Plumb Isolate through SetPrototype

Currently the Isolate is gotten off of the object that the operation is
being performed on. Shared objects return the shared Isolate, which is
incorrect as it shouldn't be used to run JS, nor does it have
HandleScopes open. Plumb the executing Isolate through.

Bug: v8:12547
Change-Id: I4d2c9f5d4d7bc50b3aeb515eb78c08eb1b2a6824
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440902Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78960}

src/api/api.cc

@@ -4591,14 +4591,16 @@ Maybe<bool> v8::Object::SetPrototype(Local<Context> context,
     // We do not allow exceptions thrown while setting the prototype
     // to propagate outside.
     TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
-    auto result = i::JSProxy::SetPrototype(i::Handle<i::JSProxy>::cast(self),
-                                           value_obj, false, i::kThrowOnError);
+    auto result =
+        i::JSProxy::SetPrototype(isolate, i::Handle<i::JSProxy>::cast(self),
+                                 value_obj, false, i::kThrowOnError);
     has_pending_exception = result.IsNothing();
     RETURN_ON_FAILED_EXECUTION_PRIMITIVE(bool);
   } else {
     ENTER_V8_NO_SCRIPT_NO_EXCEPTION(isolate);
-    auto result = i::JSObject::SetPrototype(i::Handle<i::JSObject>::cast(self),
-                                            value_obj, false, i::kThrowOnError);
+    auto result =
+        i::JSObject::SetPrototype(isolate, i::Handle<i::JSObject>::cast(self),
+                                  value_obj, false, i::kThrowOnError);
     if (result.IsNothing()) {
       isolate->clear_pending_exception();
       return Nothing<bool>();

src/builtins/builtins-object.cc

@@ -260,8 +260,9 @@ BUILTIN(ObjectPrototypeSetProto) {
 
   // 4. Let status be ? O.[[SetPrototypeOf]](proto).
   // 5. If status is false, throw a TypeError exception.
-  MAYBE_RETURN(JSReceiver::SetPrototype(receiver, proto, true, kThrowOnError),
-               ReadOnlyRoots(isolate).exception());
+  MAYBE_RETURN(
+      JSReceiver::SetPrototype(isolate, receiver, proto, true, kThrowOnError),
+      ReadOnlyRoots(isolate).exception());
 
   // Return undefined.
   return ReadOnlyRoots(isolate).undefined_value();

src/debug/debug-wasm-objects.cc

@@ -649,7 +649,8 @@ class ContextProxy {
         GetOrCreateInstanceProxy<FunctionsProxy>(isolate, instance);
     JSObject::AddProperty(isolate, object, "functions", functions, FROZEN);
     Handle<JSObject> prototype = ContextProxyPrototype::Create(isolate);
-    JSObject::SetPrototype(object, prototype, false, kDontThrow).Check();
+    JSObject::SetPrototype(isolate, object, prototype, false, kDontThrow)
+        .Check();
     return object;
   }
 };
@@ -1151,8 +1152,8 @@ Handle<ArrayList> AddWasmTableObjectInternalProperties(
   }
   Handle<JSArray> final_entries = isolate->factory()->NewJSArrayWithElements(
       entries, i::PACKED_ELEMENTS, length);
-  JSObject::SetPrototype(final_entries, isolate->factory()->null_value(), false,
-                         kDontThrow)
+  JSObject::SetPrototype(isolate, final_entries,
+                         isolate->factory()->null_value(), false, kDontThrow)
       .Check();
   Handle<String> entries_string =
       isolate->factory()->NewStringFromStaticChars("[[Entries]]");

src/init/bootstrapper.cc

@@ -1438,10 +1438,10 @@ static void InstallError(Isolate* isolate, Handle<JSObject> global,
       isolate->native_context()->set_initial_error_prototype(*prototype);
     } else {
       Handle<JSFunction> global_error = isolate->error_function();
-      CHECK(JSReceiver::SetPrototype(error_fun, global_error, false,
+      CHECK(JSReceiver::SetPrototype(isolate, error_fun, global_error, false,
                                      kThrowOnError)
                 .FromMaybe(false));
-      CHECK(JSReceiver::SetPrototype(prototype,
+      CHECK(JSReceiver::SetPrototype(isolate, prototype,
                                      handle(global_error->prototype(), isolate),
                                      false, kThrowOnError)
                 .FromMaybe(false));
@@ -4057,7 +4057,8 @@ Handle<JSFunction> Genesis::InstallTypedArray(const char* name,
   result->shared().DontAdaptArguments();
   result->shared().set_length(3);
 
-  CHECK(JSObject::SetPrototype(result, typed_array_function, false, kDontThrow)
+  CHECK(JSObject::SetPrototype(isolate(), result, typed_array_function, false,
+                               kDontThrow)
             .FromJust());
 
