[keyed-store-generic] Update protectors if needed

When adding or overwriting properties of an object, the generic keyed store stub must check if that property's name might have an associated protector (e.g. the ArraySpeciesProtector) and take the slow path if so to ensure that the protector is updated as needed. BUG=v8:6269 Review-Url: https://codereview.chromium.org/2821213004 Cr-Commit-Position: refs/heads/master@{#44726}

[keyed-store-generic] Update protectors if needed
When adding or overwriting properties of an object, the generic keyed store stub must check if that property's name might have an associated protector (e.g. the ArraySpeciesProtector) and take the slow path if so to ensure that the protector is updated as needed. BUG=v8:6269 Review-Url: https://codereview.chromium.org/2821213004 Cr-Commit-Position: refs/heads/master@{#44726}
34a26e7d · jkummerow · Commit bot · 0e97280f · 34a26e7d · 34a26e7d
Commit 34a26e7d authored Apr 19, 2017 by jkummerow Committed by Commit bot Apr 19, 2017
5 changed files
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -5796,6 +5796,21 @@ void CodeStubAssembler::UpdateFeedback(Node* feedback, Node* feedback_vector,
                         SKIP_WRITE_BARRIER);
 }

+void CodeStubAssembler::CheckForAssociatedProtector(Node* name,
+                                                    Label* if_protector) {
+  // This list must be kept in sync with LookupIterator::UpdateProtector!
+  // TODO(jkummerow): Would it be faster to have a bit in Symbol::flags()?
+  GotoIf(WordEqual(name, LoadRoot(Heap::kconstructor_stringRootIndex)),
+         if_protector);
+  GotoIf(WordEqual(name, LoadRoot(Heap::kiterator_symbolRootIndex)),
+         if_protector);
+  GotoIf(WordEqual(name, LoadRoot(Heap::kspecies_symbolRootIndex)),
+         if_protector);
+  GotoIf(WordEqual(name, LoadRoot(Heap::kis_concat_spreadable_symbolRootIndex)),
+         if_protector);
+  // Fall through if no case matched.
+}
+
 Node* CodeStubAssembler::LoadReceiverMap(Node* receiver) {
  return Select(TaggedIsSmi(receiver),
                [=] { return LoadRoot(Heap::kHeapNumberMapRootIndex); },

--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@@ -1140,6 +1140,10 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
  // Update the type feedback vector.
  void UpdateFeedback(Node* feedback, Node* feedback_vector, Node* slot_id);

+  // Check if a property name might require protector invalidation when it is
+  // used for a property store or deletion.
+  void CheckForAssociatedProtector(Node* name, Label* if_protector);
+
  Node* LoadReceiverMap(Node* receiver);

  // Emits keyed sloppy arguments load. Returns either the loaded value.

--- a/src/ic/keyed-store-generic.cc
+++ b/src/ic/keyed-store-generic.cc
@@ -789,6 +789,7 @@ void KeyedStoreGenericAssembler::EmitGenericPropertyStore(

      BIND(&data_property);
      {
+        CheckForAssociatedProtector(p->name, slow);
        OverwriteExistingFastProperty(receiver, receiver_map, properties,
                                      descriptors, name_index, details,
                                      p->value, slow);
@@ -822,6 +823,7 @@ void KeyedStoreGenericAssembler::EmitGenericPropertyStore(

      BIND(&overwrite);
      {
+        CheckForAssociatedProtector(p->name, slow);
        StoreValueByKeyIndex<NameDictionary>(properties, var_name_index.value(),
                                             p->value);
        Return(p->value);
@@ -830,6 +832,7 @@ void KeyedStoreGenericAssembler::EmitGenericPropertyStore(

    BIND(&not_found);
    {
+      CheckForAssociatedProtector(p->name, slow);
      Label extensible(this);
      GotoIf(IsPrivateSymbol(p->name), &extensible);
      Node* bitfield2 = LoadMapBitField2(receiver_map);

--- a/src/lookup.h
+++ b/src/lookup.h
@@ -260,10 +260,11 @@ class V8_EXPORT_PRIVATE LookupIterator final BASE_EMBEDDED {
  void WriteDataValue(Handle<Object> value, bool initializing_store);
  inline void UpdateProtector() {
    if (IsElement()) return;
+    // This list must be kept in sync with
+    // CodeStubAssembler::HasAssociatedProtector!
    if (*name_ == heap()->is_concat_spreadable_symbol() ||
        *name_ == heap()->constructor_string() ||
        *name_ == heap()->species_symbol() ||
-        *name_ == heap()->has_instance_symbol() ||
        *name_ == heap()->iterator_symbol()) {
      InternalUpdateProtector();
    }

--- a/test/mjsunit/keyed-store-generic.js
+++ b/test/mjsunit/keyed-store-generic.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --no-stress-opt
+
+function f(a, i, v) { a[i] = v; }
+f("make it generic", 0, 0);
+
+(function TestIsConcatSpreadableProtector() {
+  var o = {length: 1, '0': 99};
+  %OptimizeObjectForAddingMultipleProperties(o, 0);
+  f(o, Symbol.isConcatSpreadable, true);
+  assertEquals([99], [].concat(o));
+})();
+
+(function TestSpeciesProtector() {
+  function MyArray() {}
+  assertTrue(%SpeciesProtector());
+  f(Array.prototype, "constructor", MyArray);
+  assertFalse(%SpeciesProtector());
+})();