[protectors] Move ArrayConstructorProtector to Protectors

Also converts ACP from a Cell to a PropertyCell. Bug: v8:9463 Change-Id: I6cd26d4e4fd8869a17bf75f83cc177524f8082d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795742Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Joshua Litt <joshualitt@chromium.org> Cr-Commit-Position: refs/heads/master@{#63675}

[protectors] Move ArrayConstructorProtector to Protectors
Also converts ACP from a Cell to a PropertyCell. Bug: v8:9463 Change-Id: I6cd26d4e4fd8869a17bf75f83cc177524f8082d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795742Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Joshua Litt <joshualitt@chromium.org> Cr-Commit-Position: refs/heads/master@{#63675}
d7acd6ac · Joshua Litt · Commit Bot · 0f704b10 · d7acd6ac · d7acd6ac
Commit d7acd6ac authored Sep 10, 2019 by Joshua Litt Committed by Commit Bot Sep 11, 2019
10 changed files
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -640,7 +640,7 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
    allocation = dependencies()->DependOnPretenureMode(*site_ref);
    dependencies()->DependOnElementsKind(*site_ref);
  } else {
-    CellRef array_constructor_protector(
+    PropertyCellRef array_constructor_protector(
        broker(), factory()->array_constructor_protector());
    can_inline_call =
        array_constructor_protector.value().AsSmi() == Isolate::kProtectorValid;

--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -2517,7 +2517,9 @@ void JSHeapBroker::InitializeAndStartSerializing(
  GetOrCreateData(f->array_buffer_detaching_protector())
      ->AsPropertyCell()
      ->Serialize(this);
-  GetOrCreateData(f->array_constructor_protector())->AsCell()->Serialize(this);
+  GetOrCreateData(f->array_constructor_protector())
+      ->AsPropertyCell()
+      ->Serialize(this);
  GetOrCreateData(f->array_iterator_protector())
      ->AsPropertyCell()
      ->Serialize(this);

--- a/src/execution/isolate-inl.h
+++ b/src/execution/isolate-inl.h
@@ -113,12 +113,6 @@ Isolate::ExceptionScope::~ExceptionScope() {
 NATIVE_CONTEXT_FIELDS(NATIVE_CONTEXT_FIELD_ACCESSOR)
 #undef NATIVE_CONTEXT_FIELD_ACCESSOR

-bool Isolate::IsArrayConstructorIntact() {
-  Cell array_constructor_cell =
-      Cell::cast(root(RootIndex::kArrayConstructorProtector));
-  return array_constructor_cell.value() == Smi::FromInt(kProtectorValid);
-}
-
 bool Isolate::IsStringLengthOverflowIntact() {
  Cell string_length_cell = Cell::cast(root(RootIndex::kStringLengthProtector));
  return string_length_cell.value() == Smi::FromInt(kProtectorValid);

--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@@ -3989,17 +3989,6 @@ void Isolate::InvalidateIsConcatSpreadableProtector() {
  DCHECK(!IsIsConcatSpreadableLookupChainIntact());
 }

-void Isolate::InvalidateArrayConstructorProtector() {
-  DCHECK(factory()->array_constructor_protector()->value().IsSmi());
-  DCHECK(IsArrayConstructorIntact());
-  if (FLAG_trace_protector_invalidation) {
-    TraceProtectorInvalidation("array_constructor_protector");
-  }
-  factory()->array_constructor_protector()->set_value(
-      Smi::FromInt(kProtectorInvalid));
-  DCHECK(!IsArrayConstructorIntact());
-}
-
 void Isolate::InvalidateStringLengthOverflowProtector() {
  DCHECK(factory()->string_length_protector()->value().IsSmi());
  DCHECK(IsStringLengthOverflowIntact());

--- a/src/execution/isolate.h
+++ b/src/execution/isolate.h
@@ -1166,8 +1166,6 @@ class Isolate final : private HiddenFactory {
  static const int kProtectorValid = 1;
  static const int kProtectorInvalid = 0;

-  inline bool IsArrayConstructorIntact();
-
  // The version with an explicit context parameter can be used when
  // Isolate::context is not set up, e.g. when calling directly into C++ from
  // CSA.

--- a/src/execution/protectors.h
+++ b/src/execution/protectors.h
@@ -18,11 +18,12 @@ class Protectors : public AllStatic {
 #define DECLARED_PROTECTORS_ON_NATIVE_CONTEXT(V) \
  V(RegExpSpeciesLookupChainProtector, regexp_species_protector)

-#define DECLARED_PROTECTORS_ON_ISOLATE(V)                                    \
-  V(ArraySpeciesLookupChain, ArraySpeciesProtector, array_species_protector) \
-  V(PromiseSpeciesLookupChain, PromiseSpeciesProtector,                      \
-    promise_species_protector)                                               \
-  V(TypedArraySpeciesLookupChain, TypedArraySpeciesProtector,                \
+#define DECLARED_PROTECTORS_ON_ISOLATE(V)                                     \
+  V(ArraySpeciesLookupChain, ArraySpeciesProtector, array_species_protector)  \
+  V(ArrayConstructor, ArrayConstructorProtector, array_constructor_protector) \
+  V(PromiseSpeciesLookupChain, PromiseSpeciesProtector,                       \
+    promise_species_protector)                                                \
+  V(TypedArraySpeciesLookupChain, TypedArraySpeciesProtector,                 \
    typed_array_species_protector)

 #define DECLARE_PROTECTOR_ON_NATIVE_CONTEXT(name, unused_cell)               \

--- a/src/heap/setup-heap-internal.cc
+++ b/src/heap/setup-heap-internal.cc
@@ -840,9 +840,12 @@ void Heap::CreateInitialObjects() {
  script->set_origin_options(ScriptOriginOptions(true, false));
  set_empty_script(*script);

-  Handle<Cell> array_constructor_cell = factory->NewCell(
-      handle(Smi::FromInt(Isolate::kProtectorValid), isolate()));
-  set_array_constructor_protector(*array_constructor_cell);
+  {
+    Handle<PropertyCell> cell =
+        factory->NewPropertyCell(factory->empty_string());
+    cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
+    set_array_constructor_protector(*cell);
+  }

  Handle<PropertyCell> cell = factory->NewPropertyCell(factory->empty_string());
  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));

--- a/src/roots/roots.h
+++ b/src/roots/roots.h
@@ -216,7 +216,7 @@ class Symbol;
  V(FeedbackCell, many_closures_cell, ManyClosuresCell)                      \
  V(Cell, invalid_prototype_validity_cell, InvalidPrototypeValidityCell)     \
  /* Protectors */                                                           \
-  V(Cell, array_constructor_protector, ArrayConstructorProtector)            \
+  V(PropertyCell, array_constructor_protector, ArrayConstructorProtector)    \
  V(PropertyCell, no_elements_protector, NoElementsProtector)                \
  V(Cell, is_concat_spreadable_protector, IsConcatSpreadableProtector)       \
  V(PropertyCell, array_species_protector, ArraySpeciesProtector)            \

--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -5,6 +5,7 @@
 #include "src/debug/debug.h"
 #include "src/execution/arguments-inl.h"
 #include "src/execution/isolate-inl.h"
+#include "src/execution/protectors-inl.h"
 #include "src/heap/factory.h"
 #include "src/heap/heap-inl.h"  // For ToBoolean. TODO(jkummerow): Drop.
 #include "src/heap/heap-write-barrier-inl.h"
@@ -136,8 +137,8 @@ RUNTIME_FUNCTION(Runtime_NewArray) {
      // just flip the bit on the global protector cell instead.
      // TODO(bmeurer): Find a better way to mark this. Global protectors
      // tend to back-fire over time...
-      if (isolate->IsArrayConstructorIntact()) {
-        isolate->InvalidateArrayConstructorProtector();
+      if (Protectors::IsArrayConstructorIntact(isolate)) {
+        Protectors::InvalidateArrayConstructor(isolate);
      }
    }
  }

--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -404,24 +404,24 @@ KNOWN_OBJECTS = {
  ("old_space", 0x00669): "EmptyScript",
  ("old_space", 0x006e9): "ManyClosuresCell",
  ("old_space", 0x00701): "ArrayConstructorProtector",
-  ("old_space", 0x00711): "NoElementsProtector",
-  ("old_space", 0x00739): "IsConcatSpreadableProtector",
-  ("old_space", 0x00749): "ArraySpeciesProtector",
-  ("old_space", 0x00771): "TypedArraySpeciesProtector",
-  ("old_space", 0x00799): "PromiseSpeciesProtector",
-  ("old_space", 0x007c1): "StringLengthProtector",
-  ("old_space", 0x007d1): "ArrayIteratorProtector",
-  ("old_space", 0x007f9): "ArrayBufferDetachingProtector",
-  ("old_space", 0x00821): "PromiseHookProtector",
-  ("old_space", 0x00849): "PromiseResolveProtector",
-  ("old_space", 0x00859): "MapIteratorProtector",
-  ("old_space", 0x00881): "PromiseThenProtector",
-  ("old_space", 0x008a9): "SetIteratorProtector",
-  ("old_space", 0x008d1): "StringIteratorProtector",
-  ("old_space", 0x008f9): "SingleCharacterStringCache",
-  ("old_space", 0x01109): "StringSplitCache",
-  ("old_space", 0x01919): "RegExpMultipleCache",
-  ("old_space", 0x02129): "BuiltinsConstantsTable",
+  ("old_space", 0x00729): "NoElementsProtector",
+  ("old_space", 0x00751): "IsConcatSpreadableProtector",
+  ("old_space", 0x00761): "ArraySpeciesProtector",
+  ("old_space", 0x00789): "TypedArraySpeciesProtector",
+  ("old_space", 0x007b1): "PromiseSpeciesProtector",
+  ("old_space", 0x007d9): "StringLengthProtector",
+  ("old_space", 0x007e9): "ArrayIteratorProtector",
+  ("old_space", 0x00811): "ArrayBufferDetachingProtector",
+  ("old_space", 0x00839): "PromiseHookProtector",
+  ("old_space", 0x00861): "PromiseResolveProtector",
+  ("old_space", 0x00871): "MapIteratorProtector",
+  ("old_space", 0x00899): "PromiseThenProtector",
+  ("old_space", 0x008c1): "SetIteratorProtector",
+  ("old_space", 0x008e9): "StringIteratorProtector",
+  ("old_space", 0x00911): "SingleCharacterStringCache",
+  ("old_space", 0x01121): "StringSplitCache",
+  ("old_space", 0x01931): "RegExpMultipleCache",
+  ("old_space", 0x02141): "BuiltinsConstantsTable",
 }

 # List of known V8 Frame Markers.