   Handle<Smi> bytes_per_element(
@@ -4074,8 +4075,8 @@ Handle<JSFunction> Genesis::InstallTypedArray(const char* name,
   DCHECK(result->prototype().IsJSObject());
   Handle<JSObject> prototype(JSObject::cast(result->prototype()), isolate());
 
-  CHECK(JSObject::SetPrototype(prototype, typed_array_prototype, false,
-                               kDontThrow)
+  CHECK(JSObject::SetPrototype(isolate(), prototype, typed_array_prototype,
+                               false, kDontThrow)
             .FromJust());
 
   CHECK_NE(prototype->map().ptr(),

src/objects/js-objects.cc

@@ -2153,14 +2153,15 @@ MaybeHandle<FixedArray> JSReceiver::GetOwnEntries(Handle<JSReceiver> object,
                                try_fast_path, true);
 }
 
-Maybe<bool> JSReceiver::SetPrototype(Handle<JSReceiver> object,
+Maybe<bool> JSReceiver::SetPrototype(Isolate* isolate,
+                                     Handle<JSReceiver> object,
                                      Handle<Object> value, bool from_javascript,
                                      ShouldThrow should_throw) {
   if (object->IsJSProxy()) {
-    return JSProxy::SetPrototype(Handle<JSProxy>::cast(object), value,
+    return JSProxy::SetPrototype(isolate, Handle<JSProxy>::cast(object), value,
                                  from_javascript, should_throw);
   }
-  return JSObject::SetPrototype(Handle<JSObject>::cast(object), value,
+  return JSObject::SetPrototype(isolate, Handle<JSObject>::cast(object), value,
                                 from_javascript, should_throw);
 }
 
@@ -4846,11 +4847,9 @@ void JSObject::InvalidatePrototypeValidityCell(JSGlobalObject global) {
   InvalidateOnePrototypeValidityCellInternal(global.map());
 }
 
-Maybe<bool> JSObject::SetPrototype(Handle<JSObject> object,
+Maybe<bool> JSObject::SetPrototype(Isolate* isolate, Handle<JSObject> object,
                                    Handle<Object> value, bool from_javascript,
                                    ShouldThrow should_throw) {
-  Isolate* isolate = object->GetIsolate();
-
 #ifdef DEBUG
   int size = object->Size();
 #endif

src/objects/js-objects.h

@@ -254,8 +254,8 @@ class JSReceiver : public TorqueGeneratedJSReceiver<JSReceiver, HeapObject> {
 
   // Set the object's prototype (only JSReceiver and null are allowed values).
   V8_EXPORT_PRIVATE V8_WARN_UNUSED_RESULT static Maybe<bool> SetPrototype(
-      Handle<JSReceiver> object, Handle<Object> value, bool from_javascript,
-      ShouldThrow should_throw);
+      Isolate* isolate, Handle<JSReceiver> object, Handle<Object> value,
+      bool from_javascript, ShouldThrow should_throw);
 
   inline static Handle<Object> GetDataProperty(Handle<JSReceiver> object,
                                                Handle<Name> name);
@@ -702,8 +702,8 @@ class JSObject : public TorqueGeneratedJSObject<JSObject, JSReceiver> {
 
   // Set the object's prototype (only JSReceiver and null are allowed values).
   V8_WARN_UNUSED_RESULT static Maybe<bool> SetPrototype(
-      Handle<JSObject> object, Handle<Object> value, bool from_javascript,
-      ShouldThrow should_throw);
+      Isolate* isolate, Handle<JSObject> object, Handle<Object> value,
+      bool from_javascript, ShouldThrow should_throw);
 
   // Makes the object prototype immutable
   // Never called from JavaScript

src/objects/js-proxy.h

@@ -31,8 +31,8 @@ class JSProxy : public TorqueGeneratedJSProxy<JSProxy, JSReceiver> {
 
   // ES6 9.5.2
   V8_WARN_UNUSED_RESULT static Maybe<bool> SetPrototype(
-      Handle<JSProxy> proxy, Handle<Object> value, bool from_javascript,
-      ShouldThrow should_throw);
+      Isolate* isolate, Handle<JSProxy> proxy, Handle<Object> value,
+      bool from_javascript, ShouldThrow should_throw);
   // ES6 9.5.3
   V8_WARN_UNUSED_RESULT static Maybe<bool> IsExtensible(Handle<JSProxy> proxy);
 

src/objects/objects.cc

@@ -5123,10 +5123,9 @@ Maybe<bool> JSArray::SetLength(Handle<JSArray> array, uint32_t new_length) {
 
