Plumb Isolate through FastPropertyAt

Currently the Isolate is gotten off of the object that the operation is
being performed on. Shared objects return the shared Isolate, which is
incorrect as it shouldn't be used to run JS, nor does it have
HandleScopes open. Plumb the executing Isolate through.

Bug: v8:12547
Change-Id: I1cd23b18b5b841c5b4339f52adecf1b86f3253dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441398Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78964}

src/init/bootstrapper.cc

@@ -5959,8 +5959,8 @@ void Genesis::TransferNamedProperties(Handle<JSObject> from,
           // If the property is already there we skip it.
           if (PropertyAlreadyExists(isolate(), to, key)) continue;
           FieldIndex index = FieldIndex::ForDescriptor(from->map(), i);
-          Handle<Object> value =
-              JSObject::FastPropertyAt(from, details.representation(), index);
+          Handle<Object> value = JSObject::FastPropertyAt(
+              isolate(), from, details.representation(), index);
           JSObject::AddProperty(isolate(), to, key, value,
                                 details.attributes());
         } else {

src/json/json-stringifier.cc

@@ -845,8 +845,8 @@ JsonStringifier::Result JsonStringifier::SerializeJSObject(
         *map == object->map(cage_base)) {
       DCHECK_EQ(PropertyKind::kData, details.kind());
       FieldIndex field_index = FieldIndex::ForDescriptor(*map, i);
-      property = JSObject::FastPropertyAt(object, details.representation(),
-                                          field_index);
+      property = JSObject::FastPropertyAt(
+          isolate_, object, details.representation(), field_index);
     } else {
       ASSIGN_RETURN_ON_EXCEPTION_VALUE(
           isolate_, property,

src/objects/js-objects.cc

@@ -291,7 +291,8 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastAssign(
             Representation representation = details.representation();
             FieldIndex index = FieldIndex::ForPropertyIndex(
                 *map, details.field_index(), representation);
-            prop_value = JSObject::FastPropertyAt(from, representation, index);
+            prop_value =
+                JSObject::FastPropertyAt(isolate, from, representation, index);
           }
         } else {
           LookupIterator it(isolate, from, next_key,
@@ -2042,8 +2043,8 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastGetOwnValuesOrEntries(
           Representation representation = details.representation();
           FieldIndex field_index = FieldIndex::ForPropertyIndex(
               *map, details.field_index(), representation);
-          prop_value =
-              JSObject::FastPropertyAt(object, representation, field_index);
+          prop_value = JSObject::FastPropertyAt(isolate, object, representation,
+                                                field_index);
         }
       } else {
         LookupIterator it(isolate, object, next_key,
@@ -4301,10 +4302,10 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
   return Just(true);
 }
 
-Handle<Object> JSObject::FastPropertyAt(Handle<JSObject> object,
+Handle<Object> JSObject::FastPropertyAt(Isolate* isolate,
+                                        Handle<JSObject> object,
                                         Representation representation,
                                         FieldIndex index) {
-  Isolate* isolate = object->GetIsolate();
   Handle<Object> raw_value(object->RawFastPropertyAt(index), isolate);
   return Object::WrapForRead(isolate, raw_value, representation);
 }

src/objects/js-objects.h

@@ -675,7 +675,8 @@ class JSObject : public TorqueGeneratedJSObject<JSObject, JSReceiver> {
                                                      Heap* heap);
 
   // Access fast-case object properties at index.
-  static Handle<Object> FastPropertyAt(Handle<JSObject> object,
+  static Handle<Object> FastPropertyAt(Isolate* isolate,
+                                       Handle<JSObject> object,
                                        Representation representation,
                                        FieldIndex index);
   inline Object RawFastPropertyAt(FieldIndex index) const;

src/objects/lookup.cc

@@ -926,8 +926,8 @@ Handle<Object> LookupIterator::FetchValue(
         field_index.is_inobject() && field_index.is_double()) {
       return isolate_->factory()->undefined_value();
     }
-    return JSObject::FastPropertyAt(holder, property_details_.representation(),
-                                    field_index);
+    return JSObject::FastPropertyAt(
+        isolate_, holder, property_details_.representation(), field_index);
   } else {
     result =
         holder_->map(isolate_).instance_descriptors(isolate_).GetStrongValue(

src/objects/property-descriptor.cc

@@ -63,7 +63,7 @@ bool ToPropertyDescriptorFastPath(Isolate* isolate, Handle<JSReceiver> obj,
     Handle<Object> value;
     if (details.location() == PropertyLocation::kField) {
       if (details.kind() == PropertyKind::kData) {
-        value = JSObject::FastPropertyAt(Handle<JSObject>::cast(obj),
+        value = JSObject::FastPropertyAt(isolate, Handle<JSObject>::cast(obj),
                                          details.representation(),
                                          FieldIndex::ForDescriptor(*map, i));
       } else {

src/objects/value-serializer.cc

@@ -635,8 +635,8 @@ Maybe<bool> ValueSerializer::WriteJSObject(Handle<JSObject> object) {
                   details.location() == PropertyLocation::kField)) {
       DCHECK_EQ(PropertyKind::kData, details.kind());
       FieldIndex field_index = FieldIndex::ForDescriptor(*map, i);
-      value = JSObject::FastPropertyAt(object, details.representation(),
-                                       field_index);
+      value = JSObject::FastPropertyAt(isolate_, object,
+                                       details.representation(), field_index);
     } else {
       // This logic should essentially match WriteJSObjectPropertiesSlow.
       // If the property is no longer found, do not serialize it.

src/web-snapshot/web-snapshot.cc

@@ -763,8 +763,8 @@ void WebSnapshotSerializer::DiscoverObject(Handle<JSObject> object) {
     PropertyDetails details =
         map->instance_descriptors(kRelaxedLoad).GetDetails(i);
     FieldIndex field_index = FieldIndex::ForDescriptor(*map, i);
-    Handle<Object> value =
-        JSObject::FastPropertyAt(object, details.representation(), field_index);
+    Handle<Object> value = JSObject::FastPropertyAt(
+        isolate_, object, details.representation(), field_index);
     discovery_queue_.push(value);
   }
 }
@@ -860,8 +860,8 @@ void WebSnapshotSerializer::SerializeObject(Handle<JSObject> object) {
     PropertyDetails details =
         map->instance_descriptors(kRelaxedLoad).GetDetails(i);
     FieldIndex field_index = FieldIndex::ForDescriptor(*map, i);
-    Handle<Object> value =
-        JSObject::FastPropertyAt(object, details.representation(), field_index);
+    Handle<Object> value = JSObject::FastPropertyAt(
+        isolate_, object, details.representation(), field_index);
     WriteValue(value, object_serializer_);
   }
 }