[typedarray] Extend ElementsAccessor::CopyElements to all Object types

Previously, Strings without an iterator would go to the runtime path
and fail on because it expected a JSReceiver type. This was in-line
with what the elements accessor expected. We can actually handle all
object types in the final slow path (using LookupIterator) so it is no
problem to change the accept types.

Bug: chromium:816289
Change-Id: Iebb8de0bb7551aee3894c8a23836d079c93726a7
Reviewed-on: https://chromium-review.googlesource.com/937461Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51574}

src/elements.cc

@@ -1039,13 +1039,13 @@ class ElementsAccessorBase : public InternalElementsAccessor {
     UNREACHABLE();
   }
 
-  Object* CopyElements(Handle<JSReceiver> source, Handle<JSObject> destination,
+  Object* CopyElements(Handle<Object> source, Handle<JSObject> destination,
                        size_t length, uint32_t offset) final {
     return Subclass::CopyElementsHandleImpl(source, destination, length,
                                             offset);
   }
 
-  static Object* CopyElementsHandleImpl(Handle<JSReceiver> source,
+  static Object* CopyElementsHandleImpl(Handle<Object> source,
                                         Handle<JSObject> destination,
                                         size_t length, uint32_t offset) {
     UNREACHABLE();
@@ -3433,14 +3433,14 @@ class TypedElementsAccessor
     return false;
   }
 
-  static Object* CopyElementsHandleSlow(Handle<JSReceiver> source,
+  static Object* CopyElementsHandleSlow(Handle<Object> source,
                                         Handle<JSTypedArray> destination,
                                         size_t length, uint32_t offset) {
-    Isolate* isolate = source->GetIsolate();
+    Isolate* isolate = destination->GetIsolate();
     Handle<BackingStore> destination_elements(
         BackingStore::cast(destination->elements()));
     for (uint32_t i = 0; i < length; i++) {
-      LookupIterator it(isolate, source, i, source);
+      LookupIterator it(isolate, source, i);
       Handle<Object> elem;
       ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, elem,
                                          Object::GetProperty(&it));
@@ -3471,7 +3471,7 @@ class TypedElementsAccessor
   // This doesn't guarantee that the destination array will be completely
   // filled. The caller must do this by passing a source with equal length, if
   // that is required.
-  static Object* CopyElementsHandleImpl(Handle<JSReceiver> source,
+  static Object* CopyElementsHandleImpl(Handle<Object> source,
                                         Handle<JSObject> destination,
                                         size_t length, uint32_t offset) {
     Isolate* isolate = destination->GetIsolate();

src/elements.h

@@ -184,7 +184,7 @@ class ElementsAccessor {
                             ElementsKind source_kind,
                             Handle<FixedArrayBase> destination, int size) = 0;
 
-  virtual Object* CopyElements(Handle<JSReceiver> source,
+  virtual Object* CopyElements(Handle<Object> source,
                                Handle<JSObject> destination, size_t length,
                                uint32_t offset = 0) = 0;
 

src/runtime/runtime-typedarray.cc

@@ -48,7 +48,7 @@ RUNTIME_FUNCTION(Runtime_TypedArrayCopyElements) {
   HandleScope scope(isolate);
   DCHECK_EQ(3, args.length());
   CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, target, 0);
-  CONVERT_ARG_HANDLE_CHECKED(JSReceiver, source, 1);
+  CONVERT_ARG_HANDLE_CHECKED(Object, source, 1);
   CONVERT_NUMBER_ARG_HANDLE_CHECKED(length_obj, 2);
 
   size_t length;

test/mjsunit/regress/regress-816289.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+delete String.prototype[Symbol.iterator];
+Int8Array.from("anything");