 // ES6: 9.5.2 [[SetPrototypeOf]] (V)
 // static
-Maybe<bool> JSProxy::SetPrototype(Handle<JSProxy> proxy, Handle<Object> value,
-                                  bool from_javascript,
+Maybe<bool> JSProxy::SetPrototype(Isolate* isolate, Handle<JSProxy> proxy,
+                                  Handle<Object> value, bool from_javascript,
                                   ShouldThrow should_throw) {
-  Isolate* isolate = proxy->GetIsolate();
   STACK_CHECK(isolate, Nothing<bool>());
   Handle<Name> trap_name = isolate->factory()->setPrototypeOf_string();
   // 1. Assert: Either Type(V) is Object or Type(V) is Null.
@@ -5150,7 +5149,7 @@ Maybe<bool> JSProxy::SetPrototype(Handle<JSProxy> proxy, Handle<Object> value,
       Nothing<bool>());
   // 7. If trap is undefined, then return target.[[SetPrototypeOf]]().
   if (trap->IsUndefined(isolate)) {
-    return JSReceiver::SetPrototype(target, value, from_javascript,
+    return JSReceiver::SetPrototype(isolate, target, value, from_javascript,
                                     should_throw);
   }
   // 8. Let booleanTrapResult be ToBoolean(? Call(trap, handler, «target, V»)).

src/runtime/runtime-object.cc

@@ -589,8 +589,9 @@ RUNTIME_FUNCTION(Runtime_InternalSetPrototype) {
   DCHECK_EQ(2, args.length());
   CONVERT_ARG_HANDLE_CHECKED(JSReceiver, obj, 0);
   CONVERT_ARG_HANDLE_CHECKED(Object, prototype, 1);
-  MAYBE_RETURN(JSReceiver::SetPrototype(obj, prototype, false, kThrowOnError),
-               ReadOnlyRoots(isolate).exception());
+  MAYBE_RETURN(
+      JSReceiver::SetPrototype(isolate, obj, prototype, false, kThrowOnError),
+      ReadOnlyRoots(isolate).exception());
   return *obj;
 }
 
@@ -715,8 +716,9 @@ RUNTIME_FUNCTION(Runtime_JSReceiverSetPrototypeOfThrow) {
   CONVERT_ARG_HANDLE_CHECKED(JSReceiver, object, 0);
   CONVERT_ARG_HANDLE_CHECKED(Object, proto, 1);
 
-  MAYBE_RETURN(JSReceiver::SetPrototype(object, proto, true, kThrowOnError),
-               ReadOnlyRoots(isolate).exception());
+  MAYBE_RETURN(
+      JSReceiver::SetPrototype(isolate, object, proto, true, kThrowOnError),
+      ReadOnlyRoots(isolate).exception());
 
   return *object;
 }
@@ -729,7 +731,7 @@ RUNTIME_FUNCTION(Runtime_JSReceiverSetPrototypeOfDontThrow) {
   CONVERT_ARG_HANDLE_CHECKED(Object, proto, 1);
 
   Maybe<bool> result =
-      JSReceiver::SetPrototype(object, proto, true, kDontThrow);
+      JSReceiver::SetPrototype(isolate, object, proto, true, kDontThrow);
   MAYBE_RETURN(result, ReadOnlyRoots(isolate).exception());
   return *isolate->factory()->ToBoolean(result.FromJust());
 }

src/wasm/wasm-js.cc

@@ -673,9 +673,9 @@ bool TransferPrototype(i::Isolate* isolate, i::Handle<i::JSObject> destination,
       i::JSObject::GetPrototype(isolate, source);
   i::Handle<i::HeapObject> prototype;
   if (maybe_prototype.ToHandle(&prototype)) {
-    Maybe<bool> result = i::JSObject::SetPrototype(destination, prototype,
-                                                   /*from_javascript=*/false,
-                                                   internal::kThrowOnError);
+    Maybe<bool> result = i::JSObject::SetPrototype(
+        isolate, destination, prototype,
+        /*from_javascript=*/false, internal::kThrowOnError);
     if (!result.FromJust()) {
       DCHECK(isolate->has_pending_exception());
       return false;
@@ -2931,7 +2931,7 @@ void WasmJs::Install(Isolate* isolate, bool exposed_on_global_object) {
     Handle<Map> function_map = isolate->factory()->CreateSloppyFunctionMap(
         FUNCTION_WITHOUT_PROTOTYPE, MaybeHandle<JSFunction>());
     CHECK(JSObject::SetPrototype(
-              function_proto,
+              isolate, function_proto,
               handle(context->function_function().prototype(), isolate), false,
               kDontThrow)
               .FromJust());

test/cctest/test-concurrent-prototype.cc

@@ -188,8 +188,9 @@ TEST(ProtoWalkBackground_PrototypeChainWrite) {
   sema_started.Wait();
 
   for (int i = 0; i < 20; ++i) {
-    CHECK(JSReceiver::SetPrototype(
-              js_object, i % 2 == 0 ? new_proto : old_proto, false, kDontThrow)
+    CHECK(JSReceiver::SetPrototype(isolate, js_object,
+                                   i % 2 == 0 ? new_proto : old_proto, false,
+                                   kDontThrow)
               .FromJust());
   }