Plumb Isolate through GetDataProperty

Currently the Isolate is gotten off of the object that the operation is being performed on. GetDataProperty may end up using a per-Isolate lookup cache, which is not threadsafe when the Isolate is shared. Plumb the executing, non-shared Isolate through. Bug: v8:12646, v8:12547 Change-Id: Ia08ece9a9e8cbd7eba9ea38b01caa511895f5bf4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3475084Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#79180}

Plumb Isolate through GetDataProperty
Currently the Isolate is gotten off of the object that the operation is being performed on. GetDataProperty may end up using a per-Isolate lookup cache, which is not threadsafe when the Isolate is shared. Plumb the executing, non-shared Isolate through. Bug: v8:12646, v8:12547 Change-Id: Ia08ece9a9e8cbd7eba9ea38b01caa511895f5bf4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3475084Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#79180}
489527d4 · Shu-yu Guo · V8 LUCI CQ · a781137c · 489527d4 · 489527d4
Commit 489527d4 authored Feb 18, 2022 by Shu-yu Guo Committed by V8 LUCI CQ Feb 18, 2022
15 changed files
--- a/src/asmjs/asm-js.cc
+++ b/src/asmjs/asm-js.cc
@@ -42,10 +42,11 @@ Handle<Object> StdlibMathMember(Isolate* isolate, Handle<JSReceiver> stdlib,
                                Handle<Name> name) {
  Handle<Name> math_name(
      isolate->factory()->InternalizeString(base::StaticCharVector("Math")));
-  Handle<Object> math = JSReceiver::GetDataProperty(stdlib, math_name);
+  Handle<Object> math = JSReceiver::GetDataProperty(isolate, stdlib, math_name);
  if (!math->IsJSReceiver()) return isolate->factory()->undefined_value();
  Handle<JSReceiver> math_receiver = Handle<JSReceiver>::cast(math);
-  Handle<Object> value = JSReceiver::GetDataProperty(math_receiver, name);
+  Handle<Object> value =
+      JSReceiver::GetDataProperty(isolate, math_receiver, name);
  return value;
 }

@@ -55,13 +56,13 @@ bool AreStdlibMembersValid(Isolate* isolate, Handle<JSReceiver> stdlib,
  if (members.contains(wasm::AsmJsParser::StandardMember::kInfinity)) {
    members.Remove(wasm::AsmJsParser::StandardMember::kInfinity);
    Handle<Name> name = isolate->factory()->Infinity_string();
-    Handle<Object> value = JSReceiver::GetDataProperty(stdlib, name);
+    Handle<Object> value = JSReceiver::GetDataProperty(isolate, stdlib, name);
    if (!value->IsNumber() || !std::isinf(value->Number())) return false;
  }
  if (members.contains(wasm::AsmJsParser::StandardMember::kNaN)) {
    members.Remove(wasm::AsmJsParser::StandardMember::kNaN);
    Handle<Name> name = isolate->factory()->NaN_string();
-    Handle<Object> value = JSReceiver::GetDataProperty(stdlib, name);
+    Handle<Object> value = JSReceiver::GetDataProperty(isolate, stdlib, name);
    if (!value->IsNaN()) return false;
  }
 #define STDLIB_MATH_FUNC(fname, FName, ignore1, ignore2)                   \
@@ -91,16 +92,16 @@ bool AreStdlibMembersValid(Isolate* isolate, Handle<JSReceiver> stdlib,
  }
  STDLIB_MATH_VALUE_LIST(STDLIB_MATH_CONST)
 #undef STDLIB_MATH_CONST
-#define STDLIB_ARRAY_TYPE(fname, FName)                                \
-  if (members.contains(wasm::AsmJsParser::StandardMember::k##FName)) { \
-    members.Remove(wasm::AsmJsParser::StandardMember::k##FName);       \
-    *is_typed_array = true;                                            \
-    Handle<Name> name(isolate->factory()->InternalizeString(           \
-        base::StaticCharVector(#FName)));                              \
-    Handle<Object> value = JSReceiver::GetDataProperty(stdlib, name);  \
-    if (!value->IsJSFunction()) return false;                          \
-    Handle<JSFunction> func = Handle<JSFunction>::cast(value);         \
-    if (!func.is_identical_to(isolate->fname())) return false;         \
+#define STDLIB_ARRAY_TYPE(fname, FName)                                        \
+  if (members.contains(wasm::AsmJsParser::StandardMember::k##FName)) {         \
+    members.Remove(wasm::AsmJsParser::StandardMember::k##FName);               \
+    *is_typed_array = true;                                                    \
+    Handle<Name> name(isolate->factory()->InternalizeString(                   \
+        base::StaticCharVector(#FName)));                                      \
+    Handle<Object> value = JSReceiver::GetDataProperty(isolate, stdlib, name); \
+    if (!value->IsJSFunction()) return false;                                  \
+    Handle<JSFunction> func = Handle<JSFunction>::cast(value);                 \
+    if (!func.is_identical_to(isolate->fname())) return false;                 \
  }
  STDLIB_ARRAY_TYPE(int8_array_fun, Int8Array)
  STDLIB_ARRAY_TYPE(uint8_array_fun, Uint8Array)

