Commit 2fd6d609 authored by cbruni's avatar cbruni Committed by Commit bot

[elements] Handlify raw parameter_map pointers for SloppyArgumentsAccessor

Handlify pointers in IncludesValueImpl and DirectCollectElementIndicesImpl.

BUG=chromium:648373

Review-Url: https://codereview.chromium.org/2354773006
Cr-Commit-Position: refs/heads/master@{#39586}
parent c19abadd
...@@ -3034,7 +3034,7 @@ class SloppyArgumentsElementsAccessor ...@@ -3034,7 +3034,7 @@ class SloppyArgumentsElementsAccessor
Handle<FixedArrayBase> backing_store, GetKeysConversion convert, Handle<FixedArrayBase> backing_store, GetKeysConversion convert,
PropertyFilter filter, Handle<FixedArray> list, uint32_t* nof_indices, PropertyFilter filter, Handle<FixedArray> list, uint32_t* nof_indices,
uint32_t insertion_index = 0) { uint32_t insertion_index = 0) {
FixedArray* parameter_map = FixedArray::cast(*backing_store); Handle<FixedArray> parameter_map(FixedArray::cast(*backing_store), isolate);
uint32_t length = parameter_map->length() - 2; uint32_t length = parameter_map->length() - 2;
for (uint32_t i = 0; i < length; ++i) { for (uint32_t i = 0; i < length; ++i) {
...@@ -3060,18 +3060,19 @@ class SloppyArgumentsElementsAccessor ...@@ -3060,18 +3060,19 @@ class SloppyArgumentsElementsAccessor
uint32_t start_from, uint32_t length) { uint32_t start_from, uint32_t length) {
DCHECK(JSObject::PrototypeHasNoElements(isolate, *object)); DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
Handle<Map> original_map = handle(object->map(), isolate); Handle<Map> original_map = handle(object->map(), isolate);
FixedArray* parameter_map = FixedArray::cast(object->elements()); Handle<FixedArray> parameter_map(FixedArray::cast(object->elements()),
isolate);
bool search_for_hole = value->IsUndefined(isolate); bool search_for_hole = value->IsUndefined(isolate);
for (uint32_t k = start_from; k < length; ++k) { for (uint32_t k = start_from; k < length; ++k) {
uint32_t entry = uint32_t entry =
GetEntryForIndexImpl(*object, parameter_map, k, ALL_PROPERTIES); GetEntryForIndexImpl(*object, *parameter_map, k, ALL_PROPERTIES);
if (entry == kMaxUInt32) { if (entry == kMaxUInt32) {
if (search_for_hole) return Just(true); if (search_for_hole) return Just(true);
continue; continue;
} }
Handle<Object> element_k = GetImpl(parameter_map, entry); Handle<Object> element_k = GetImpl(*parameter_map, entry);
if (element_k->IsAccessorPair()) { if (element_k->IsAccessorPair()) {
LookupIterator it(isolate, object, k, LookupIterator::OWN); LookupIterator it(isolate, object, k, LookupIterator::OWN);
......
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
function getRandomProperty(v, rand) { var properties = Object.getOwnPropertyNames(v); var proto = Object.getPrototypeOf(v); if (proto) {; } if ("constructor" && v.constructor.hasOwnProperty()) {; } if (properties.length == 0) { return "0"; } return properties[rand % properties.length]; }
var __v_4 = {};
__v_2 = {
FAST_ELEMENTS() {
return {
get 0() {
} };
} ,
Arguments: {
FAST_SLOPPY_ARGUMENTS_ELEMENTS() {
var __v_11 = (function( b) { return arguments; })("foo", NaN, "bar");
__v_11.__p_2006760047 = __v_11[getRandomProperty( 2006760047)];
__v_11.__defineGetter__(getRandomProperty( 1698457573), function() { gc(); __v_4[ 1486458228] = __v_2[ 1286067691]; return __v_11.__p_2006760047; });
;
Array.prototype.includes.call(__v_11);
},
Detached_Float64Array() {
} }
};
function __f_3(suites) {
Object.keys(suites).forEach(suite => __f_4(suites[suite]));
function __f_4(suite) {
Object.keys(suite).forEach(test => suite[test]());
}
}
__f_3(__v_2);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment