Commit 6c6a2380 authored by verwaest's avatar verwaest Committed by Commit bot

Also check for access checks and indexed interceptors before allowing fast moving of elements

BUG=

Review URL: https://codereview.chromium.org/1200053002

Cr-Commit-Position: refs/heads/master@{#29215}
parent de62b486
...@@ -184,38 +184,34 @@ static void MoveDoubleElements(FixedDoubleArray* dst, int dst_index, ...@@ -184,38 +184,34 @@ static void MoveDoubleElements(FixedDoubleArray* dst, int dst_index,
} }
static bool ArrayPrototypeHasNoElements(Heap* heap, PrototypeIterator* iter) { static bool ArrayPrototypeHasNoElements(PrototypeIterator* iter) {
DisallowHeapAllocation no_gc; DisallowHeapAllocation no_gc;
for (; !iter->IsAtEnd(); iter->Advance()) { for (; !iter->IsAtEnd(); iter->Advance()) {
if (iter->GetCurrent()->IsJSProxy()) return false; if (iter->GetCurrent()->IsJSProxy()) return false;
if (JSObject::cast(iter->GetCurrent())->elements() != JSObject* current = JSObject::cast(iter->GetCurrent());
heap->empty_fixed_array()) { if (current->IsAccessCheckNeeded()) return false;
return false; if (current->HasIndexedInterceptor()) return false;
} if (current->elements()->length() != 0) return false;
} }
return true; return true;
} }
static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap, static inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,
JSArray* receiver) { JSArray* receiver) {
DisallowHeapAllocation no_gc; DisallowHeapAllocation no_gc;
Isolate* isolate = heap->isolate();
if (!isolate->IsFastArrayConstructorPrototypeChainIntact()) {
return false;
}
// If the array prototype chain is intact (and free of elements), and if the // If the array prototype chain is intact (and free of elements), and if the
// receiver's prototype is the array prototype, then we are done. // receiver's prototype is the array prototype, then we are done.
Object* prototype = receiver->map()->prototype(); Object* prototype = receiver->map()->prototype();
if (prototype->IsJSArray() && if (prototype->IsJSArray() &&
isolate->is_initial_array_prototype(JSArray::cast(prototype))) { isolate->is_initial_array_prototype(JSArray::cast(prototype)) &&
isolate->IsFastArrayConstructorPrototypeChainIntact()) {
return true; return true;
} }
// Slow case. // Slow case.
PrototypeIterator iter(isolate, receiver); PrototypeIterator iter(isolate, receiver);
return ArrayPrototypeHasNoElements(heap, &iter); return ArrayPrototypeHasNoElements(&iter);
} }
...@@ -231,7 +227,7 @@ static inline MaybeHandle<FixedArrayBase> EnsureJSArrayWithWritableFastElements( ...@@ -231,7 +227,7 @@ static inline MaybeHandle<FixedArrayBase> EnsureJSArrayWithWritableFastElements(
// If there may be elements accessors in the prototype chain, the fast path // If there may be elements accessors in the prototype chain, the fast path
// cannot be used if there arguments to add to the array. // cannot be used if there arguments to add to the array.
Heap* heap = isolate->heap(); Heap* heap = isolate->heap();
if (args != NULL && !IsJSArrayFastElementMovingAllowed(heap, *array)) { if (args != NULL && !IsJSArrayFastElementMovingAllowed(isolate, *array)) {
return MaybeHandle<FixedArrayBase>(); return MaybeHandle<FixedArrayBase>();
} }
if (array->map()->is_observed()) return MaybeHandle<FixedArrayBase>(); if (array->map()->is_observed()) return MaybeHandle<FixedArrayBase>();
...@@ -463,7 +459,7 @@ BUILTIN(ArrayShift) { ...@@ -463,7 +459,7 @@ BUILTIN(ArrayShift) {
EnsureJSArrayWithWritableFastElements(isolate, receiver, NULL, 0); EnsureJSArrayWithWritableFastElements(isolate, receiver, NULL, 0);
Handle<FixedArrayBase> elms_obj; Handle<FixedArrayBase> elms_obj;
if (!maybe_elms_obj.ToHandle(&elms_obj) || if (!maybe_elms_obj.ToHandle(&elms_obj) ||
!IsJSArrayFastElementMovingAllowed(heap, JSArray::cast(*receiver))) { !IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
return CallJsBuiltin(isolate, "$arrayShift", args); return CallJsBuiltin(isolate, "$arrayShift", args);
} }
Handle<JSArray> array = Handle<JSArray>::cast(receiver); Handle<JSArray> array = Handle<JSArray>::cast(receiver);
...@@ -566,7 +562,6 @@ BUILTIN(ArrayUnshift) { ...@@ -566,7 +562,6 @@ BUILTIN(ArrayUnshift) {
BUILTIN(ArraySlice) { BUILTIN(ArraySlice) {
HandleScope scope(isolate); HandleScope scope(isolate);
Heap* heap = isolate->heap();
Handle<Object> receiver = args.receiver(); Handle<Object> receiver = args.receiver();
int len = -1; int len = -1;
int relative_start = 0; int relative_start = 0;
...@@ -575,7 +570,7 @@ BUILTIN(ArraySlice) { ...@@ -575,7 +570,7 @@ BUILTIN(ArraySlice) {
DisallowHeapAllocation no_gc; DisallowHeapAllocation no_gc;
if (receiver->IsJSArray()) { if (receiver->IsJSArray()) {
JSArray* array = JSArray::cast(*receiver); JSArray* array = JSArray::cast(*receiver);
if (!IsJSArrayFastElementMovingAllowed(heap, array)) { if (!IsJSArrayFastElementMovingAllowed(isolate, array)) {
AllowHeapAllocation allow_allocation; AllowHeapAllocation allow_allocation;
return CallJsBuiltin(isolate, "$arraySlice", args); return CallJsBuiltin(isolate, "$arraySlice", args);
} }
...@@ -934,12 +929,11 @@ BUILTIN(ArrayConcat) { ...@@ -934,12 +929,11 @@ BUILTIN(ArrayConcat) {
bool has_double = false; bool has_double = false;
{ {
DisallowHeapAllocation no_gc; DisallowHeapAllocation no_gc;
Heap* heap = isolate->heap();
Context* native_context = isolate->context()->native_context(); Context* native_context = isolate->context()->native_context();
Object* array_proto = native_context->array_function()->prototype(); Object* array_proto = native_context->array_function()->prototype();
PrototypeIterator iter(isolate, array_proto, PrototypeIterator iter(isolate, array_proto,
PrototypeIterator::START_AT_RECEIVER); PrototypeIterator::START_AT_RECEIVER);
if (!ArrayPrototypeHasNoElements(heap, &iter)) { if (!ArrayPrototypeHasNoElements(&iter)) {
AllowHeapAllocation allow_allocation; AllowHeapAllocation allow_allocation;
return CallJsBuiltin(isolate, "$arrayConcat", args); return CallJsBuiltin(isolate, "$arrayConcat", args);
} }
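Review bot: IsJSArrayFastElementMovingAllowed still never inspects the receiver's own map — the walk in ArrayPrototypeHasNoElements only sees the objects the iterator yields, and `PrototypeIterator iter(isolate, receiver)` appears to start at the receiver's prototype rather than at the receiver (ArrayConcat passes START_AT_RECEIVER explicitly), so the fast path rests on the unstated assumption that a JSArray can never need an access check or carry an indexed interceptor. If that assumption holds, pin it in the function with `DCHECK(!receiver->IsAccessCheckNeeded());` and `DCHECK(!receiver->HasIndexedInterceptor());` ahead of the prototype test; if it does not, the two new checks belong on the receiver as well. The helper's name also no longer says what it rejects; a header comment such as `// Returns false if any object on the chain is a proxy, needs an access check, has an indexed interceptor, or has a non-empty elements backing store.` would make the contract explicit for the three builtins that call it. The `elements()->length() != 0` test presumably measures a dictionary-mode backing store by its capacity rather than its entry count, which is conservative (falls back to the JS builtin) but is worth stating in that comment so nobody later "fixes" it to count entries.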