--- a/src/builtins/builtins-console.cc
+++ b/src/builtins/builtins-console.cc
@@ -150,11 +150,12 @@ void ConsoleCall(
  HandleScope scope(isolate);
  debug::ConsoleCallArguments wrapper(args);
  Handle<Object> context_id_obj = JSObject::GetDataProperty(
-      args.target(), isolate->factory()->console_context_id_symbol());
+      isolate, args.target(), isolate->factory()->console_context_id_symbol());
  int context_id =
      context_id_obj->IsSmi() ? Handle<Smi>::cast(context_id_obj)->value() : 0;
  Handle<Object> context_name_obj = JSObject::GetDataProperty(
-      args.target(), isolate->factory()->console_context_name_symbol());
+      isolate, args.target(),
+      isolate->factory()->console_context_name_symbol());
  Handle<String> context_name = context_name_obj->IsString()
                                    ? Handle<String>::cast(context_name_obj)
                                    : isolate->factory()->anonymous_string();

--- a/src/debug/debug-evaluate.cc
+++ b/src/debug/debug-evaluate.cc
@@ -283,8 +283,8 @@ void DebugEvaluate::ContextBuilder::UpdateValues() {
      for (int i = 0; i < keys->length(); i++) {
        DCHECK(keys->get(i).IsString());
        Handle<String> key(String::cast(keys->get(i)), isolate_);
-        Handle<Object> value =
-            JSReceiver::GetDataProperty(element.materialized_object, key);
+        Handle<Object> value = JSReceiver::GetDataProperty(
+            isolate_, element.materialized_object, key);
        scope_iterator_.SetVariableValue(key, value);
      }
    }

--- a/src/debug/debug-interface.cc
+++ b/src/debug/debug-interface.cc
@@ -1224,7 +1224,7 @@ MaybeLocal<Message> GetMessageFromPromise(Local<Promise> p) {

  i::Handle<i::Symbol> key = isolate->factory()->promise_debug_message_symbol();
  i::Handle<i::Object> maybeMessage =
-      i::JSReceiver::GetDataProperty(promise, key);
+      i::JSReceiver::GetDataProperty(isolate, promise, key);

  if (!maybeMessage->IsJSMessageObject(isolate)) return MaybeLocal<Message>();
  return ToApiHandle<Message>(

--- a/src/debug/debug-scopes.cc
+++ b/src/debug/debug-scopes.cc
@@ -964,7 +964,8 @@ void ScopeIterator::VisitLocalScope(const Visitor& visitor, Mode mode,
      // Names of variables introduced by eval are strings.
      DCHECK(keys->get(i).IsString());
      Handle<String> key(String::cast(keys->get(i)), isolate_);
-      Handle<Object> value = JSReceiver::GetDataProperty(extension, key);
+      Handle<Object> value =
+          JSReceiver::GetDataProperty(isolate_, extension, key);
      if (visitor(key, value, scope_type)) return;
    }
  }

