• littledan's avatar
    Make array __proto__ manipulations not disturb the species protector · 04c8c11e
    littledan authored
    Previously, the species protector was invalidated whenever the __proto__ of
    an Array instance was manipulated. Then, if the map's new_target_is_base field
    remained set, it was correct to conclude that GetPrototypeOf(array) was
    %ArrayPrototype%. However, this choice caused the popular D3 framework to
    invalidate the species protector, causing many functions to become slower.
    
    This patch eliminates that aspect of the species protector. Instead, the check
    is to look at the instance->map()->prototype(). It is valid to look directly
    at the map's prototype slot, ignoring hidden prototypes and proxies, because
    - This is only called on Array instances, so the receiver cannot be a Proxy.
    - For hidden prototypes, any inaccuracy would only result in conservatively
      taking the slow path.
    
    Theoretically, this patch could make methods applied to arrays from other
    contexts slower. However, the slowdown would only affect a particular array
    instance and not have a global spill-over effect. Further, the slowdown could
    be addressed by tracking, either in the instance's map or in the actual
    prototype object, whether it is a %ArrayPrototype% from any context, in a way
    which is cheap to query, and use that rather than comparing to the currently
    executing native context.
    
    In interactive testing, this patch led the OnShape CAD system to experience
    faster load times (110+s -> 40s).
    
    BUG=chromium:606207
    LOG=Y
    
    Review-Url: https://codereview.chromium.org/1936393002
    Cr-Commit-Position: refs/heads/master@{#36033}
    04c8c11e
objects.h 398 KB