[runtime] Filter out non-JSObject prototypes when eliding iteration.

We assumed that every JSArray would have a JSObject as a prototype, but it could be null, in which case we bail out to slow path. Also rename spread_array variable here, because this fast-path isn't just used by spreads anymore. Bug: chromium:707675 Change-Id: I8045d83977735dd00c3ebde2e0704f6b04afdedd Reviewed-on: https://chromium-review.googlesource.com/472907Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#44531}

[runtime] Filter out non-JSObject prototypes when eliding iteration.
We assumed that every JSArray would have a JSObject as a prototype, but it could be null, in which case we bail out to slow path. Also rename spread_array variable here, because this fast-path isn't just used by spreads anymore. Bug: chromium:707675 Change-Id: I8045d83977735dd00c3ebde2e0704f6b04afdedd Reviewed-on: https://chromium-review.googlesource.com/472907Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#44531}
e00dd8eb · Peter Marshall · Commit Bot · 751e8935 · e00dd8eb · e00dd8eb
Commit e00dd8eb authored Apr 10, 2017 by Peter Marshall Committed by Commit Bot Apr 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 4 deletions

objects.cc src/objects.cc +5 -4

regress-707675.js test/mjsunit/regress/regress-707675.js +8 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2360,11 +2360,12 @@ MUST_USE_RESULT MaybeHandle<Object> Object::SpeciesConstructor(
 bool Object::IterationHasObservableEffects() {
  // Check that this object is an array.
  if (!IsJSArray()) return true;
-  JSArray* spread_array = JSArray::cast(this);
-  Isolate* isolate = spread_array->GetIsolate();
+  JSArray* array = JSArray::cast(this);
+  Isolate* isolate = array->GetIsolate();

  // Check that we have the original ArrayPrototype.
-  JSObject* array_proto = JSObject::cast(spread_array->map()->prototype());
+  if (!array->map()->prototype()->IsJSObject()) return true;
+  JSObject* array_proto = JSObject::cast(array->map()->prototype());
  if (!isolate->is_initial_array_prototype(array_proto)) return true;

  // Check that the ArrayPrototype hasn't been modified in a way that would
@@ -2379,7 +2380,7 @@ bool Object::IterationHasObservableEffects() {

  // For FastPacked kinds, iteration will have the same effect as simply
  // accessing each property in order.
-  ElementsKind array_kind = spread_array->GetElementsKind();
+  ElementsKind array_kind = array->GetElementsKind();
  if (IsFastPackedElementsKind(array_kind)) return false;

  // For FastHoley kinds, an element access on a hole would cause a lookup on

--- a/test/mjsunit/regress/regress-707675.js
+++ b/test/mjsunit/regress/regress-707675.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+Array.prototype.__proto__ = null;
+new Uint8Array(Array.prototype);