Empty Array prototype elements protection needs to alert on length change.

If the length of the array prototype is changed, be sure to turn off the guarantee that it's elements are empty. This case was missed in https://codereview.chromium.org/1092043002 ("Protect the emptiness of Array prototype elements with a PropertyCell") R=jkummerow@chromium.org BUG=479781 LOG=N Review URL: https://codereview.chromium.org/1099453007 Cr-Commit-Position: refs/heads/master@{#28033}

Empty Array prototype elements protection needs to alert on length change.
If the length of the array prototype is changed, be sure to turn off the guarantee that it's elements are empty. This case was missed in https://codereview.chromium.org/1092043002 ("Protect the emptiness of Array prototype elements with a PropertyCell") R=jkummerow@chromium.org BUG=479781 LOG=N Review URL: https://codereview.chromium.org/1099453007 Cr-Commit-Position: refs/heads/master@{#28033}
df7e09da · mvstanton · Commit bot · ddd3f318 · df7e09da · df7e09da
Commit df7e09da authored Apr 23, 2015 by mvstanton Committed by Commit bot Apr 23, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 7 deletions

isolate.cc src/isolate.cc +7 -6

isolate.h src/isolate.h +3 -0

objects.cc src/objects.cc +4 -1

test-api.cc test/cctest/test-api.cc +2 -0

No files found.
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -2374,16 +2374,18 @@ bool Isolate::use_crankshaft() const {


 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {
-  Handle<PropertyCell> no_elements_cell =
-      handle(heap()->array_protector(), this);
+  PropertyCell* no_elements_cell = heap()->array_protector();
  bool cell_reports_intact = no_elements_cell->value()->IsSmi() &&
                             Smi::cast(no_elements_cell->value())->value() == 1;

 #ifdef DEBUG
  Map* root_array_map =
      get_initial_js_array_map(GetInitialFastElementsKind());
-  JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype());
-  JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype());
+  Context* native_context = context()->native_context();
+  JSObject* initial_array_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX));
+  JSObject* initial_object_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX));

  if (root_array_map == NULL || initial_array_proto == initial_object_proto) {
    // We are in the bootstrapping process, and the entire check sequence
@@ -2426,7 +2428,6 @@ bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {


 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
-  Handle<PropertyCell> array_protector = factory()->array_protector();
  if (IsFastArrayConstructorPrototypeChainIntact() &&
      object->map()->is_prototype_map()) {
    Object* context = heap()->native_contexts_list();
@@ -2436,7 +2437,7 @@ void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) {
              *object ||
          current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) ==
              *object) {
-        PropertyCell::SetValueWithInvalidation(array_protector,
+        PropertyCell::SetValueWithInvalidation(factory()->array_protector(),
                                               handle(Smi::FromInt(0), this));
        break;
      }

--- a/src/isolate.h
+++ b/src/isolate.h
@@ -1021,6 +1021,9 @@ class Isolate {
  // object prototype. Also ensure that changes to prototype chain between
  // Array and Object fire notifications.
  void UpdateArrayProtectorOnSetElement(Handle<JSObject> object);
+  void UpdateArrayProtectorOnSetLength(Handle<JSObject> object) {
+    UpdateArrayProtectorOnSetElement(object);
+  }
  void UpdateArrayProtectorOnSetPrototype(Handle<JSObject> object) {
    UpdateArrayProtectorOnSetElement(object);
  }

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11911,8 +11911,11 @@ Handle<FixedArray> JSObject::SetFastElementsCapacityAndLength(
  DCHECK(!object->HasExternalArrayElements());

  // Allocate a new fast elements backing store.
+  Isolate* isolate = object->GetIsolate();
  Handle<FixedArray> new_elements =
-      object->GetIsolate()->factory()->NewUninitializedFixedArray(capacity);
+      isolate->factory()->NewUninitializedFixedArray(capacity);
+
+  isolate->UpdateArrayProtectorOnSetLength(object);

  ElementsKind elements_kind = object->GetElementsKind();
  ElementsKind new_elements_kind;

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -16682,6 +16682,8 @@ TEST(VerifyArrayPrototypeGuarantees) {
  BreakArrayGuarantees("Object.prototype[3] = 'three';");
  BreakArrayGuarantees("Array.prototype.push(1);");
  BreakArrayGuarantees("Array.prototype.unshift(1);");
+  // Break fast array hole handling by changing length.
+  BreakArrayGuarantees("Array.prototype.length = 30;");
  // Break fast array hole handling by prototype structure changes.
  BreakArrayGuarantees("[].__proto__.__proto__ = { funny: true };");
  // By sending elements to dictionary mode.