Commit 7bf6d477 authored by Sathya Gunasekaran's avatar Sathya Gunasekaran Committed by Commit Bot

[runtime] Use instance type checks in LookupIterator::UpdateProtector

Instead of looking up the specific maps in every native context, just
check against the instance type.

Bug: v8:11256
Change-Id: Ib50d599c014c95b03ba3260014dfcbd9ec82982c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2593337Reviewed-by: 's avatarCamillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71802}
parent 67ac2a7d
...@@ -240,12 +240,10 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate, ...@@ -240,12 +240,10 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate,
isolate->CountUsage( isolate->CountUsage(
v8::Isolate::UseCounterFeature::kArrayPrototypeConstructorModified); v8::Isolate::UseCounterFeature::kArrayPrototypeConstructorModified);
Protectors::InvalidateArraySpeciesLookupChain(isolate); Protectors::InvalidateArraySpeciesLookupChain(isolate);
} else if (isolate->IsInAnyContext(*receiver, } else if (receiver->IsJSPromisePrototype()) {
Context::PROMISE_PROTOTYPE_INDEX)) {
if (!Protectors::IsPromiseSpeciesLookupChainIntact(isolate)) return; if (!Protectors::IsPromiseSpeciesLookupChainIntact(isolate)) return;
Protectors::InvalidatePromiseSpeciesLookupChain(isolate); Protectors::InvalidatePromiseSpeciesLookupChain(isolate);
} else if (isolate->IsInAnyContext(*receiver, } else if (receiver->IsJSRegExpPrototype()) {
Context::REGEXP_PROTOTYPE_INDEX)) {
if (!Protectors::IsRegExpSpeciesLookupChainIntact(isolate)) return; if (!Protectors::IsRegExpSpeciesLookupChainIntact(isolate)) return;
Protectors::InvalidateRegExpSpeciesLookupChain(isolate); Protectors::InvalidateRegExpSpeciesLookupChain(isolate);
} else if (receiver->IsJSTypedArrayPrototype()) { } else if (receiver->IsJSTypedArrayPrototype()) {
...@@ -255,26 +253,21 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate, ...@@ -255,26 +253,21 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate,
} }
} else if (*name == roots.next_string()) { } else if (*name == roots.next_string()) {
if (receiver->IsJSArrayIterator() || if (receiver->IsJSArrayIterator() ||
isolate->IsInAnyContext( receiver->IsJSArrayIteratorPrototype()) {
*receiver, Context::INITIAL_ARRAY_ITERATOR_PROTOTYPE_INDEX)) {
// Setting the next property of %ArrayIteratorPrototype% also needs to // Setting the next property of %ArrayIteratorPrototype% also needs to
// invalidate the array iterator protector. // invalidate the array iterator protector.
if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return; if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return;
Protectors::InvalidateArrayIteratorLookupChain(isolate); Protectors::InvalidateArrayIteratorLookupChain(isolate);
} else if (receiver->IsJSMapIterator() || } else if (receiver->IsJSMapIterator() ||
isolate->IsInAnyContext( receiver->IsJSMapIteratorPrototype()) {
*receiver, Context::INITIAL_MAP_ITERATOR_PROTOTYPE_INDEX)) {
if (!Protectors::IsMapIteratorLookupChainIntact(isolate)) return; if (!Protectors::IsMapIteratorLookupChainIntact(isolate)) return;
Protectors::InvalidateMapIteratorLookupChain(isolate); Protectors::InvalidateMapIteratorLookupChain(isolate);
} else if (receiver->IsJSSetIterator() || } else if (receiver->IsJSSetIterator() ||
isolate->IsInAnyContext( receiver->IsJSSetIteratorPrototype()) {
*receiver, Context::INITIAL_SET_ITERATOR_PROTOTYPE_INDEX)) {
if (!Protectors::IsSetIteratorLookupChainIntact(isolate)) return; if (!Protectors::IsSetIteratorLookupChainIntact(isolate)) return;
Protectors::InvalidateSetIteratorLookupChain(isolate); Protectors::InvalidateSetIteratorLookupChain(isolate);
} else if (receiver->IsJSStringIterator() || } else if (receiver->IsJSStringIterator() ||
isolate->IsInAnyContext( receiver->IsJSStringIteratorPrototype()) {
*receiver,
Context::INITIAL_STRING_ITERATOR_PROTOTYPE_INDEX)) {
// Setting the next property of %StringIteratorPrototype% invalidates the // Setting the next property of %StringIteratorPrototype% invalidates the
// string iterator protector. // string iterator protector.