--- a/src/debug/debug.cc
+++ b/src/debug/debug.cc
@@ -1271,7 +1271,8 @@ void Debug::PrepareStep(StepAction step_action) {
          Handle<JSReceiver> return_value(
              JSReceiver::cast(thread_local_.return_value_), isolate_);
          Handle<Object> awaited_by = JSReceiver::GetDataProperty(
-              return_value, isolate_->factory()->promise_awaited_by_symbol());
+              isolate_, return_value,
+              isolate_->factory()->promise_awaited_by_symbol());
          if (awaited_by->IsJSGeneratorObject()) {
            DCHECK(!has_suspended_generator());
            thread_local_.suspended_generator_ = *awaited_by;
@@ -2141,7 +2142,8 @@ void Debug::OnPromiseReject(Handle<Object> promise, Handle<Object> value) {
  // Check whether the promise has been marked as having triggered a message.
  Handle<Symbol> key = isolate_->factory()->promise_debug_marker_symbol();
  if (!promise->IsJSObject() ||
-      JSReceiver::GetDataProperty(Handle<JSObject>::cast(promise), key)
+      JSReceiver::GetDataProperty(isolate_, Handle<JSObject>::cast(promise),
+                                  key)
          ->IsUndefined(isolate_)) {
    OnException(value, promise, v8::debug::kPromiseRejection);
  }

--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@@ -901,7 +901,8 @@ bool GetStackTraceLimit(Isolate* isolate, int* result) {
  Handle<JSObject> error = isolate->error_function();

  Handle<String> key = isolate->factory()->stackTraceLimit_string();
-  Handle<Object> stack_trace_limit = JSReceiver::GetDataProperty(error, key);
+  Handle<Object> stack_trace_limit =
+      JSReceiver::GetDataProperty(isolate, error, key);
  if (!stack_trace_limit->IsNumber()) return false;

  // Ensure that limit is not negative.
@@ -1226,7 +1227,7 @@ MaybeHandle<JSObject> Isolate::CaptureAndSetErrorStack(
 Handle<FixedArray> Isolate::GetDetailedStackTrace(
    Handle<JSReceiver> error_object) {
  Handle<Object> error_stack = JSReceiver::GetDataProperty(
-      error_object, factory()->error_stack_symbol());
+      this, error_object, factory()->error_stack_symbol());
  if (!error_stack->IsErrorStackData()) {
    return Handle<FixedArray>();
  }
@@ -1243,7 +1244,7 @@ Handle<FixedArray> Isolate::GetDetailedStackTrace(
 Handle<FixedArray> Isolate::GetSimpleStackTrace(
    Handle<JSReceiver> error_object) {
  Handle<Object> error_stack = JSReceiver::GetDataProperty(
-      error_object, factory()->error_stack_symbol());
+      this, error_object, factory()->error_stack_symbol());
  if (error_stack->IsFixedArray()) {
    return Handle<FixedArray>::cast(error_stack);
  }
@@ -2349,19 +2350,19 @@ bool Isolate::ComputeLocationFromException(MessageLocation* target,

  Handle<Name> start_pos_symbol = factory()->error_start_pos_symbol();
  Handle<Object> start_pos = JSReceiver::GetDataProperty(
-      Handle<JSObject>::cast(exception), start_pos_symbol);
+      this, Handle<JSObject>::cast(exception), start_pos_symbol);
  if (!start_pos->IsSmi()) return false;
  int start_pos_value = Handle<Smi>::cast(start_pos)->value();

  Handle<Name> end_pos_symbol = factory()->error_end_pos_symbol();
  Handle<Object> end_pos = JSReceiver::GetDataProperty(
-      Handle<JSObject>::cast(exception), end_pos_symbol);
+      this, Handle<JSObject>::cast(exception), end_pos_symbol);
  if (!end_pos->IsSmi()) return false;
  int end_pos_value = Handle<Smi>::cast(end_pos)->value();

  Handle<Name> script_symbol = factory()->error_script_symbol();
  Handle<Object> script = JSReceiver::GetDataProperty(
-      Handle<JSObject>::cast(exception), script_symbol);
+      this, Handle<JSObject>::cast(exception), script_symbol);
  if (!script->IsScript()) return false;

  Handle<Script> cast_script(Script::cast(*script), this);
@@ -2620,7 +2621,8 @@ bool PromiseIsRejectHandler(Isolate* isolate, Handle<JSReceiver> handler) {
  //    has a dependency edge to the generated outer Promise.
  // Otherwise, this is a real reject handler for the Promise.
  Handle<Symbol> key = isolate->factory()->promise_forwarding_handler_symbol();
-  Handle<Object> forwarding_handler = JSReceiver::GetDataProperty(handler, key);
+  Handle<Object> forwarding_handler =
+      JSReceiver::GetDataProperty(isolate, handler, key);
  return forwarding_handler->IsUndefined(isolate);
 }

@@ -2664,7 +2666,8 @@ bool Isolate::PromiseHasUserDefinedRejectHandler(Handle<JSPromise> promise) {
    if (promise->status() == Promise::kPending) {
      promises.push(promise);
    }
-    Handle<Object> outer_promise_obj = JSObject::GetDataProperty(promise, key);
+    Handle<Object> outer_promise_obj =
+        JSObject::GetDataProperty(this, promise, key);
    if (!outer_promise_obj->IsJSPromise()) break;
    promise = Handle<JSPromise>::cast(outer_promise_obj);
  }

--- a/src/execution/messages.cc
+++ b/src/execution/messages.cc
@@ -998,7 +998,7 @@ MaybeHandle<Object> ErrorUtils::GetFormattedStack(
  TRACE_EVENT0(TRACE_DISABLED_BY_DEFAULT("v8.stack_trace"), __func__);

  Handle<Object> error_stack = JSReceiver::GetDataProperty(
-      error_object, isolate->factory()->error_stack_symbol());
+      isolate, error_object, isolate->factory()->error_stack_symbol());
  if (error_stack->IsErrorStackData()) {
    Handle<ErrorStackData> error_stack_data =
        Handle<ErrorStackData>::cast(error_stack);
@@ -1041,7 +1041,7 @@ void ErrorUtils::SetFormattedStack(Isolate* isolate,
                                   Handle<JSObject> error_object,
                                   Handle<Object> formatted_stack) {
  Handle<Object> error_stack = JSReceiver::GetDataProperty(
-      error_object, isolate->factory()->error_stack_symbol());
+      isolate, error_object, isolate->factory()->error_stack_symbol());
  if (error_stack->IsErrorStackData()) {
    Handle<ErrorStackData> error_stack_data =
        Handle<ErrorStackData>::cast(error_stack);

--- a/src/objects/js-function.cc
+++ b/src/objects/js-function.cc
@@ -756,7 +756,8 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
                               JSReceiver::GetFunctionRealm(new_target), Map);
    DCHECK(context->IsNativeContext());
    Handle<Object> maybe_index = JSReceiver::GetDataProperty(
-        constructor, isolate->factory()->native_context_index_symbol());
+        isolate, constructor,
+        isolate->factory()->native_context_index_symbol());
    int index = maybe_index->IsSmi() ? Smi::ToInt(*maybe_index)
                                     : Context::OBJECT_FUNCTION_INDEX;
    Handle<JSFunction> realm_constructor(JSFunction::cast(context->get(index)),
@@ -880,7 +881,7 @@ Handle<String> JSFunction::GetDebugName(Handle<JSFunction> function) {
    // that exact behavior and go with SharedFunctionInfo::DebugName()
    // in case of the fast-path.
    Handle<Object> name =
-        GetDataProperty(function, isolate->factory()->name_string());
+        GetDataProperty(isolate, function, isolate->factory()->name_string());
    if (name->IsString()) return Handle<String>::cast(name);
  }
  return SharedFunctionInfo::DebugName(handle(function->shared(), isolate));
@@ -935,7 +936,7 @@ Handle<String> JSFunction::ToString(Handle<JSFunction> function) {

