Make frozen/sealed elements kinds disablable

Bug: chromium:972921 Change-Id: Ieb13c2f18714abc60aeb4a6a77c1e43b88681f43 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1667005Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#62280}

Make frozen/sealed elements kinds disablable
Bug: chromium:972921 Change-Id: Ieb13c2f18714abc60aeb4a6a77c1e43b88681f43 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1667005Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#62280}
de6382df · Igor Sheludko · Commit Bot · 7325d4ae · de6382df · de6382df
Commit de6382df authored Jun 19, 2019 by Igor Sheludko Committed by Commit Bot Jun 19, 2019
4 changed files
--- a/src/builtins/builtins-handler-gen.cc
+++ b/src/builtins/builtins-handler-gen.cc
@@ -303,11 +303,17 @@ void HandlerBuiltinsAssembler::DispatchByElementsKind(
  Switch(elements_kind, &if_unknown_type, elements_kinds, elements_kind_labels,
         arraysize(elements_kinds));

-#define ELEMENTS_KINDS_CASE(KIND) \
-  BIND(&if_##KIND);               \
-  {                               \
-    case_function(KIND);          \
-    Goto(&next);                  \
+#define ELEMENTS_KINDS_CASE(KIND)                                \
+  BIND(&if_##KIND);                                              \
+  {                                                              \
+    if (!FLAG_enable_sealed_frozen_elements_kind &&              \
+        IsFrozenOrSealedElementsKindUnchecked(KIND)) {           \
+      /* Disable support for frozen or sealed elements kinds. */ \
+      Unreachable();                                             \
+    } else {                                                     \
+      case_function(KIND);                                       \
+      Goto(&next);                                               \
+    }                                                            \
  }
  ELEMENTS_KINDS(ELEMENTS_KINDS_CASE)
 #undef ELEMENTS_KINDS_CASE

--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@@ -358,8 +358,8 @@ DEFINE_BOOL(enable_one_shot_optimization, true,
            "only be executed once")

 // Flag for sealed, frozen elements kind instead of dictionary elements kind
-DEFINE_BOOL(enable_sealed_frozen_elements_kind, true,
-            "Enable sealed, frozen elements kind")
+DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true,
+                     "Enable sealed, frozen elements kind")

 // Flags for data representation optimizations
 DEFINE_BOOL(unbox_double_arrays, true, "automatically unbox arrays of doubles")

--- a/src/objects/elements-kind.h
+++ b/src/objects/elements-kind.h
@@ -155,10 +155,15 @@ inline bool IsDoubleOrFloatElementsKind(ElementsKind kind) {
  return IsDoubleElementsKind(kind) || IsFixedFloatElementsKind(kind);
 }

+// This predicate is used for disabling respective functionality in builtins.
+inline bool IsFrozenOrSealedElementsKindUnchecked(ElementsKind kind) {
+  return IsInRange(kind, PACKED_SEALED_ELEMENTS, HOLEY_FROZEN_ELEMENTS);
+}
+
 inline bool IsFrozenOrSealedElementsKind(ElementsKind kind) {
-  DCHECK_IMPLIES(IsInRange(kind, PACKED_SEALED_ELEMENTS, HOLEY_FROZEN_ELEMENTS),
+  DCHECK_IMPLIES(IsFrozenOrSealedElementsKindUnchecked(kind),
                 FLAG_enable_sealed_frozen_elements_kind);
-  return IsInRange(kind, PACKED_SEALED_ELEMENTS, HOLEY_FROZEN_ELEMENTS);
+  return IsFrozenOrSealedElementsKindUnchecked(kind);
 }

 inline bool IsSealedElementsKind(ElementsKind kind) {

--- a/test/cctest/test-field-type-tracking.cc
+++ b/test/cctest/test-field-type-tracking.cc
@@ -2249,8 +2249,12 @@ TEST(ElementsKindTransitionFromMapOwningDescriptor) {
  };
  Factory* factory = isolate->factory();
  TestConfig configs[] = {
-      {FROZEN, factory->frozen_symbol(), HOLEY_FROZEN_ELEMENTS},
-      {SEALED, factory->sealed_symbol(), HOLEY_SEALED_ELEMENTS},
+      {FROZEN, factory->frozen_symbol(),
+       FLAG_enable_sealed_frozen_elements_kind ? HOLEY_FROZEN_ELEMENTS
+                                               : DICTIONARY_ELEMENTS},
+      {SEALED, factory->sealed_symbol(),
+       FLAG_enable_sealed_frozen_elements_kind ? HOLEY_SEALED_ELEMENTS
+                                               : DICTIONARY_ELEMENTS},
      {NONE, factory->nonextensible_symbol(), DICTIONARY_ELEMENTS}};
  for (size_t i = 0; i < arraysize(configs); i++) {
    TestGeneralizeFieldWithSpecialTransition(
@@ -2311,8 +2315,12 @@ TEST(ElementsKindTransitionFromMapNotOwningDescriptor) {
  };
  Factory* factory = isolate->factory();
  TestConfig configs[] = {
-      {FROZEN, factory->frozen_symbol(), HOLEY_FROZEN_ELEMENTS},
-      {SEALED, factory->sealed_symbol(), HOLEY_SEALED_ELEMENTS},
+      {FROZEN, factory->frozen_symbol(),
+       FLAG_enable_sealed_frozen_elements_kind ? HOLEY_FROZEN_ELEMENTS
+                                               : DICTIONARY_ELEMENTS},
+      {SEALED, factory->sealed_symbol(),
+       FLAG_enable_sealed_frozen_elements_kind ? HOLEY_SEALED_ELEMENTS
+                                               : DICTIONARY_ELEMENTS},
      {NONE, factory->nonextensible_symbol(), DICTIONARY_ELEMENTS}};
  for (size_t i = 0; i < arraysize(configs); i++) {
    TestGeneralizeFieldWithSpecialTransition(