if (!Protectors::IsStringIteratorLookupChainIntact(isolate)) return; if (!Protectors::IsStringIteratorLookupChainIntact(isolate)) return;
...@@ -314,21 +307,17 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate, ...@@ -314,21 +307,17 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate,
if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return; if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return;
Protectors::InvalidateArrayIteratorLookupChain(isolate); Protectors::InvalidateArrayIteratorLookupChain(isolate);
} else if (receiver->IsJSSet(isolate) || receiver->IsJSSetIterator() || } else if (receiver->IsJSSet(isolate) || receiver->IsJSSetIterator() ||
isolate->IsInAnyContext( receiver->IsJSSetIteratorPrototype() ||
*receiver, Context::INITIAL_SET_ITERATOR_PROTOTYPE_INDEX) || receiver->IsJSSetPrototype()) {
isolate->IsInAnyContext(*receiver,
Context::INITIAL_SET_PROTOTYPE_INDEX)) {
if (Protectors::IsSetIteratorLookupChainIntact(isolate)) { if (Protectors::IsSetIteratorLookupChainIntact(isolate)) {
Protectors::InvalidateSetIteratorLookupChain(isolate); Protectors::InvalidateSetIteratorLookupChain(isolate);
} }
} else if (receiver->IsJSMapIterator() || } else if (receiver->IsJSMapIterator() ||
isolate->IsInAnyContext( receiver->IsJSMapIteratorPrototype()) {
*receiver, Context::INITIAL_MAP_ITERATOR_PROTOTYPE_INDEX)) {
if (Protectors::IsMapIteratorLookupChainIntact(isolate)) { if (Protectors::IsMapIteratorLookupChainIntact(isolate)) {
Protectors::InvalidateMapIteratorLookupChain(isolate); Protectors::InvalidateMapIteratorLookupChain(isolate);
} }
} else if (isolate->IsInAnyContext( } else if (receiver->IsJSIteratorPrototype()) {
*receiver, Context::INITIAL_ITERATOR_PROTOTYPE_INDEX)) {
if (Protectors::IsMapIteratorLookupChainIntact(isolate)) { if (Protectors::IsMapIteratorLookupChainIntact(isolate)) {
Protectors::InvalidateMapIteratorLookupChain(isolate); Protectors::InvalidateMapIteratorLookupChain(isolate);
} }
...@@ -360,10 +349,8 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate, ...@@ -360,10 +349,8 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate,
// to guard the fast-path in AsyncGeneratorResolve, where we can skip // to guard the fast-path in AsyncGeneratorResolve, where we can skip
// the ResolvePromise step and go directly to FulfillPromise if we // the ResolvePromise step and go directly to FulfillPromise if we
// know that the Object.prototype doesn't contain a "then" method. // know that the Object.prototype doesn't contain a "then" method.
if (receiver->IsJSPromise(isolate) || if (receiver->IsJSPromise(isolate) || receiver->IsJSObjectPrototype() ||
isolate->IsInAnyContext(*receiver, receiver->IsJSPromisePrototype()) {
Context::INITIAL_OBJECT_PROTOTYPE_INDEX) ||
isolate->IsInAnyContext(*receiver, Context::PROMISE_PROTOTYPE_INDEX)) {
Protectors::InvalidatePromiseThenLookupChain(isolate); Protectors::InvalidatePromiseThenLookupChain(isolate);
} }
} }
......
...@@ -1338,6 +1338,34 @@ TYPED_ARRAYS(FIXED_TYPED_ARRAYS_CHECK_RUNTIME_FUNCTION) ...@@ -1338,6 +1338,34 @@ TYPED_ARRAYS(FIXED_TYPED_ARRAYS_CHECK_RUNTIME_FUNCTION)
#undef FIXED_TYPED_ARRAYS_CHECK_RUNTIME_FUNCTION #undef FIXED_TYPED_ARRAYS_CHECK_RUNTIME_FUNCTION
RUNTIME_FUNCTION(Runtime_IsConcatSpreadableProtector) {
SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length());
return isolate->heap()->ToBoolean(
Protectors::IsIsConcatSpreadableLookupChainIntact(isolate));
}
RUNTIME_FUNCTION(Runtime_TypedArraySpeciesProtector) {
SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length());
return isolate->heap()->ToBoolean(
Protectors::IsTypedArraySpeciesLookupChainIntact(isolate));
}
RUNTIME_FUNCTION(Runtime_RegExpSpeciesProtector) {
SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length());
return isolate->heap()->ToBoolean(
Protectors::IsRegExpSpeciesLookupChainIntact(isolate));
}
RUNTIME_FUNCTION(Runtime_PromiseSpeciesProtector) {
SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length());
return isolate->heap()->ToBoolean(
Protectors::IsPromiseSpeciesLookupChainIntact(isolate));
}
RUNTIME_FUNCTION(Runtime_ArraySpeciesProtector) { RUNTIME_FUNCTION(Runtime_ArraySpeciesProtector) {
SealHandleScope shs(isolate); SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length()); DCHECK_EQ(0, args.length());
...@@ -1366,6 +1394,12 @@ RUNTIME_FUNCTION(Runtime_StringIteratorProtector) { ...@@ -1366,6 +1394,12 @@ RUNTIME_FUNCTION(Runtime_StringIteratorProtector) {
Protectors::IsStringIteratorLookupChainIntact(isolate)); Protectors::IsStringIteratorLookupChainIntact(isolate));
} }
RUNTIME_FUNCTION(Runtime_ArrayIteratorProtector) {
SealHandleScope shs(isolate);
DCHECK_EQ(0, args.length());
return isolate->heap()->ToBoolean(
Protectors::IsArrayIteratorLookupChainIntact(isolate));
}
// For use by tests and fuzzers. It // For use by tests and fuzzers. It
// //
// 1. serializes a snapshot of the current isolate, // 1. serializes a snapshot of the current isolate,
......
...@@ -520,6 +520,7 @@ namespace internal { ...@@ -520,6 +520,7 @@ namespace internal {
F(RegexpTypeTag, 1, 1) \ F(RegexpTypeTag, 1, 1) \
F(RegexpIsUnmodified, 1, 1) \ F(RegexpIsUnmodified, 1, 1) \
F(MapIteratorProtector, 0, 1) \ F(MapIteratorProtector, 0, 1) \
F(ArrayIteratorProtector, 0, 1) \
F(NeverOptimizeFunction, 1, 1) \ F(NeverOptimizeFunction, 1, 1) \
F(NotifyContextDisposed, 0, 1) \ F(NotifyContextDisposed, 0, 1) \
F(OptimizeFunctionOnNextCall, -1, 1) \ F(OptimizeFunctionOnNextCall, -1, 1) \
...@@ -544,6 +545,7 @@ namespace internal { ...@@ -544,6 +545,7 @@ namespace internal {
F(TraceEnter, 0, 1) \ F(TraceEnter, 0, 1) \
F(TraceExit, 1, 1) \ F(TraceExit, 1, 1) \
F(TurbofanStaticAssert, 1, 1) \ F(TurbofanStaticAssert, 1, 1) \
F(TypedArraySpeciesProtector, 0, 1) \
F(UnblockConcurrentRecompilation, 0, 1) \ F(UnblockConcurrentRecompilation, 0, 1) \
F(WasmGetNumberOfInstances, 1, 1) \ F(WasmGetNumberOfInstances, 1, 1) \
F(WasmNumCodeSpaces, 1, 1) \ F(WasmNumCodeSpaces, 1, 1) \
...@@ -553,7 +555,10 @@ namespace internal { ...@@ -553,7 +555,10 @@ namespace internal {
F(WasmTraceEnter, 0, 1) \ F(WasmTraceEnter, 0, 1) \
F(WasmTraceExit, 1, 1) \ F(WasmTraceExit, 1, 1) \
F(WasmTraceMemory, 1, 1) \ F(WasmTraceMemory, 1, 1) \
I(DeoptimizeNow, 0, 1) I(DeoptimizeNow, 0, 1) \
F(PromiseSpeciesProtector, 0, 1) \
F(IsConcatSpreadableProtector, 0, 1) \
F(RegExpSpeciesProtector, 0, 1)
#define FOR_EACH_INTRINSIC_TYPEDARRAY(F, I) \ #define FOR_EACH_INTRINSIC_TYPEDARRAY(F, I) \
F(ArrayBufferDetach, 1, 1) \ F(ArrayBufferDetach, 1, 1) \
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty([], "constructor", { value: {} });
assertFalse(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Array.prototype, "constructor", { value: {} });
assertFalse(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty([], Symbol.iterator, { value: {} });
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertFalse(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty(Array.prototype, Symbol.iterator, { value: {} });
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertFalse(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty([].values(), "next", { value: {}})
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertFalse(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const arrayIteratorPrototype = Object.getPrototypeOf([].values());
Object.defineProperty(arrayIteratorPrototype, "next", { value: {}})
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertFalse(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyBigInt64Array extends BigInt64Array { }
Object.defineProperty(BigInt64Array, Symbol.species, { value: MyBigInt64Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyBigUint64Array extends BigUint64Array { }
Object.defineProperty(BigUint64Array, Symbol.species, { value: MyBigUint64Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%IsConcatSpreadableProtector());
Object.defineProperty(Array, Symbol.isConcatSpreadable, { value: false });
assertFalse(%IsConcatSpreadableProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyFloat32Array extends Float32Array { }
Object.defineProperty(Float32Array, Symbol.species, { value: MyFloat32Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyFloat64Array extends Float64Array { }
Object.defineProperty(Float64Array, Symbol.species, { value: MyFloat64Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyInt16Array extends Int16Array { }
Object.defineProperty(Int16Array, Symbol.species, { value: MyInt16Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyInt32Array extends Int32Array { }
Object.defineProperty(Int32Array, Symbol.species, { value: MyInt32Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyInt8Array extends Int8Array { }
Object.defineProperty(Int8Array, Symbol.species, { value: MyInt8Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const iteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]()))
Object.defineProperty(iteratorPrototype, Symbol.iterator, { value: {} });
assertFalse(%SetIteratorProtector());
assertFalse(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const mapIterator = new Map().values();
Object.defineProperty(mapIterator, Symbol.iterator, { value: {} });
assertTrue(%SetIteratorProtector());
assertFalse(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const mapIteratorProto = Object.getPrototypeOf(new Map().values());
Object.defineProperty(mapIteratorProto, Symbol.iterator, { value: {} });
assertTrue(%SetIteratorProtector());
assertFalse(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const mapIterator = new Map().values();
Object.defineProperty(mapIterator, "next", { value: {} });
assertTrue(%SetIteratorProtector());
assertFalse(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const mapIteratorPrototype = Object.getPrototypeOf(new Map().values());