  // Check if we should print {function} as a class.
  Handle<Object> maybe_class_positions = JSReceiver::GetDataProperty(
-      function, isolate->factory()->class_positions_symbol());
+      isolate, function, isolate->factory()->class_positions_symbol());
  if (maybe_class_positions->IsClassPositions()) {
    ClassPositions class_positions =
        ClassPositions::cast(*maybe_class_positions);

--- a/src/objects/js-objects-inl.h
+++ b/src/objects/js-objects-inl.h
@@ -85,9 +85,10 @@ MaybeHandle<Object> JSReceiver::GetElement(Isolate* isolate,
  return Object::GetProperty(&it);
 }

-Handle<Object> JSReceiver::GetDataProperty(Handle<JSReceiver> object,
+Handle<Object> JSReceiver::GetDataProperty(Isolate* isolate,
+                                           Handle<JSReceiver> object,
                                           Handle<Name> name) {
-  LookupIterator it(object->GetIsolate(), object, name, object,
+  LookupIterator it(isolate, object, name, object,
                    LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
  if (!it.IsFound()) return it.factory()->undefined_value();
  return GetDataProperty(&it);

--- a/src/objects/js-objects.h
+++ b/src/objects/js-objects.h
@@ -260,7 +260,8 @@ class JSReceiver : public TorqueGeneratedJSReceiver<JSReceiver, HeapObject> {
      Isolate* isolate, Handle<JSReceiver> object, Handle<Object> value,
      bool from_javascript, ShouldThrow should_throw);

-  inline static Handle<Object> GetDataProperty(Handle<JSReceiver> object,
+  inline static Handle<Object> GetDataProperty(Isolate* isolate,
+                                               Handle<JSReceiver> object,
                                               Handle<Name> name);
  V8_EXPORT_PRIVATE static Handle<Object> GetDataProperty(
      LookupIterator* it, AllocationPolicy allocation_policy =

--- a/src/objects/objects.cc
+++ b/src/objects/objects.cc
@@ -441,11 +441,11 @@ Handle<String> AsStringOrEmpty(Isolate* isolate, Handle<Object> object) {
 Handle<String> NoSideEffectsErrorToString(Isolate* isolate,
                                          Handle<JSReceiver> error) {
  Handle<Name> name_key = isolate->factory()->name_string();
-  Handle<Object> name = JSReceiver::GetDataProperty(error, name_key);
+  Handle<Object> name = JSReceiver::GetDataProperty(isolate, error, name_key);
  Handle<String> name_str = AsStringOrEmpty(isolate, name);

  Handle<Name> msg_key = isolate->factory()->message_string();
-  Handle<Object> msg = JSReceiver::GetDataProperty(error, msg_key);
+  Handle<Object> msg = JSReceiver::GetDataProperty(isolate, error, msg_key);
  Handle<String> msg_str = AsStringOrEmpty(isolate, msg);

  if (name_str->length() == 0) return msg_str;
@@ -530,7 +530,7 @@ MaybeHandle<String> Object::NoSideEffectsToMaybeString(Isolate* isolate,
    // -- J S R e c e i v e r
    Handle<JSReceiver> receiver = Handle<JSReceiver>::cast(input);
    Handle<Object> to_string = JSReceiver::GetDataProperty(
-        receiver, isolate->factory()->toString_string());
+        isolate, receiver, isolate->factory()->toString_string());

    if (IsErrorObject(isolate, input) ||
        *to_string == *isolate->error_to_string()) {
@@ -541,7 +541,7 @@ MaybeHandle<String> Object::NoSideEffectsToMaybeString(Isolate* isolate,
                                        Handle<JSReceiver>::cast(input));
    } else if (*to_string == *isolate->object_to_string()) {
      Handle<Object> ctor = JSReceiver::GetDataProperty(
-          receiver, isolate->factory()->constructor_string());
+          isolate, receiver, isolate->factory()->constructor_string());
      if (ctor->IsFunction()) {
        Handle<String> ctor_name;
        if (ctor->IsJSBoundFunction()) {
@@ -599,7 +599,7 @@ Handle<String> Object::NoSideEffectsToString(Isolate* isolate,

  Handle<String> builtin_tag = handle(receiver->class_name(), isolate);
  Handle<Object> tag_obj = JSReceiver::GetDataProperty(
-      receiver, isolate->factory()->to_string_tag_symbol());
+      isolate, receiver, isolate->factory()->to_string_tag_symbol());
  Handle<String> tag =
      tag_obj->IsString() ? Handle<String>::cast(tag_obj) : builtin_tag;


--- a/src/runtime/runtime-debug.cc
+++ b/src/runtime/runtime-debug.cc
@@ -354,7 +354,7 @@ MaybeHandle<JSArray> Runtime::GetInternalProperties(Isolate* isolate,
      Handle<Symbol> memory_symbol =
          isolate->factory()->array_buffer_wasm_memory_symbol();
      Handle<Object> memory_object =
-          JSObject::GetDataProperty(js_array_buffer, memory_symbol);
+          JSObject::GetDataProperty(isolate, js_array_buffer, memory_symbol);
      if (!memory_object->IsUndefined(isolate)) {
        result = ArrayList::Add(isolate, result,
                                isolate->factory()->NewStringFromAsciiChecked(

--- a/src/runtime/runtime-internal.cc
+++ b/src/runtime/runtime-internal.cc
@@ -721,7 +721,8 @@ RUNTIME_FUNCTION(Runtime_GetInitializerFunction) {

  CONVERT_ARG_HANDLE_CHECKED(JSReceiver, constructor, 0);
  Handle<Symbol> key = isolate->factory()->class_fields_symbol();
-  Handle<Object> initializer = JSReceiver::GetDataProperty(constructor, key);
+  Handle<Object> initializer =
+      JSReceiver::GetDataProperty(isolate, constructor, key);
  return *initializer;
 }


--- a/test/cctest/test-serialize.cc
+++ b/test/cctest/test-serialize.cc
@@ -651,7 +651,8 @@ UNINITIALIZED_TEST(ContextSerializerCustomContext) {
      CHECK(context->global_proxy() == *global_proxy);
      Handle<String> o = isolate->factory()->NewStringFromAsciiChecked("o");
      Handle<JSObject> global_object(context->global_object(), isolate);
-      Handle<Object> property = JSReceiver::GetDataProperty(global_object, o);
+      Handle<Object> property =
+          JSReceiver::GetDataProperty(isolate, global_object, o);
      CHECK(property.is_identical_to(global_proxy));

      v8::Local<v8::Context> v8_context = v8::Utils::ToLocal(context);
@@ -2163,9 +2164,9 @@ TEST(CodeSerializerLargeStrings) {

  CHECK_EQ(6 * 1999999, Handle<String>::cast(copy_result)->length());
  Handle<Object> property = JSReceiver::GetDataProperty(
-      isolate->global_object(), f->NewStringFromAsciiChecked("s"));
+      isolate, isolate->global_object(), f->NewStringFromAsciiChecked("s"));
  CHECK(isolate->heap()->InSpace(HeapObject::cast(*property), LO_SPACE));
-  property = JSReceiver::GetDataProperty(isolate->global_object(),
+  property = JSReceiver::GetDataProperty(isolate, isolate->global_object(),
                                         f->NewStringFromAsciiChecked("t"));
  CHECK(isolate->heap()->InSpace(HeapObject::cast(*property), LO_SPACE));
  // Make sure we do not serialize too much, e.g. include the source string.