): for a JSArray the bound is the array length rather than
    // the store capacity; callers that index the store with the result
    // presumably rely on length <= capacity -- confirm.
    uint32_t length;
    if (holder->IsJSArray()) {
      length = static_cast<uint32_t>(
          Smi::cast(JSArray::cast(holder)->length())->value());
    } else {
      length =
          ElementsAccessorSubclass::GetCapacityImpl(holder, backing_store);
    }
    return index < length ? index : kMaxUInt32;
  }

  // Virtual entry point: looks up the entry for `index` through the subclass
  // GetEntryForIndexImpl(), always with the ALL_PROPERTIES filter.
  uint32_t GetEntryForIndex(JSObject* holder, FixedArrayBase* backing_store,
                            uint32_t index) final {
    const uint32_t entry = ElementsAccessorSubclass::GetEntryForIndexImpl(
        holder, backing_store, index, ALL_PROPERTIES);
    return entry;
  }

  // Default property details: a DATA property with attributes NONE. Neither
  // the store nor `entry` is read.
  static PropertyDetails GetDetailsImpl(FixedArrayBase* backing_store,
                                        uint32_t entry) {
    return PropertyDetails(NONE, DATA, 0, PropertyCellType::kNoCell);
  }

  // Virtual entry point: forwards to the subclass GetDetailsImpl().
  PropertyDetails GetDetails(FixedArrayBase* backing_store,
                             uint32_t entry) final {
    PropertyDetails details =
        ElementsAccessorSubclass::GetDetailsImpl(backing_store, entry);
    return details;
  }

 private:
  DISALLOW_COPY_AND_ASSIGN(ElementsAccessorBase);
};


// Elements accessor for DICTIONARY_ELEMENTS. The backing store is a
// SeededNumberDictionary, so an "entry" is a slot in that dictionary and is
// distinct from the element index stored as the slot's key.
class DictionaryElementsAccessor
    : public ElementsAccessorBase<DictionaryElementsAccessor,
                                  ElementsKindTraits<DICTIONARY_ELEMENTS> > {
 public:
  explicit DictionaryElementsAccessor(const char* name)
      : ElementsAccessorBase<DictionaryElementsAccessor,
                             ElementsKindTraits<DICTIONARY_ELEMENTS> >(name) {}

  // Sets the array length. When shrinking, entries whose index lies in
  // [length, old_length) are removed; if the dictionary requires slow
  // elements, a non-configurable entry in that range raises the effective
  // length to just past it, so the length actually stored can be larger than
  // the one requested.
  static void SetLengthImpl(Handle<JSArray> array, uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    Handle<SeededNumberDictionary> dict =
        Handle<SeededNumberDictionary>::cast(backing_store);
    Isolate* isolate = array->GetIsolate();
    int capacity = dict->Capacity();
    uint32_t old_length = 0;
    CHECK(array->length()->ToArrayLength(&old_length));
    if (length < old_length) {
      if (dict->requires_slow_elements()) {
        // Find last non-deletable element in range of elements to be
        // deleted and adjust range accordingly.
        for (int entry = 0; entry < capacity; entry++) {
          DisallowHeapAllocation no_gc;
          Object* index = dict->KeyAt(entry);
          if (index->IsNumber()) {
            // NOTE(review): unlike CollectElementIndicesImpl() below, there is
            // no DCHECK that the key fits in uint32_t before this cast;
            // presumably every numeric key is a valid array index -- confirm.
            uint32_t number = static_cast<uint32_t>(index->Number());
            if (length <= number && number < old_length) {
              PropertyDetails details = dict->DetailsAt(entry);
              // number < old_length, so number + 1 cannot wrap around.
              if (!details.IsConfigurable()) length = number + 1;
            }
          }
        }
      }

      if (length == 0) {
        // Flush the backing store.
        JSObject::ResetElements(array);
      } else {
        DisallowHeapAllocation no_gc;
        // Remove elements that should be deleted.
        int removed_entries = 0;
        Handle<Object> the_hole_value = isolate->factory()->the_hole_value();
        for (int entry = 0; entry < capacity; entry++) {
          Object* index = dict->KeyAt(entry);
          if (index->IsNumber()) {
            uint32_t number = static_cast<uint32_t>(index->Number());
            if (length <= number && number < old_length) {
              // Both key and value of the slot are overwritten with the hole.
              dict->SetEntry(entry, the_hole_value, the_hole_value);
              removed_entries++;
            }
          }
        }

        // Update the number of elements.
        dict->ElementsRemoved(removed_entries);
      }
    }

    // The stored length is the possibly adjusted one, not the argument as
    // passed in.
    Handle<Object> length_obj = isolate->factory()->NewNumberFromUint(length);
    array->set_length(*length_obj);
  }

  // Not supported for dictionary elements: hits UNREACHABLE().
  static void CopyElementsImpl(FixedArrayBase* from, uint32_t from_start,
                               FixedArrayBase* to, ElementsKind from_kind,
                               uint32_t to_start, int packed_size,
                               int copy_size) {
    UNREACHABLE();
  }


  // Deletes the property stored at `entry`, shrinks the dictionary and
  // installs the result of Shrink() as the object's elements.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    // TODO(verwaest): Remove reliance on index in Shrink.
    Handle<SeededNumberDictionary> dict(
        SeededNumberDictionary::cast(obj->elements()));
    // The index is read before DeleteProperty() because it is needed for
    // Shrink() afterwards.
    uint32_t index = GetIndexForEntryImpl(*dict, entry);
    Handle<Object> result = SeededNumberDictionary::DeleteProperty(dict, entry);
    // The result is only inspected by the DCHECK; USE() keeps builds without
    // DCHECKs free of an unused-variable warning.
    USE(result);
    DCHECK(result->IsTrue());
    Handle<FixedArray> new_elements =
        SeededNumberDictionary::Shrink(dict, index);
    obj->set_elements(*new_elements);
  }

  // Returns the raw value stored at `entry`. No bounds check is made here.
  static Object* GetRaw(FixedArrayBase* store, uint32_t entry) {
    SeededNumberDictionary* backing_store = SeededNumberDictionary::cast(store);
    return backing_store->ValueAt(entry);
  }

  // Handlified variant of GetRaw().
  static Handle<Object> GetImpl(Handle<FixedArrayBase> store, uint32_t entry) {
    Isolate* isolate = store->GetIsolate();
    return handle(GetRaw(*store, entry), isolate);
  }

  // Overwrites the value stored at `entry`; key and details are left as is.
  static inline void SetImpl(FixedArrayBase* store, uint32_t entry,
                             Object* value) {
    SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(store);
    dictionary->ValueAtPut(entry, value);
  }

  // Stores `value` at `entry` and replaces its details with a DATA property
  // carrying `attributes`, keeping the entry's dictionary index. Any attribute
  // other than NONE marks the object as requiring slow elements.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    // NOTE(review): `dictionary` is a raw pointer that stays live across
    // RequireSlowElements(); presumably that call cannot allocate -- confirm,
    // there is no DisallowHeapAllocation scope here.
    SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(*store);
    if (attributes != NONE) object->RequireSlowElements(dictionary);
    dictionary->ValueAtPut(entry, *value);
    PropertyDetails details = dictionary->DetailsAt(entry);
    details = PropertyDetails(attributes, DATA, details.dictionary_index(),
                              PropertyCellType::kNoCell);
    dictionary->DetailsAtPut(entry, details);
  }

  // Adds a new element at `index`. An object with fast elements is normalized
  // first. `new_capacity` is not used by this implementation.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    PropertyDetails details(attributes, DATA, 0, PropertyCellType::kNoCell);
    Handle<SeededNumberDictionary> dictionary =
        object->HasFastElements()
            ? JSObject::NormalizeElements(object)
            : handle(SeededNumberDictionary::cast(object->elements()));
    Handle<SeededNumberDictionary> new_dictionary =
        SeededNumberDictionary::AddNumberEntry(
            dictionary, index, value, details,
            object->map()->is_prototype_map());
    if (attributes != NONE) object->RequireSlowElements(*new_dictionary);
    // AddNumberEntry() can hand back a different dictionary; only then do the
    // object's elements need to be replaced.
    if (dictionary.is_identical_to(new_dictionary)) return;
    object->set_elements(*new_dictionary);
  }

  // An entry is present when its key is not the hole.
  static bool HasEntryImpl(FixedArrayBase* store, uint32_t entry) {
    DisallowHeapAllocation no_gc;
    SeededNumberDictionary* dict = SeededNumberDictionary::cast(store);
    Object* index = dict->KeyAt(entry);
    return !index->IsTheHole();
  }

  // Returns the element index stored as the key of `entry`. The CHECK aborts
  // in all build modes when the key is not an array index.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase* store, uint32_t entry) {
    DisallowHeapAllocation no_gc;
    SeededNumberDictionary* dict = SeededNumberDictionary::cast(store);
    uint32_t result = 0;
    CHECK(dict->KeyAt(entry)->ToArrayIndex(&result));
    return result;
  }

  // Returns the entry holding `index`, or kMaxUInt32 when the index is absent
  // or when the entry has any attribute that is set in `filter`.
  static uint32_t GetEntryForIndexImpl(JSObject* holder, FixedArrayBase* store,
                                       uint32_t index, PropertyFilter filter) {
    DisallowHeapAllocation no_gc;
    SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(store);
    int entry = dictionary->FindEntry(index);
    // kNotFound has to be filtered out before the cast to uint32_t below.
    if (entry == SeededNumberDictionary::kNotFound) return kMaxUInt32;
    if (filter != ALL_PROPERTIES) {
      PropertyDetails details = dictionary->DetailsAt(entry);
      PropertyAttributes attr = details.attributes();
      if ((attr & filter) != 0) return kMaxUInt32;
    }
    return static_cast<uint32_t>(entry);
  }

  // Returns the property details stored for `entry`.
  static PropertyDetails GetDetailsImpl(FixedArrayBase* backing_store,
                                        uint32_t entry) {
    return SeededNumberDictionary::cast(backing_store)->DetailsAt(entry);
  }

  // Adds the index of every live dictionary entry that passes `filter` and is
  // not below `offset` to `keys`, then sorts the current elements list.
  // NOTE(review): `range` is not consulted here, whereas the
  // ElementsAccessorBase implementation clamps the scanned length to it;
  // confirm that callers do not expect indices >= range to be left out.
  static void CollectElementIndicesImpl(Handle<JSObject> object,
                                        Handle<FixedArrayBase> backing_store,
                                        KeyAccumulator* keys, uint32_t range,
                                        PropertyFilter filter,
                                        uint32_t offset) {
    Handle<SeededNumberDictionary> dictionary =
        Handle<SeededNumberDictionary>::cast(backing_store);
    int capacity = dictionary->Capacity();
    for (int i = 0; i < capacity; i++) {
      Object* k = dictionary->KeyAt(i);
      if (!dictionary->IsKey(k)) continue;
      if (k->FilterKey(filter)) continue;
      if (dictionary->IsDeleted(i)) continue;
      DCHECK(k->IsNumber());
      DCHECK_LE(k->Number(), kMaxUInt32);
      uint32_t index = static_cast<uint32_t>(k->Number());
      if (index < offset) continue;
      PropertyDetails details = dictionary->DetailsAt(i);
      if (filter & ONLY_ALL_CAN_READ) {
        // With ONLY_ALL_CAN_READ, only accessor entries whose AccessorInfo is
        // flagged all_can_read are reported.
        if (details.kind() != kAccessor) continue;
        Object* accessors = dictionary->ValueAt(i);
        if (!accessors->IsAccessorInfo()) continue;
        if (!AccessorInfo::cast(accessors)->all_can_read()) continue;
      }
      PropertyAttributes attr = details.attributes();
      if ((attr & filter) != 0) continue;
      keys->AddKey(index);
    }

    keys->SortCurrentElementsList();
  }
};


// Super class for all fast element arrays.
template<typename FastElementsAccessorSubclass,
         typename KindTraits>
class FastElementsAccessor
    : public ElementsAccessorBase<FastElementsAccessorSubclass, KindTraits> {
 public:
  // Passes the accessor name on to ElementsAccessorBase.
  explicit FastElementsAccessor(const char* name)
      : ElementsAccessorBase<FastElementsAccessorSubclass, KindTraits>(name) {}

  typedef typename KindTraits::BackingStore BackingStore;

  // Drops the tail of the backing store starting at `entry`, extended
  // backwards over any holes that directly precede it. When nothing is left,
  // the empty fixed array is installed instead (for fast arguments objects it
  // is written into slot 1 of the elements array); otherwise the store is
  // right-trimmed in place.
  static void DeleteAtEnd(Handle<JSObject> obj,
                          Handle<BackingStore> backing_store, uint32_t entry) {
    const uint32_t store_length =
        static_cast<uint32_t>(backing_store->length());
    Heap* heap = obj->GetHeap();
    // After this loop `entry` is the number of leading slots to keep.
    while (entry > 0 && backing_store->is_the_hole(entry - 1)) {
      entry--;
    }
    if (entry != 0) {
      // NOTE(review): the trim count assumes entry <= store_length; nothing
      // in this function checks it -- confirm against the callers.
      heap->RightTrimFixedArray<Heap::CONCURRENT_TO_SWEEPER>(
          *backing_store, store_length - entry);
      return;
    }

    FixedArray* empty = heap->empty_fixed_array();
    if (obj->HasFastArgumentsElements()) {
      FixedArray::cast(obj->elements())->set(1, empty);
    } else {
      obj->set_elements(empty);
    }
  }

  // Deletes the element at `entry` from a fast backing store. Deleting the
  // last slot of a non-JSArray trims the store; otherwise the slot is set to
  // the hole and, for large old-space stores that have become sparse, the
  // elements are normalized to a dictionary.
  static void DeleteCommon(Handle<JSObject> obj, uint32_t entry,
                           Handle<FixedArrayBase> store) {
    DCHECK(obj->HasFastSmiOrObjectElements() ||
           obj->HasFastDoubleElements() ||
           obj->HasFastArgumentsElements());
    Handle<BackingStore> backing_store = Handle<BackingStore>::cast(store);
    const bool holder_is_array = obj->IsJSArray();
    if (!holder_is_array &&
        entry == static_cast<uint32_t>(store->length()) - 1) {
      DeleteAtEnd(obj, backing_store, entry);
      return;
    }

    // NOTE(review): `entry` is written without a bounds check; the caller is
    // presumably responsible for entry < store length -- confirm.
    backing_store->set_the_hole(entry);

    // TODO(verwaest): Move this out of elements.cc.
    // If an old space backing store is larger than a certain size and
    // has too few used values, normalize it.
    // To avoid doing the check on every delete we require at least
    // one adjacent hole to the value being deleted.
    const int kMinLengthForSparsenessCheck = 64;
    if (backing_store->length() < kMinLengthForSparsenessCheck) return;
    if (backing_store->GetHeap()->InNewSpace(*backing_store)) return;
    uint32_t length = 0;
    if (holder_is_array) {
      JSArray::cast(*obj)->length()->ToArrayLength(&length);
    } else {
      length = static_cast<uint32_t>(store->length());
    }
    const bool has_adjacent_hole =
        (entry > 0 && backing_store->is_the_hole(entry - 1)) ||
        (entry + 1 < length && backing_store->is_the_hole(entry + 1));
    if (!has_adjacent_hole) return;

    if (!holder_is_array) {
      // When everything after `entry` is a hole as well, trimming the tail is
      // enough.
      uint32_t next_used = entry + 1;
      while (next_used < length && backing_store->is_the_hole(next_used)) {
        next_used++;
      }
      if (next_used == length) {
        DeleteAtEnd(obj, backing_store, entry);
        return;
      }
    }

    int used_count = 0;
    for (int slot = 0; slot < backing_store->length(); ++slot) {
      if (backing_store->is_the_hole(slot)) continue;
      ++used_count;
      // Bail out if a number dictionary wouldn't be able to save at least
      // 75% space.
      if (4 * SeededNumberDictionary::ComputeCapacity(used_count) *
              SeededNumberDictionary::kEntrySize >
          backing_store->length()) {
        return;
      }
    }
    JSObject::NormalizeElements(obj);
  }

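  // Reconfigures the element at `entry` with new attributes. Fast backing
  // stores cannot hold attributes, so the elements are normalized to a
  // dictionary first and the work is delegated to DictionaryElementsAccessor.
  // On entry, `entry` addresses the fast store; it is re-resolved to the
  // matching dictionary entry after normalization.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    Handle<SeededNumberDictionary> dictionary =
        JSObject::NormalizeElements(object);
    int dictionary_entry = dictionary->FindEntry(entry);
    // FindEntry() reports a missing key as kNotFound. Converted to uint32_t
    // that value would be used as a slot number by the dictionary accessor, so
    // make the "element must exist" contract explicit in debug builds.
    DCHECK(dictionary_entry != SeededNumberDictionary::kNotFound);
    entry = static_cast<uint32_t>(dictionary_entry);
    DictionaryElementsAccessor::ReconfigureImpl(object, dictionary, entry,
                                                value, attributes);
  }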

  // Stores `value` at `index` in a fast backing store. The store is first
  // reallocated and converted when the object currently has dictionary
  // elements, when double-ness differs between source and target kind, or
  // when its capacity is not `new_capacity`; otherwise only the elements kind
  // is transitioned and the store made writable as needed.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    DCHECK_EQ(NONE, attributes);
    const ElementsKind from_kind = object->GetElementsKind();
    const ElementsKind to_kind = FastElementsAccessorSubclass::kind();
    const bool needs_new_store =
        IsDictionaryElementsKind(from_kind) ||
        IsFastDoubleElementsKind(from_kind) !=
            IsFastDoubleElementsKind(to_kind) ||
        FastElementsAccessorSubclass::GetCapacityImpl(
            *object, object->elements()) != new_capacity;
    if (needs_new_store) {
      FastElementsAccessorSubclass::GrowCapacityAndConvertImpl(object,
                                                               new_capacity);
    } else {
      if (from_kind != to_kind) {
        JSObject::TransitionElementsKind(object, to_kind);
      }
      if (IsFastSmiOrObjectElementsKind(from_kind)) {
        DCHECK(IsFastSmiOrObjectElementsKind(to_kind));
        JSObject::EnsureWritableFastElements(object);
      }
    }
    // NOTE(review): `index` is not compared with `new_capacity` here; the
    // caller presumably guarantees index < new_capacity -- confirm.
    FastElementsAccessorSubclass::SetImpl(object->elements(), index, *value);
  }

  // Deletes the element at `entry`: a packed kind is transitioned to its holey
  // counterpart, smi/object stores are made writable, and the rest is done by
  // DeleteCommon() on the object's then-current elements.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    const ElementsKind own_kind = KindTraits::Kind;
    if (IsFastPackedElementsKind(own_kind)) {
      const ElementsKind holey_kind = GetHoleyElementsKind(own_kind);
      JSObject::TransitionElementsKind(obj, holey_kind);
    }
    if (IsFastSmiOrObjectElementsKind(own_kind)) {
      JSObject::EnsureWritableFastElements(obj);
    }
    // The elements are re-read here because the steps above may have replaced
    // them.
    Handle<FixedArrayBase> current_store = handle(obj->elements());
    DeleteCommon(obj, entry, current_store);
  }

  // An entry is present when its slot does not hold the hole. `entry` is not
  // bounds-checked here.
  static bool HasEntryImpl(FixedArrayBase* backing_store, uint32_t entry) {
    BackingStore* typed_store = BackingStore::cast(backing_store);
    return !typed_store->is_the_hole(entry);
  }

  // Debug-only consistency check (the body is compiled out unless DEBUG is
  // set): the map of the holder's elements must match this accessor's kind
  // and, for smi kinds, each of the first `length` slots must hold a Smi, or
  // the hole when the kind is holey.
  static void ValidateContents(Handle<JSObject> holder, int length) {
#if DEBUG
    Isolate* isolate = holder->GetIsolate();
    HandleScope scope(isolate);
    Handle<FixedArrayBase> elements(holder->elements(), isolate);
    Map* elements_map = elements->map();
    Heap* heap = isolate->heap();
    DCHECK((IsFastSmiOrObjectElementsKind(KindTraits::Kind) &&
            (elements_map == heap->fixed_array_map() ||
             elements_map == heap->fixed_cow_array_map())) ||
           (IsFastDoubleElementsKind(KindTraits::Kind) ==
            ((elements_map == heap->fixed_array_map() && length == 0) ||
             elements_map == heap->fixed_double_array_map())));
    if (length == 0) return;  // nothing to do!
    DisallowHeapAllocation no_gc;
    Handle<BackingStore> backing_store = Handle<BackingStore>::cast(elements);
    if (!IsFastSmiElementsKind(KindTraits::Kind)) return;
    for (int slot = 0; slot < length; slot++) {
      DCHECK(BackingStore::get(backing_store, slot)->IsSmi() ||
             (IsFastHoleyElementsKind(KindTraits::Kind) &&
              backing_store->is_the_hole(slot)));
    }
#endif
  }

  // Removes and returns the last element of |receiver| (AT_END).
  //
  // Delegates to RemoveElement(), which only DCHECKs that the array is
  // non-empty; the caller has to rule out a zero length before calling.
  static Handle<Object> PopImpl(Handle<JSArray> receiver,
                                Handle<FixedArrayBase> backing_store) {
    Handle<Object> removed = FastElementsAccessorSubclass::RemoveElement(
        receiver, backing_store, AT_END);
    return removed;
  }

  // Removes and returns the first element of |receiver| (AT_START); the
  // remaining elements are moved down by RemoveElement().
  //
  // RemoveElement() only DCHECKs that the array is non-empty; the caller has
  // to rule out a zero length before calling.
  static Handle<Object> ShiftImpl(Handle<JSArray> receiver,
                                  Handle<FixedArrayBase> backing_store) {
    Handle<Object> removed = FastElementsAccessorSubclass::RemoveElement(
        receiver, backing_store, AT_START);
    return removed;
  }

  // Appends |push_size| values taken from |args| to the end of |receiver| and
  // returns the new length. See AddArguments() for the preconditions, which
  // are enforced with DCHECKs only.
  static uint32_t PushImpl(Handle<JSArray> receiver,
                           Handle<FixedArrayBase> backing_store,
                           Arguments* args, uint32_t push_size) {
    uint32_t new_length = FastElementsAccessorSubclass::AddArguments(
        receiver, backing_store, args, push_size, AT_END);
    return new_length;
  }

  // Inserts |unshift_size| values taken from |args| at the front of
  // |receiver| and returns the new length. See AddArguments() for the
  // preconditions, which are enforced with DCHECKs only.
  static uint32_t UnshiftImpl(Handle<JSArray> receiver,
                              Handle<FixedArrayBase> backing_store,
                              Arguments* args, uint32_t unshift_size) {
    uint32_t new_length = FastElementsAccessorSubclass::AddArguments(
        receiver, backing_store, args, unshift_size, AT_START);
    return new_length;
  }

  // Placeholder that must never run: the Smi/object and double accessors
  // further down each define their own MoveElements() with this signature,
  // and the helpers in this class call it through
  // FastElementsAccessorSubclass.
  static void MoveElements(Heap* heap, Handle<FixedArrayBase> backing_store,
                           int dst_index, int src_index, int len,
                           int hole_start, int hole_end) {
    UNREACHABLE();
  }

  // Returns a new JSArray of this accessor's kind holding a copy of the
  // elements [start, end) of |backing_store|.
  //
  // Preconditions (caller's responsibility): start < end is only DCHECKed,
  // and neither bound is compared with the length of |backing_store| here,
  // so the caller must have clamped both to the store before calling.
  static Handle<JSArray> SliceImpl(Handle<JSObject> receiver,
                                   Handle<FixedArrayBase> backing_store,
                                   uint32_t start, uint32_t end) {
    DCHECK(start < end);
    Isolate* isolate = receiver->GetIsolate();
    Factory* factory = isolate->factory();
    int slice_length = end - start;
    // Allocate the result first; the raw copy below runs with allocation
    // disallowed.
    Handle<JSArray> slice =
        factory->NewJSArray(KindTraits::Kind, slice_length, slice_length);
    DisallowHeapAllocation no_gc;
    FastElementsAccessorSubclass::CopyElementsImpl(
        *backing_store, start, slice->elements(), KindTraits::Kind, 0,
        kPackedSizeNotKnown, slice_length);
    FastElementsAccessorSubclass::TryTransitionResultArrayToPacked(slice);
    return slice;
  }

  // Removes |delete_count| elements of |receiver| starting at |start|,
  // inserts |add_count| values from |args| in their place, and returns a new
  // JSArray holding the removed elements.
  //
  // Preconditions (caller's responsibility): nothing here checks that
  // start + delete_count stays within the receiver's length, and the length
  // arithmetic is unsigned; the only overflow check is a DCHECK inside
  // SpliceGrowStep(). The caller must pass already-clamped values.
  static Handle<JSArray> SpliceImpl(Handle<JSArray> receiver,
                                    Handle<FixedArrayBase> backing_store,
                                    uint32_t start, uint32_t delete_count,
                                    Arguments* args, uint32_t add_count) {
    Isolate* isolate = receiver->GetIsolate();
    Heap* heap = isolate->heap();
    const uint32_t old_length = Smi::cast(receiver->length())->value();
    const uint32_t new_length = old_length - delete_count + add_count;

    // The receiver ends up empty: hand the existing backing store to the
    // result array and give the receiver the canonical empty array.
    if (new_length == 0) {
      receiver->set_elements(heap->empty_fixed_array());
      receiver->set_length(Smi::FromInt(0));
      return isolate->factory()->NewJSArrayWithElements(
          backing_store, KindTraits::Kind, delete_count);
    }

    // Build the result array and copy the elements about to be removed.
    Handle<JSArray> removed = isolate->factory()->NewJSArray(
        KindTraits::Kind, delete_count, delete_count);
    if (delete_count > 0) {
      DisallowHeapAllocation no_gc;
      FastElementsAccessorSubclass::CopyElementsImpl(
          *backing_store, start, removed->elements(), KindTraits::Kind, 0,
          kPackedSizeNotKnown, delete_count);
    }

    // Open or close the gap so that exactly |add_count| slots start at
    // |start|. Growing may replace the backing store.
    if (add_count > delete_count) {
      backing_store = FastElementsAccessorSubclass::SpliceGrowStep(
          receiver, backing_store, isolate, heap, start, delete_count,
          add_count, old_length, new_length);
    } else if (add_count < delete_count) {
      FastElementsAccessorSubclass::SpliceShrinkStep(
          backing_store, heap, start, delete_count, add_count, old_length,
          new_length);
    }

    // Fill the gap from |args|, reading from index 3 onwards (presumably
    // past the receiver, start and delete-count arguments -- confirm against
    // the caller).
    FastElementsAccessorSubclass::CopyArguments(args, backing_store, add_count,
                                                3, start);

    receiver->set_length(Smi::FromInt(new_length));
    FastElementsAccessorSubclass::TryTransitionResultArrayToPacked(removed);
    return removed;
  }

 private:
  // Splice helper for add_count < delete_count: moves the elements after the
  // deleted range down so they follow the |add_count| inserted slots, and
  // passes [new_length, len) to MoveElements() as the range to fill with
  // holes.
  //
  // The counts are computed in unsigned arithmetic and then narrowed to int;
  // no range check is made here, the caller must pass consistent values.
  static void SpliceShrinkStep(Handle<FixedArrayBase> backing_store, Heap* heap,
                               uint32_t start, uint32_t delete_count,
                               uint32_t add_count, uint32_t len,
                               uint32_t new_length) {
    const int tail_count = len - delete_count - start;
    const int tail_dst = start + add_count;
    const int tail_src = start + delete_count;
    FastElementsAccessorSubclass::MoveElements(
        heap, backing_store, tail_dst, tail_src, tail_count, new_length, len);
  }


  // Splice helper for add_count > delete_count: makes room for the extra
  // elements and returns the backing store to write them into.
  //
  // If the current store can hold |new_length| elements the tail is moved up
  // in place; otherwise a larger store is allocated, filled from the old one
  // around the gap, and installed on |receiver|.
  //
  // The overflow check on the new length is a DCHECK only; the caller must
  // ensure the resulting length stays within Smi range.
  static Handle<FixedArrayBase> SpliceGrowStep(
      Handle<JSArray> receiver, Handle<FixedArrayBase> backing_store,
      Isolate* isolate, Heap* heap, uint32_t start, uint32_t delete_count,
      uint32_t add_count, uint32_t length, uint32_t new_length) {
    // Check we do not overflow the new_length.
    DCHECK((add_count - delete_count) <= (Smi::kMaxValue - length));

    const uint32_t tail_src = start + delete_count;
    const uint32_t tail_dst = start + add_count;
    const uint32_t current_capacity =
        static_cast<uint32_t>(backing_store->length());

    if (new_length <= current_capacity) {
      // Enough room: shift the trailing elements up in place.
      FastElementsAccessorSubclass::MoveElements(
          heap, backing_store, tail_dst, tail_src,
          (length - delete_count - start), 0, 0);
      return backing_store;
    }

    // A bigger backing store is required.
    int capacity = JSObject::NewElementsCapacity(new_length);
    // The new store receives the elements in front of |start| ...
    Handle<FixedArrayBase> grown_store =
        FastElementsAccessorSubclass::ConvertElementsWithCapacity(
            receiver, backing_store, KindTraits::Kind, capacity, start);
    // ... and then the elements that followed the deleted range.
    FastElementsAccessorSubclass::CopyElementsImpl(
        *backing_store, tail_src, *grown_store, KindTraits::Kind, tail_dst,
        kPackedSizeNotKnown, ElementsAccessor::kCopyToEndAndInitializeToHole);
    receiver->set_elements(*grown_store);
    return grown_store;
  }

  // Shared implementation of PopImpl()/ShiftImpl(): removes one element from
  // the start or the end of |receiver|, shrinks the length by one and returns
  // the removed value (undefined if a holey kind held the hole there).
  //
  // Precondition: the receiver's length is greater than zero. This is only a
  // DCHECK; with a zero length the indices computed below would be -1, so the
  // caller must guarantee a non-empty array.
  static Handle<Object> RemoveElement(Handle<JSArray> receiver,
                                      Handle<FixedArrayBase> backing_store,
                                      Where remove_position) {
    const uint32_t length =
        static_cast<uint32_t>(Smi::cast(receiver->length())->value());
    Isolate* isolate = receiver->GetIsolate();
    DCHECK(length > 0);

    const bool from_front = remove_position == AT_START;
    int new_length = length - 1;
    int remove_index = from_front ? 0 : new_length;

    // Read the value before the elements are shifted or the length shrinks.
    Handle<Object> removed =
        FastElementsAccessorSubclass::GetImpl(backing_store, remove_index);
    if (from_front) {
      FastElementsAccessorSubclass::MoveElements(isolate->heap(), backing_store,
                                                 0, 1, new_length, 0, 0);
    }
    FastElementsAccessorSubclass::SetLengthImpl(receiver, new_length,
                                                backing_store);

    // The hole is not handed out as a value; it is replaced by undefined.
    const bool removed_a_hole =
        IsHoleyElementsKind(KindTraits::Kind) && removed->IsTheHole();
    if (removed_a_hole) {
      return isolate->factory()->undefined_value();
    }
    return removed;
  }

  // Shared implementation of PushImpl()/UnshiftImpl(): inserts |add_size|
  // values from |args| at the start or the end of |receiver| and returns the
  // new length. Despite its name, |remove_position| selects where the values
  // are inserted.
  //
  // Preconditions: add_size > 0 and length + add_size within Smi range. Both
  // are DCHECKs only, so the caller must guarantee them.
  static uint32_t AddArguments(Handle<JSArray> receiver,
                               Handle<FixedArrayBase> backing_store,
                               Arguments* args, uint32_t add_size,
                               Where remove_position) {
    const uint32_t length = Smi::cast(receiver->length())->value();
    DCHECK(add_size > 0);
    const uint32_t current_capacity = backing_store->length();
    // Check we do not overflow the new_length.
    DCHECK(add_size <= static_cast<uint32_t>(Smi::kMaxValue - length));
    const uint32_t new_length = length + add_size;
    const bool at_front = remove_position == AT_START;

    if (new_length > current_capacity) {
      // The store is too small: allocate a larger one and copy everything
      // over, leaving |add_size| free slots in front when inserting at the
      // start.
      uint32_t capacity = JSObject::NewElementsCapacity(new_length);
      int copy_dst_index = at_front ? add_size : 0;
      backing_store = FastElementsAccessorSubclass::ConvertElementsWithCapacity(
          receiver, backing_store, KindTraits::Kind, capacity, 0,
          copy_dst_index, ElementsAccessor::kCopyToEndAndInitializeToHole);
      receiver->set_elements(*backing_store);
    } else if (at_front) {
      // Enough capacity, but the existing elements have to move up to make
      // room at the start.
      Isolate* isolate = receiver->GetIsolate();
      FastElementsAccessorSubclass::MoveElements(isolate->heap(), backing_store,
                                                 add_size, 0, length, 0, 0);
    }

    // Write the new values at the insertion point, reading |args| from index
    // 1 onwards (presumably index 0 is the receiver -- confirm against the
    // caller).
    int insertion_index = at_front ? 0 : length;
    FastElementsAccessorSubclass::CopyArguments(args, backing_store, add_size,
                                                1, insertion_index);
    // Publish the new length only after the elements are in place.
    receiver->set_length(Smi::FromInt(new_length));
    return new_length;
  }

  // Copies |copy_size| values from |args|, starting at |src_index|, into
  // |dst_store| starting at |dst_index|.
  //
  // Neither the reads from |args| nor the writes into |dst_store| are
  // bounds-checked here: the caller must ensure that |args| holds at least
  // src_index + copy_size values and that the store has room for
  // dst_index + copy_size elements.
  static void CopyArguments(Arguments* args, Handle<FixedArrayBase> dst_store,
                            uint32_t copy_size, uint32_t src_index,
                            uint32_t dst_index) {
    // The raw store pointer and the write barrier mode are only valid while
    // allocation is disallowed.
    DisallowHeapAllocation no_gc;
    FixedArrayBase* raw_store = *dst_store;
    WriteBarrierMode barrier_mode = raw_store->GetWriteBarrierMode(no_gc);
    for (uint32_t offset = 0; offset < copy_size; ++offset) {
      Object* value = (*args)[offset + src_index];
      FastElementsAccessorSubclass::SetImpl(raw_store, offset + dst_index,
                                            value, barrier_mode);
    }
  }
};


// Shared base of the fast accessors whose backing store is a FixedArray of
// tagged values (Smi and object kinds, packed or holey).
//
// The setters and GetRaw() index the FixedArray directly; they perform no
// bounds check of their own, so |entry| must already be known to lie within
// the backing store.
template <typename FastElementsAccessorSubclass, typename KindTraits>
class FastSmiOrObjectElementsAccessor
    : public FastElementsAccessor<FastElementsAccessorSubclass, KindTraits> {
 public:
  explicit FastSmiOrObjectElementsAccessor(const char* name)
      : FastElementsAccessor<FastElementsAccessorSubclass, KindTraits>(name) {}

  // Stores |value| at |entry| using FixedArray's default set().
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value) {
    FixedArray* store = FixedArray::cast(backing_store);
    store->set(entry, value);
  }

  // Stores |value| at |entry| with an explicit write barrier |mode|.
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value, WriteBarrierMode mode) {
    FixedArray* store = FixedArray::cast(backing_store);
    store->set(entry, value, mode);
  }

  // Returns the raw value stored for |entry|, without wrapping it in a
  // handle.
  static Object* GetRaw(FixedArray* backing_store, uint32_t entry) {
    return backing_store->get(
        FastElementsAccessorSubclass::GetIndexForEntryImpl(backing_store,
                                                           entry));
  }

  // Moves |len| elements from |src_index| to |dst_index| inside
  // |backing_store|, then fills [hole_start, hole_end) with holes. Either
  // step is skipped when its range is empty. No index is validated here.
  static void MoveElements(Heap* heap, Handle<FixedArrayBase> backing_store,
                           int dst_index, int src_index, int len,
                           int hole_start, int hole_end) {
    Handle<FixedArray> store = Handle<FixedArray>::cast(backing_store);
    const bool has_elements_to_move = len != 0;
    const bool has_hole_range = hole_start != hole_end;
    if (has_elements_to_move) {
      DisallowHeapAllocation no_gc;
      heap->MoveElements(*store, dst_index, src_index, len);
    }
    if (has_hole_range) {
      store->FillWithHoles(hole_start, hole_end);
    }
  }

  // Copies elements of kind |from_kind| out of |from| into |to|, which has
  // this accessor's kind, dispatching on |from_kind|.
  //
  // NOTE: this method violates the handlified function signature convention:
  // raw pointer parameters in the function that allocates.
  // See ElementsAccessor::CopyElements() for details.
  // This method could actually allocate if copying from double elements to
  // object elements; that branch re-enables allocation locally, so callers
  // holding raw pointers across this call need to take that into account.
  static void CopyElementsImpl(FixedArrayBase* from, uint32_t from_start,
                               FixedArrayBase* to, ElementsKind from_kind,
                               uint32_t to_start, int packed_size,
                               int copy_size) {
    DisallowHeapAllocation no_gc;
    const ElementsKind target_kind = KindTraits::Kind;
    switch (from_kind) {
      // Tagged source: plain object-to-object copy.
      case FAST_SMI_ELEMENTS:
      case FAST_HOLEY_SMI_ELEMENTS:
      case FAST_ELEMENTS:
      case FAST_HOLEY_ELEMENTS:
        CopyObjectToObjectElements(from, from_kind, from_start, to,
                                   target_kind, to_start, copy_size);
        break;
      // Double source: allocation is allowed for this branch only.
      case FAST_DOUBLE_ELEMENTS:
      case FAST_HOLEY_DOUBLE_ELEMENTS: {
        AllowHeapAllocation allow_allocation;
        DCHECK(IsFastObjectElementsKind(target_kind));
        CopyDoubleToObjectElements(from, from_start, to, to_start, copy_size);
        break;
      }
      case DICTIONARY_ELEMENTS:
        CopyDictionaryToObjectElements(from, from_start, to, target_kind,
                                       to_start, copy_size);
        break;
      // Sloppy-arguments and typed-array sources are not expected here.
      case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
      case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
        UNREACHABLE();
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
  case TYPE##_ELEMENTS:                                 \
    UNREACHABLE();
        TYPED_ARRAYS(TYPED_ARRAY_CASE)
#undef TYPED_ARRAY_CASE
    }
  }
};


// Concrete accessor for FAST_SMI_ELEMENTS. It adds nothing beyond the
// constructor; all operations come from FastSmiOrObjectElementsAccessor.
class FastPackedSmiElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastPackedSmiElementsAccessor,
          ElementsKindTraits<FAST_SMI_ELEMENTS> > {
  typedef FastSmiOrObjectElementsAccessor<
      FastPackedSmiElementsAccessor, ElementsKindTraits<FAST_SMI_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastPackedSmiElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Concrete accessor for FAST_HOLEY_SMI_ELEMENTS. It adds nothing beyond the
// constructor; all operations come from FastSmiOrObjectElementsAccessor.
class FastHoleySmiElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastHoleySmiElementsAccessor,
          ElementsKindTraits<FAST_HOLEY_SMI_ELEMENTS> > {
  typedef FastSmiOrObjectElementsAccessor<
      FastHoleySmiElementsAccessor,
      ElementsKindTraits<FAST_HOLEY_SMI_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastHoleySmiElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Concrete accessor for FAST_ELEMENTS. It adds nothing beyond the
// constructor; all operations come from FastSmiOrObjectElementsAccessor.
class FastPackedObjectElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastPackedObjectElementsAccessor,
          ElementsKindTraits<FAST_ELEMENTS> > {
  typedef FastSmiOrObjectElementsAccessor<
      FastPackedObjectElementsAccessor, ElementsKindTraits<FAST_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastPackedObjectElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Concrete accessor for FAST_HOLEY_ELEMENTS. It adds nothing beyond the
// constructor; all operations come from FastSmiOrObjectElementsAccessor.
class FastHoleyObjectElementsAccessor
    : public FastSmiOrObjectElementsAccessor<
          FastHoleyObjectElementsAccessor,
          ElementsKindTraits<FAST_HOLEY_ELEMENTS> > {
  typedef FastSmiOrObjectElementsAccessor<
      FastHoleyObjectElementsAccessor,
      ElementsKindTraits<FAST_HOLEY_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastHoleyObjectElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Shared base of the fast accessors whose backing store is a
// FixedDoubleArray (packed and holey double kinds).
//
// The setters index the FixedDoubleArray directly and convert the value with
// Object::Number(); no bounds check is made here, and |value| is presumably
// required to already be a number -- the caller has to guarantee both.
template <typename FastElementsAccessorSubclass, typename KindTraits>
class FastDoubleElementsAccessor
    : public FastElementsAccessor<FastElementsAccessorSubclass, KindTraits> {
 public:
  explicit FastDoubleElementsAccessor(const char* name)
      : FastElementsAccessor<FastElementsAccessorSubclass, KindTraits>(name) {}

  // Stores the numeric value of |value| at |entry|.
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value) {
    FixedDoubleArray* store = FixedDoubleArray::cast(backing_store);
    store->set(entry, value->Number());
  }

  // Same as above; |mode| is accepted for signature compatibility and is not
  // used.
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value, WriteBarrierMode mode) {
    FixedDoubleArray* store = FixedDoubleArray::cast(backing_store);
    store->set(entry, value->Number());
  }

  // Moves |len| doubles from |src_index| to |dst_index| inside
  // |backing_store| with MemMove(), then fills [hole_start, hole_end) with
  // holes. Either step is skipped when its range is empty.
  //
  // This is a raw memory move: indices and |len| are not checked against the
  // array's length, the caller must pass ranges that lie inside the store.
  static void MoveElements(Heap* heap, Handle<FixedArrayBase> backing_store,
                           int dst_index, int src_index, int len,
                           int hole_start, int hole_end) {
    Handle<FixedDoubleArray> store =
        Handle<FixedDoubleArray>::cast(backing_store);
    const bool has_elements_to_move = len != 0;
    const bool has_hole_range = hole_start != hole_end;
    if (has_elements_to_move) {
      MemMove(store->data_start() + dst_index,
              store->data_start() + src_index, len * kDoubleSize);
    }
    if (has_hole_range) {
      store->FillWithHoles(hole_start, hole_end);
    }
  }

  // Copies elements of kind |from_kind| out of |from| into the double array
  // |to|, dispatching on |from_kind|. Runs with allocation disallowed.
  static void CopyElementsImpl(FixedArrayBase* from, uint32_t from_start,
                               FixedArrayBase* to, ElementsKind from_kind,
                               uint32_t to_start, int packed_size,
                               int copy_size) {
    DisallowHeapAllocation no_allocation;
    switch (from_kind) {
      // Packed Smi source: the only case that passes |packed_size| on.
      case FAST_SMI_ELEMENTS:
        CopyPackedSmiToDoubleElements(from, from_start, to, to_start,
                                      packed_size, copy_size);
        break;
      case FAST_HOLEY_SMI_ELEMENTS:
        CopySmiToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case FAST_DOUBLE_ELEMENTS:
      case FAST_HOLEY_DOUBLE_ELEMENTS:
        CopyDoubleToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case FAST_ELEMENTS:
      case FAST_HOLEY_ELEMENTS:
        CopyObjectToDoubleElements(from, from_start, to, to_start, copy_size);
        break;
      case DICTIONARY_ELEMENTS:
        CopyDictionaryToDoubleElements(from, from_start, to, to_start,
                                       copy_size);
        break;
      // Sloppy-arguments and typed-array sources are not expected here.
      case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
      case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
        UNREACHABLE();

#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
  case TYPE##_ELEMENTS:                                 \
    UNREACHABLE();
        TYPED_ARRAYS(TYPED_ARRAY_CASE)
#undef TYPED_ARRAY_CASE
    }
  }
};


// Concrete accessor for FAST_DOUBLE_ELEMENTS. It adds nothing beyond the
// constructor; all operations come from FastDoubleElementsAccessor.
class FastPackedDoubleElementsAccessor
    : public FastDoubleElementsAccessor<
          FastPackedDoubleElementsAccessor,
          ElementsKindTraits<FAST_DOUBLE_ELEMENTS> > {
  typedef FastDoubleElementsAccessor<
      FastPackedDoubleElementsAccessor,
      ElementsKindTraits<FAST_DOUBLE_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastPackedDoubleElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Concrete accessor for FAST_HOLEY_DOUBLE_ELEMENTS. It adds nothing beyond
// the constructor; all operations come from FastDoubleElementsAccessor.
class FastHoleyDoubleElementsAccessor
    : public FastDoubleElementsAccessor<
          FastHoleyDoubleElementsAccessor,
          ElementsKindTraits<FAST_HOLEY_DOUBLE_ELEMENTS> > {
  typedef FastDoubleElementsAccessor<
      FastHoleyDoubleElementsAccessor,
      ElementsKindTraits<FAST_HOLEY_DOUBLE_ELEMENTS> >
      ParentAccessor;

 public:
  explicit FastHoleyDoubleElementsAccessor(const char* name)
      : ParentAccessor(name) {}
};


// Super class for all external element arrays.
//
// Bounds and neutering are enforced in one place only: GetCapacityImpl()
// reports a capacity of 0 for a neutered view, so GetEntryForIndexImpl()
// maps every index of such a view to kMaxUInt32. GetImpl() and SetImpl()
// themselves check neither the index nor the neutered state; they rely on
// being handed an entry obtained from GetEntryForIndexImpl(), presumably
// with no opportunity for the buffer to be neutered in between.
template <ElementsKind Kind>
class TypedElementsAccessor
    : public ElementsAccessorBase<TypedElementsAccessor<Kind>,
                                  ElementsKindTraits<Kind> > {
 public:
  typedef typename ElementsKindTraits<Kind>::BackingStore BackingStore;
  typedef TypedElementsAccessor<Kind> AccessorClass;

  explicit TypedElementsAccessor(const char* name)
      : ElementsAccessorBase<AccessorClass, ElementsKindTraits<Kind> >(name) {}

  // Stores |value| at |entry| through the typed backing store's SetValue().
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value) {
    BackingStore* typed_store = BackingStore::cast(backing_store);
    typed_store->SetValue(entry, value);
  }

  // Same as above; |mode| is accepted for signature compatibility and is not
  // used.
  static inline void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                             Object* value, WriteBarrierMode mode) {
    BackingStore* typed_store = BackingStore::cast(backing_store);
    typed_store->SetValue(entry, value);
  }

  // Returns the element at |entry| as a handle.
  static Handle<Object> GetImpl(Handle<FixedArrayBase> backing_store,
                                uint32_t entry) {
    Handle<BackingStore> typed_store =
        Handle<BackingStore>::cast(backing_store);
    return BackingStore::get(typed_store,
                             GetIndexForEntryImpl(*backing_store, entry));
  }

  // Every typed-array element reports the same details: a DATA property
  // that is DONT_DELETE.
  static PropertyDetails GetDetailsImpl(FixedArrayBase* backing_store,
                                        uint32_t entry) {
    return PropertyDetails(DONT_DELETE, DATA, 0, PropertyCellType::kNoCell);
  }

  static void SetLengthImpl(Handle<JSArray> array, uint32_t length,
                            Handle<FixedArrayBase> backing_store) {
    // External arrays do not support changing their length.
    UNREACHABLE();
  }

  // Must not be called for typed arrays.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    UNREACHABLE();
  }

  // Entries and indices coincide for typed arrays.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase* backing_store,
                                       uint32_t entry) {
    return entry;
  }

  // Returns |index| when it is below the current capacity and kMaxUInt32
  // otherwise. Because the capacity of a neutered view is 0, this is the
  // check that keeps element access away from a neutered buffer.
  static uint32_t GetEntryForIndexImpl(JSObject* holder,
                                       FixedArrayBase* backing_store,
                                       uint32_t index, PropertyFilter filter) {
    const uint32_t capacity =
        AccessorClass::GetCapacityImpl(holder, backing_store);
    if (index < capacity) return index;
    return kMaxUInt32;
  }

  // Returns the backing store's length, or 0 once the view was neutered.
  static uint32_t GetCapacityImpl(JSObject* holder,
                                  FixedArrayBase* backing_store) {
    JSArrayBufferView* view = JSArrayBufferView::cast(holder);
    return view->WasNeutered() ? 0 : backing_store->length();
  }
};



// Declares one Fixed<Type>ElementsAccessor typedef per TYPED_ARRAYS entry,
// each naming the TypedElementsAccessor instantiation for that kind.
#define FIXED_ELEMENTS_ACCESSOR(Type, type, TYPE, ctype, size) \
  typedef TypedElementsAccessor<TYPE##_ELEMENTS> Fixed##Type##ElementsAccessor;

TYPED_ARRAYS(FIXED_ELEMENTS_ACCESSOR)
#undef FIXED_ELEMENTS_ACCESSOR


// Shared base of the accessors for sloppy-mode arguments objects.
//
// As used below, the elements of such an object are a FixedArray (the
// "parameter map") laid out as:
//   slot 0       the Context holding the aliased parameters,
//   slot 1       the backing store of the unmapped arguments,
//   slot 2 + i   for mapped entry i: a Smi context slot index, or the hole
//                once that entry has been deleted.
// Entries below (length - 2) are mapped; larger entries are forwarded to
// ArgumentsAccessor after subtracting the mapped count.
//
// Every method computes the mapped count as length() - 2 in unsigned
// arithmetic, which assumes the map always has at least two slots. GetImpl()
// and SetImpl() cast a mapped slot to Smi without testing for the hole and
// verify the context slot with a DCHECK only, so they must be given entries
// that came from GetEntryForIndexImpl() / passed HasEntryImpl().
template <typename SloppyArgumentsElementsAccessorSubclass,
          typename ArgumentsAccessor, typename KindTraits>
class SloppyArgumentsElementsAccessor
    : public ElementsAccessorBase<SloppyArgumentsElementsAccessorSubclass,
                                  KindTraits> {
 public:
  explicit SloppyArgumentsElementsAccessor(const char* name)
      : ElementsAccessorBase<SloppyArgumentsElementsAccessorSubclass,
                             KindTraits>(name) {
    USE(KindTraits::Kind);
  }

  // Returns the value for |entry|: the aliased context slot for a mapped
  // entry, otherwise the value from the arguments store (following an
  // AliasedArgumentsEntry into the context if there is one).
  static Handle<Object> GetImpl(Handle<FixedArrayBase> parameters,
                                uint32_t entry) {
    Isolate* isolate = parameters->GetIsolate();
    Handle<FixedArray> parameter_map = Handle<FixedArray>::cast(parameters);
    const uint32_t mapped_count = parameter_map->length() - 2;

    if (entry < mapped_count) {
      DisallowHeapAllocation no_gc;
      Object* probe = parameter_map->get(entry + 2);
      Context* context = Context::cast(parameter_map->get(0));
      int context_entry = Smi::cast(probe)->value();
      DCHECK(!context->get(context_entry)->IsTheHole());
      return handle(context->get(context_entry), isolate);
    }

    // Object is not mapped, defer to the arguments.
    Handle<FixedArray> arguments(FixedArray::cast(parameter_map->get(1)),
                                 isolate);
    Handle<Object> result =
        ArgumentsAccessor::GetImpl(arguments, entry - mapped_count);
    if (!result->IsAliasedArgumentsEntry()) return result;

    // Elements of the arguments object in slow mode might be slow aliases.
    DisallowHeapAllocation no_gc;
    AliasedArgumentsEntry* alias = AliasedArgumentsEntry::cast(*result);
    Context* context = Context::cast(parameter_map->get(0));
    int context_entry = alias->aliased_context_slot();
    DCHECK(!context->get(context_entry)->IsTheHole());
    return handle(context->get(context_entry), isolate);
  }

  // Must not be called on this accessor.
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    UNREACHABLE();
  }

  // Stores |value| for |entry|: into the aliased context slot for a mapped
  // entry or an AliasedArgumentsEntry, otherwise into the arguments store.
  static inline void SetImpl(FixedArrayBase* store, uint32_t entry,
                             Object* value) {
    FixedArray* parameter_map = FixedArray::cast(store);
    const uint32_t mapped_count = parameter_map->length() - 2;

    if (entry < mapped_count) {
      Object* probe = parameter_map->get(entry + 2);
      Context* context = Context::cast(parameter_map->get(0));
      int context_entry = Smi::cast(probe)->value();
      DCHECK(!context->get(context_entry)->IsTheHole());
      context->set(context_entry, value);
      return;
    }

    FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
    const uint32_t unmapped_entry = entry - mapped_count;
    Object* current = ArgumentsAccessor::GetRaw(arguments, unmapped_entry);
    if (!current->IsAliasedArgumentsEntry()) {
      ArgumentsAccessor::SetImpl(arguments, unmapped_entry, value);
      return;
    }

    AliasedArgumentsEntry* alias = AliasedArgumentsEntry::cast(current);
    Context* context = Context::cast(parameter_map->get(0));
    int context_entry = alias->aliased_context_slot();
    DCHECK(!context->get(context_entry)->IsTheHole());
    context->set(context_entry, value);
  }

  static void SetLengthImpl(Handle<JSArray> array, uint32_t length,
                            Handle<FixedArrayBase> parameter_map) {
    // Sloppy arguments objects are not arrays.
    UNREACHABLE();
  }

  // Capacity is the number of mapped entries plus the capacity of the
  // arguments store.
  static uint32_t GetCapacityImpl(JSObject* holder,
                                  FixedArrayBase* backing_store) {
    FixedArray* parameter_map = FixedArray::cast(backing_store);
    FixedArrayBase* arguments = FixedArrayBase::cast(parameter_map->get(1));
    const uint32_t mapped_count = parameter_map->length() - 2;
    return mapped_count +
           ArgumentsAccessor::GetCapacityImpl(holder, arguments);
  }

  // A mapped entry exists unless its slot holds the hole; other entries are
  // looked up in the arguments store.
  static bool HasEntryImpl(FixedArrayBase* parameters, uint32_t entry) {
    FixedArray* parameter_map = FixedArray::cast(parameters);
    const uint32_t mapped_count = parameter_map->length() - 2;
    if (entry >= mapped_count) {
      FixedArrayBase* arguments = FixedArrayBase::cast(parameter_map->get(1));
      return ArgumentsAccessor::HasEntryImpl(arguments, entry - mapped_count);
    }
    return !GetParameterMapArg(parameter_map, entry)->IsTheHole();
  }

  // Mapped entries are their own index; others are translated by the
  // arguments accessor.
  static uint32_t GetIndexForEntryImpl(FixedArrayBase* parameters,
                                       uint32_t entry) {
    FixedArray* parameter_map = FixedArray::cast(parameters);
    const uint32_t mapped_count = parameter_map->length() - 2;
    if (entry >= mapped_count) {
      FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
      return ArgumentsAccessor::GetIndexForEntryImpl(arguments,
                                                     entry - mapped_count);
    }
    return entry;
  }

  // Translates |index| into an entry: the index itself if it is a live
  // mapped parameter, otherwise the arguments accessor's entry offset by the
  // mapped count, or kMaxUInt32 if the arguments store has no such element.
  static uint32_t GetEntryForIndexImpl(JSObject* holder,
                                       FixedArrayBase* parameters,
                                       uint32_t index, PropertyFilter filter) {
    FixedArray* parameter_map = FixedArray::cast(parameters);
    Object* mapped_slot = GetParameterMapArg(parameter_map, index);
    if (!mapped_slot->IsTheHole()) return index;

    FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
    const uint32_t unmapped_entry = ArgumentsAccessor::GetEntryForIndexImpl(
        holder, arguments, index, filter);
    if (unmapped_entry == kMaxUInt32) return unmapped_entry;
    return (parameter_map->length() - 2) + unmapped_entry;
  }

  // Mapped entries are plain DATA properties with no attributes; others
  // take their details from the arguments store.
  static PropertyDetails GetDetailsImpl(FixedArrayBase* parameters,
                                        uint32_t entry) {
    FixedArray* parameter_map = FixedArray::cast(parameters);
    const uint32_t mapped_count = parameter_map->length() - 2;
    if (entry >= mapped_count) {
      FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
      return ArgumentsAccessor::GetDetailsImpl(arguments,
                                               entry - mapped_count);
    }
    return PropertyDetails(NONE, DATA, 0, PropertyCellType::kNoCell);
  }

  // Bounds-checked read of the mapped slot for |index|: returns the hole for
  // any index at or beyond the mapped count.
  static Object* GetParameterMapArg(FixedArray* parameter_map, uint32_t index) {
    const uint32_t mapped_count = parameter_map->length() - 2;
    if (index < mapped_count) {
      return parameter_map->get(index + 2);
    }
    return Object::cast(parameter_map->GetHeap()->the_hole_value());
  }

  // Deletes |entry|: a mapped entry is overwritten with the hole, anything
  // else is removed from the arguments store by the subclass.
  static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
    FixedArray* parameter_map = FixedArray::cast(obj->elements());
    const uint32_t mapped_count =
        static_cast<uint32_t>(parameter_map->length()) - 2;
    if (entry >= mapped_count) {
      SloppyArgumentsElementsAccessorSubclass::DeleteFromArguments(
          obj, entry - mapped_count);
      return;
    }
    // TODO(kmillikin): We could check if this was the last aliased
    // parameter, and revert to normal elements in that case.  That
    // would enable GC of the context.
    parameter_map->set_the_hole(entry + 2);
  }
};


// Accessor for SLOW_SLOPPY_ARGUMENTS_ELEMENTS. The object's elements are a
// parameter map whose slot 0 holds the context, slot 1 holds the backing
// store (a SeededNumberDictionary for this kind) and slots 2.. hold the
// mapped-parameter entries.
class SlowSloppyArgumentsElementsAccessor
    : public SloppyArgumentsElementsAccessor<
          SlowSloppyArgumentsElementsAccessor, DictionaryElementsAccessor,
          ElementsKindTraits<SLOW_SLOPPY_ARGUMENTS_ELEMENTS> > {
 public:
  explicit SlowSloppyArgumentsElementsAccessor(const char* name)
      : SloppyArgumentsElementsAccessor<
            SlowSloppyArgumentsElementsAccessor, DictionaryElementsAccessor,
            ElementsKindTraits<SLOW_SLOPPY_ARGUMENTS_ELEMENTS> >(name) {}

  // Removes dictionary entry |entry| from the backing store, shrinks the
  // dictionary and stores the shrunk dictionary back into slot 1.
  static void DeleteFromArguments(Handle<JSObject> obj, uint32_t entry) {
    Handle<FixedArray> map_store(FixedArray::cast(obj->elements()));
    Handle<SeededNumberDictionary> backing(
        SeededNumberDictionary::cast(map_store->get(1)));
    // TODO(verwaest): Remove reliance on index in Shrink.
    // The index has to be read before the entry is deleted.
    uint32_t deleted_index = GetIndexForEntryImpl(*backing, entry);
    Handle<Object> outcome =
        SeededNumberDictionary::DeleteProperty(backing, entry);
    USE(outcome);
    DCHECK(outcome->IsTrue());
    Handle<FixedArray> shrunk =
        SeededNumberDictionary::Shrink(backing, deleted_index);
    map_store->set(1, *shrunk);
  }

  // Adds |value| at |index| with |attributes| to the dictionary backing
  // store, normalizing the elements first when the store in slot 1 is not yet
  // a dictionary. |new_capacity| is not used by this implementation.
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    Handle<FixedArray> map_store(FixedArray::cast(object->elements()));
    Handle<FixedArrayBase> current_store(
        FixedArrayBase::cast(map_store->get(1)));
    Handle<SeededNumberDictionary> dictionary;
    if (current_store->IsSeededNumberDictionary()) {
      dictionary = Handle<SeededNumberDictionary>::cast(current_store);
    } else {
      dictionary = JSObject::NormalizeElements(object);
    }
    PropertyDetails details(attributes, DATA, 0, PropertyCellType::kNoCell);
    Handle<SeededNumberDictionary> grown =
        SeededNumberDictionary::AddNumberEntry(
            dictionary, index, value, details,
            object->map()->is_prototype_map());
    if (attributes != NONE) object->RequireSlowElements(*grown);
    // AddNumberEntry may hand back a different dictionary; the parameter map
    // is re-read from the object before slot 1 is updated.
    if (*dictionary != *grown) {
      FixedArray::cast(object->elements())->set(1, *grown);
    }
  }

  // Redefines |entry| with new |attributes|. Entries at or above the mapped
  // count are rebased and forwarded to the dictionary accessor. A mapped
  // entry has |value| written through to the context, loses its fast alias,
  // and is re-added to the dictionary -- as an aliased entry when it stays
  // writable.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    Handle<FixedArray> map_store = Handle<FixedArray>::cast(store);
    // NOTE(review): unsigned subtraction; presumes the store holds at least
    // two slots -- confirm.
    uint32_t mapped_count = map_store->length() - 2;
    if (entry >= mapped_count) {
      Handle<FixedArrayBase> backing(
          FixedArrayBase::cast(map_store->get(1)));
      DictionaryElementsAccessor::ReconfigureImpl(
          object, backing, entry - mapped_count, value, attributes);
      return;
    }

    Object* mapped_slot = map_store->get(entry + 2);
    DCHECK(!mapped_slot->IsTheHole());
    Context* context = Context::cast(map_store->get(0));
    // The context slot index is taken as stored in the parameter map; apart
    // from the debug-only assertions here it is not range-checked before the
    // write below.
    int context_entry = Smi::cast(mapped_slot)->value();
    DCHECK(!context->get(context_entry)->IsTheHole());
    context->set(context_entry, *value);

    // Redefining attributes of an aliased element destroys fast aliasing.
    map_store->set_the_hole(entry + 2);
    // For elements that are still writable we re-establish slow aliasing.
    if ((attributes & READ_ONLY) == 0) {
      Isolate* isolate = store->GetIsolate();
      value = isolate->factory()->NewAliasedArgumentsEntry(context_entry);
    }

    PropertyDetails details(attributes, DATA, 0, PropertyCellType::kNoCell);
    Handle<SeededNumberDictionary> backing(
        SeededNumberDictionary::cast(map_store->get(1)));
    backing = SeededNumberDictionary::AddNumberEntry(
        backing, entry, value, details, object->map()->is_prototype_map());
    // If the attributes were NONE, we would have called set rather than
    // reconfigure.
    DCHECK_NE(NONE, attributes);
    object->RequireSlowElements(*backing);
    map_store->set(1, *backing);
  }
};


// Accessor for FAST_SLOPPY_ARGUMENTS_ELEMENTS. The object's elements are a
// parameter map whose slot 1 holds the backing store, handled here as a fast
// holey object array.
class FastSloppyArgumentsElementsAccessor
    : public SloppyArgumentsElementsAccessor<
          FastSloppyArgumentsElementsAccessor, FastHoleyObjectElementsAccessor,
          ElementsKindTraits<FAST_SLOPPY_ARGUMENTS_ELEMENTS> > {
 public:
  explicit FastSloppyArgumentsElementsAccessor(const char* name)
      : SloppyArgumentsElementsAccessor<
            FastSloppyArgumentsElementsAccessor,
            FastHoleyObjectElementsAccessor,
            ElementsKindTraits<FAST_SLOPPY_ARGUMENTS_ELEMENTS> >(name) {}

  // Deletes |entry| from the fast backing store via the holey-object
  // accessor's common delete path.
  static void DeleteFromArguments(Handle<JSObject> obj, uint32_t entry) {
    FixedArray* map_store = FixedArray::cast(obj->elements());
    Handle<FixedArray> backing(FixedArray::cast(map_store->get(1)));
    FastHoleyObjectElementsAccessor::DeleteCommon(obj, entry, backing);
  }

  // Stores |value| at |index| in the fast backing store, first growing or
  // converting the store when it is a dictionary or shorter than
  // |new_capacity|. Only NONE attributes are accepted (debug-asserted).
  static void AddImpl(Handle<JSObject> object, uint32_t index,
                      Handle<Object> value, PropertyAttributes attributes,
                      uint32_t new_capacity) {
    DCHECK_EQ(NONE, attributes);
    Handle<FixedArray> map_store(FixedArray::cast(object->elements()));
    Handle<FixedArrayBase> current_store(
        FixedArrayBase::cast(map_store->get(1)));
    const bool needs_new_store =
        current_store->IsSeededNumberDictionary() ||
        static_cast<uint32_t>(current_store->length()) < new_capacity;
    if (needs_new_store) {
      GrowCapacityAndConvertImpl(object, new_capacity);
    }
    // Slot 1 is re-read here because the call above may have replaced it.
    FixedArray* backing = FixedArray::cast(map_store->get(1));
    // For fast holey objects, the entry equals the index. The code above made
    // sure that there's enough space to store the value. We cannot convert
    // index to entry explicitly since the slot still contains the hole, so the
    // current EntryForIndex would indicate that it is "absent" by returning
    // kMaxUInt32.
    // NOTE(review): no bounds check is applied to |index| in this method; the
    // write presumes the caller passes index < new_capacity -- confirm.
    FastHoleyObjectElementsAccessor::SetImpl(backing, index, *value);
  }

  // Reconfiguring attributes requires dictionary elements: normalizes the
  // object, installs the dictionary in slot 1, translates an unmapped |entry|
  // into its dictionary entry and delegates to the slow accessor.
  static void ReconfigureImpl(Handle<JSObject> object,
                              Handle<FixedArrayBase> store, uint32_t entry,
                              Handle<Object> value,
                              PropertyAttributes attributes) {
    Handle<SeededNumberDictionary> normalized =
        JSObject::NormalizeElements(object);
    FixedArray::cast(*store)->set(1, *normalized);
    uint32_t mapped_count = static_cast<uint32_t>(store->length()) - 2;
    if (entry >= mapped_count) {
      // NOTE(review): the FindEntry result is used without testing for a
      // not-found value; presumably the element is known to exist at this
      // point -- confirm against the caller.
      entry = normalized->FindEntry(entry - mapped_count) + mapped_count;
    }
    SlowSloppyArgumentsElementsAccessor::ReconfigureImpl(object, store, entry,
                                                         value, attributes);
  }

  // Copies |copy_size| elements from |from| into the non-dictionary store
  // |to| as FAST_HOLEY_ELEMENTS, choosing the dictionary or the object copy
  // routine by |from_kind|. |packed_size| is not used here.
  static void CopyElementsImpl(FixedArrayBase* from, uint32_t from_start,
                               FixedArrayBase* to, ElementsKind from_kind,
                               uint32_t to_start, int packed_size,
                               int copy_size) {
    DCHECK(!to->IsDictionary());
    if (from_kind != SLOW_SLOPPY_ARGUMENTS_ELEMENTS) {
      DCHECK_EQ(FAST_SLOPPY_ARGUMENTS_ELEMENTS, from_kind);
      CopyObjectToObjectElements(from, FAST_HOLEY_ELEMENTS, from_start, to,
                                 FAST_HOLEY_ELEMENTS, to_start, copy_size);
      return;
    }
    CopyDictionaryToObjectElements(from, from_start, to, FAST_HOLEY_ELEMENTS,
                                   to_start, copy_size);
  }

  // Replaces the backing store in slot 1 with one converted to |capacity|
  // and migrates |object| to the FAST_SLOPPY_ARGUMENTS_ELEMENTS map.
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    Handle<FixedArray> map_store(FixedArray::cast(object->elements()));
    Handle<FixedArray> previous_store(FixedArray::cast(map_store->get(1)));
    ElementsKind source_kind = object->GetElementsKind();
    // This method should only be called if there's a reason to update the
    // elements.
    DCHECK(source_kind == SLOW_SLOPPY_ARGUMENTS_ELEMENTS ||
           static_cast<uint32_t>(previous_store->length()) < capacity);
    Handle<FixedArrayBase> converted = ConvertElementsWithCapacity(
        object, previous_store, source_kind, capacity);
    Handle<Map> target_map = JSObject::GetElementsTransitionMap(
        object, FAST_SLOPPY_ARGUMENTS_ELEMENTS);
    JSObject::MigrateToMap(object, target_map);
    map_store->set(1, *converted);
    JSObject::ValidateElements(object);
  }
};


}  // namespace


// Diagnostic helper: compares |index| against the length of |obj| (the JSArray
// length, or the elements length for other objects) and prints a trace line
// with the top frame when the access is out of bounds or the length is not an
// integer-valued number. With |allow_appending| an index equal to the length
// is accepted. The function only reports; it does not stop the access.
void CheckArrayAbuse(Handle<JSObject> obj, const char* op, uint32_t index,
                     bool allow_appending) {
  DisallowHeapAllocation no_allocation;
  const char* elements_type;
  Object* raw_length;
  if (!obj->IsJSArray()) {
    elements_type = "object";
    raw_length = Smi::FromInt(obj->elements()->length());
  } else {
    elements_type = "array";
    raw_length = JSArray::cast(*obj)->length();
  }

  if (!raw_length->IsNumber()) {
    PrintF("[%s elements length not a number in ", elements_type);
    TraceTopFrame(obj->GetIsolate());
    PrintF("]\n");
    return;
  }

  const double length_value = raw_length->Number();
  if (FastI2D(FastD2UI(length_value)) != length_value) {
    PrintF("[%s elements length not integer value in ", elements_type);
    TraceTopFrame(obj->GetIsolate());
    PrintF("]\n");
    return;
  }

  const int32_t int32_length = DoubleToInt32(length_value);
  uint32_t limit = static_cast<uint32_t>(int32_length);
  if (allow_appending) limit++;
  if (index < limit) return;

  // Both numbers go through %d after a cast to int, so values above INT_MAX
  // may be shown as negative in the trace.
  PrintF("[OOB %s %s (%s length = %d, element accessed = %d) in ",
         elements_type, op, elements_type, static_cast<int>(int32_length),
         static_cast<int>(index));
  TraceTopFrame(obj->GetIsolate());
  PrintF("]\n");
}


// Initializes |array| from the constructor arguments in |args|:
//  - no arguments: an empty array with preallocated elements;
//  - one numeric argument: it is taken as the length, and a range error is
//    thrown when it is not a valid array length;
//  - otherwise: the arguments become the elements.
// Returns |array|, or the result of throwing the range error.
MaybeHandle<Object> ArrayConstructInitializeElements(Handle<JSArray> array,
                                                     Arguments* args) {
  const int argument_count = args->length();

  if (argument_count == 0) {
    // Optimize the case where there are no parameters passed.
    JSArray::Initialize(array, JSArray::kPreallocatedArrayElements);
    return array;
  }

  if (argument_count == 1 && args->at<Object>(0)->IsNumber()) {
    // The requested length is validated before anything is allocated from it.
    uint32_t length;
    if (!args->at<Object>(0)->ToArrayLength(&length)) {
      return ThrowArrayLengthRangeError(array->GetIsolate());
    }

    if (length == 0) {
      JSArray::Initialize(array, JSArray::kPreallocatedArrayElements);
    } else if (length < JSArray::kInitialMaxFastElementArray) {
      // Optimize the case where there is one argument and the argument is a
      // small smi.
      ElementsKind initial_kind = array->GetElementsKind();
      JSArray::Initialize(array, length, length);

      if (!IsFastHoleyElementsKind(initial_kind)) {
        initial_kind = GetHoleyElementsKind(initial_kind);
        JSObject::TransitionElementsKind(array, initial_kind);
      }
    } else {
      // Take the argument as the length.
      JSArray::Initialize(array, 0);
      JSArray::SetLength(array, length);
    }
    return array;
  }

  Factory* factory = array->GetIsolate()->factory();

  // Set length and elements on the array.
  const int number_of_elements = argument_count;
  JSObject::EnsureCanContainElements(
      array, args, 0, number_of_elements, ALLOW_CONVERTED_DOUBLE_ELEMENTS);

  // Allocate an appropriately typed elements array.
  ElementsKind elements_kind = array->GetElementsKind();
  Handle<FixedArrayBase> elms;
  if (!IsFastDoubleElementsKind(elements_kind)) {
    elms = Handle<FixedArrayBase>::cast(
        factory->NewFixedArrayWithHoles(number_of_elements));
  } else {
    elms = Handle<FixedArrayBase>::cast(
        factory->NewFixedDoubleArray(number_of_elements));
  }

  // Fill in the content
  switch (array->GetElementsKind()) {
    case FAST_SMI_ELEMENTS:
    case FAST_HOLEY_SMI_ELEMENTS: {
      // NOTE(review): the write barrier is skipped on this path, which
      // presumes every argument is a Smi for these kinds -- confirm that
      // EnsureCanContainElements above establishes it.
      Handle<FixedArray> smi_elms = Handle<FixedArray>::cast(elms);
      for (int i = 0; i < number_of_elements; i++) {
        smi_elms->set(i, (*args)[i], SKIP_WRITE_BARRIER);
      }
      break;
    }
    case FAST_ELEMENTS:
    case FAST_HOLEY_ELEMENTS: {
      // The write barrier mode is obtained under a no-allocation scope that
      // stays open for the whole copy.
      DisallowHeapAllocation no_gc;
      WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc);
      Handle<FixedArray> object_elms = Handle<FixedArray>::cast(elms);
      for (int i = 0; i < number_of_elements; i++) {
        object_elms->set(i, (*args)[i], mode);
      }
      break;
    }
    case FAST_DOUBLE_ELEMENTS:
    case FAST_HOLEY_DOUBLE_ELEMENTS: {
      Handle<FixedDoubleArray> double_elms =
          Handle<FixedDoubleArray>::cast(elms);
      for (int i = 0; i < number_of_elements; i++) {
        double_elms->set(i, (*args)[i]->Number());
      }
      break;
    }
    default:
      UNREACHABLE();
      break;
  }

  array->set_elements(*elms);
  array->set_length(Smi::FromInt(number_of_elements));
  return array;
}


// Builds the table of elements accessors and publishes it through
// elements_accessors_. One accessor is heap-allocated per ELEMENTS_LIST
// entry, named after the stringified elements kind.
void ElementsAccessor::InitializeOncePerProcess() {
  // Function-local static: this initializer, and with it the allocations,
  // runs only the first time the function is entered.
  static ElementsAccessor* accessor_array[] = {
#define ACCESSOR_ARRAY(Class, Kind, Store) new Class(#Kind),
      ELEMENTS_LIST(ACCESSOR_ARRAY)
#undef ACCESSOR_ARRAY
  };

  // The table must hold exactly one accessor per elements kind, since it is
  // indexed by kind.
  STATIC_ASSERT((sizeof(accessor_array) / sizeof(*accessor_array)) ==
                kElementsKindCount);

  // NOTE(review): TearDown() deletes the accessors but leaves the slots of
  // accessor_array untouched. Calling this function again afterwards would
  // republish the same array with dangling pointers, because the static
  // initializer does not run a second time. Presumably the once-per-process
  // contract rules that out -- confirm.
  elements_accessors_ = accessor_array;
}


// Frees every accessor in the published table and clears the table pointer.
// Does nothing when no table is published, so a repeated call is harmless.
void ElementsAccessor::TearDown() {
  if (elements_accessors_ == NULL) return;
  // Expands to one delete per ELEMENTS_LIST entry, indexed by elements kind.
  // The array slots themselves are not reset; only the table pointer below is.
  // NOTE(review): the array behind the pointer is a function-local static in
  // InitializeOncePerProcess() and keeps the freed addresses; publishing it
  // again after this call would expose dangling pointers -- confirm that no
  // caller re-initializes after tear-down.
#define ACCESSOR_DELETE(Class, Kind, Store) delete elements_accessors_[Kind];
  ELEMENTS_LIST(ACCESSOR_DELETE)
#undef ACCESSOR_DELETE
  elements_accessors_ = NULL;
}


// Concatenates the first |concat_size| entries of |args| into a new JSArray.
// A first pass sums the lengths and works out the most general elements kind;
// a second pass copies each source array into the result.
//
// NOTE(review): every argument is cast straight to JSArray and its length to
// Smi, and the running total is bounded by DCHECKs only. The method therefore
// presumes the caller has already validated the argument types and the
// combined length -- confirm at the call site, since debug assertions are
// typically compiled out of release builds.
Handle<JSArray> ElementsAccessor::Concat(Isolate* isolate, Arguments* args,
                                         uint32_t concat_size) {
  int total_length = 0;
  ElementsKind result_kind = GetInitialFastElementsKind();
  bool saw_double = false;
  {
    DisallowHeapAllocation no_gc;
    // Iterate through all the arguments performing checks
    // and calculating total length.
    bool saw_holey = false;
    for (uint32_t arg_index = 0; arg_index < concat_size; arg_index++) {
      Object* arg = (*args)[arg_index];
      int arg_length = Smi::cast(JSArray::cast(arg)->length())->value();

      // We shouldn't overflow when adding another len.
      const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
      STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
      USE(kHalfOfMaxInt);
      total_length += arg_length;
      DCHECK(0 <= total_length);
      DCHECK(total_length <= FixedDoubleArray::kMaxLength);

      ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind();
      if (!saw_double && IsFastDoubleElementsKind(arg_kind)) saw_double = true;
      if (!saw_holey && IsFastHoleyElementsKind(arg_kind)) saw_holey = true;
      result_kind = GetMoreGeneralElementsKind(result_kind, arg_kind);
    }
    if (saw_holey) {
      result_kind = GetHoleyElementsKind(result_kind);
    }
  }

  // If a double array is concatted into a fast elements array, the fast
  // elements array needs to be initialized to contain proper holes, since
  // boxing doubles may cause incremental marking.
  ArrayStorageAllocationMode mode = DONT_INITIALIZE_ARRAY_ELEMENTS;
  if (saw_double && IsFastObjectElementsKind(result_kind)) {
    mode = INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE;
  }
  Handle<JSArray> result_array = isolate->factory()->NewJSArray(
      result_kind, total_length, total_length, Strength::WEAK, mode);
  if (total_length == 0) return result_array;

  int write_offset = 0;
  Handle<FixedArrayBase> storage(result_array->elements(), isolate);
  ElementsAccessor* accessor = ElementsAccessor::ForKind(result_kind);
  for (uint32_t arg_index = 0; arg_index < concat_size; arg_index++) {
    // It is crucial to keep |array| in a raw pointer form to avoid
    // performance degradation.
    JSArray* array = JSArray::cast((*args)[arg_index]);
    // The lengths are read again here; the copy stays inside the allocation
    // only if they still add up to the total computed in the first pass,
    // which the final DCHECK asserts in debug builds.
    int arg_length = Smi::cast(array->length())->value();
    if (arg_length <= 0) continue;
    ElementsKind from_kind = array->GetElementsKind();
    accessor->CopyElements(array, 0, from_kind, storage, write_offset,
                           arg_length);
    write_offset += arg_length;
  }

  DCHECK(write_offset == total_length);
  return result_array;
}

// Table of accessors indexed by elements kind. NULL until
// InitializeOncePerProcess() publishes it, and NULL again after TearDown().
ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL;
}  // namespace internal
}  // namespace v8