Object.defineProperty(mapIteratorPrototype, "next", { value: {} });
assertTrue(%SetIteratorProtector());
assertFalse(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Promise.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertFalse(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Promise(() => { }), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertFalse(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(RegExp.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertFalse(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new RegExp(''), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertFalse(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty(new Set(), Symbol.iterator, { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty(Set.prototype, Symbol.iterator, { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
Object.defineProperty(new Set().values(), Symbol.iterator, { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const setIteratorPrototype = Object.getPrototypeOf(new Set().values())
Object.defineProperty(new Set(), Symbol.iterator, { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const setIterator = new Set().values();
Object.defineProperty(setIterator, "next", { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
const setIteratorPrototype = Object.getPrototypeOf(new Set().values());
Object.defineProperty(setIteratorPrototype, "next", { value: {} });
assertFalse(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
class MyArray extends Array { }
Object.defineProperty(Array, Symbol.species, { value: MyArray });
assertFalse(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
class MyPromise extends Promise { }
Object.defineProperty(Promise, Symbol.species, { value: MyPromise });
assertFalse(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
class MyRegExp extends RegExp { }
Object.defineProperty(RegExp, Symbol.species, { value: MyRegExp });
assertFalse(%RegExpSpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%StringIteratorProtector());
Object.defineProperty(String.prototype, Symbol.iterator, { value: {} });
assertFalse(%StringIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
var str = 'ott';
var iterator = str[Symbol.iterator]();
iterator.__proto__.next = () => ({value : undefined, done : true});
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertFalse(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertTrue(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
var str = 'ott';
var iterator = str[Symbol.iterator]();
iterator.next = () => ({value : undefined, done : true});
assertTrue(%SetIteratorProtector());
assertTrue(%MapIteratorProtector());
assertFalse(%StringIteratorProtector());
assertTrue(%ArrayIteratorProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Int8Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new BigUint64Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Uint8Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Int16Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Uint16Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Int32Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Uint32Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Float32Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new Float64Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(new BigInt64Array(8), "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Int8Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(BigUint64Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Uint8Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Int16Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Uint16Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Int32Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Uint32Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Float32Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(Float64Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertTrue(%TypedArraySpeciesProtector());
Object.defineProperty(BigInt64Array.prototype, "constructor", { value: {} });
assertTrue(%ArraySpeciesProtector());
assertTrue(%PromiseSpeciesProtector());
assertTrue(%RegExpSpeciesProtector());
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyUint16Array extends Uint16Array { }
Object.defineProperty(Uint16Array, Symbol.species, { value: MyUint16Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyUint32Array extends Uint32Array { }
Object.defineProperty(Uint32Array, Symbol.species, { value: MyUint32Array });
assertFalse(%TypedArraySpeciesProtector());
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-stress-opt
assertTrue(%TypedArraySpeciesProtector());
class MyUint8Array extends Uint8Array { }
Object.defineProperty(Uint8Array, Symbol.species, { value: MyUint8Array });
assertFalse(%TypedArraySpeciesProtector());
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment