Allow JSArray fast moving elements even if the array's proto isn't...

Allow JSArray fast moving elements even if the array's proto isn't Array.prototype in original state
Otherwise array builtins don't work on internal arrays.

BUG=v8:3681
LOG=n
R=machenbach@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/706703005

Cr-Commit-Position: refs/heads/master@{#25190}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25190 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/builtins.cc

@@ -182,23 +182,16 @@ static void MoveDoubleElements(FixedDoubleArray* dst, int dst_index,
 }
 
 
-static bool ArrayPrototypeHasNoElements(Heap* heap,
-                                        Context* native_context,
-                                        JSObject* array_proto) {
+static bool ArrayPrototypeHasNoElements(Heap* heap, PrototypeIterator* iter) {
   DisallowHeapAllocation no_gc;
-  // This method depends on non writability of Object and Array prototype
-  // fields.
-  if (array_proto->elements() != heap->empty_fixed_array()) return false;
-  // Object.prototype
-  PrototypeIterator iter(heap->isolate(), array_proto);
-  if (iter.IsAtEnd()) {
-    return false;
+  for (; !iter->IsAtEnd(); iter->Advance()) {
+    if (iter->GetCurrent()->IsJSProxy()) return false;
+    if (JSObject::cast(iter->GetCurrent())->elements() !=
+        heap->empty_fixed_array()) {
+      return false;
+    }
   }
-  array_proto = JSObject::cast(iter.GetCurrent());
-  if (array_proto != native_context->initial_object_prototype()) return false;
-  if (array_proto->elements() != heap->empty_fixed_array()) return false;
-  iter.Advance();
-  return iter.IsAtEnd();
+  return true;
 }
 
 
@@ -206,12 +199,8 @@ static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap,
                                                      JSArray* receiver) {
   if (!FLAG_clever_optimizations) return false;
   DisallowHeapAllocation no_gc;
-  Context* native_context = heap->isolate()->context()->native_context();
-  JSObject* array_proto =
-      JSObject::cast(native_context->array_function()->prototype());
   PrototypeIterator iter(heap->isolate(), receiver);
-  return iter.GetCurrent() == array_proto &&
-         ArrayPrototypeHasNoElements(heap, native_context, array_proto);
+  return ArrayPrototypeHasNoElements(heap, &iter);
 }
 
 
@@ -920,9 +909,10 @@ BUILTIN(ArrayConcat) {
     DisallowHeapAllocation no_gc;
     Heap* heap = isolate->heap();
     Context* native_context = isolate->context()->native_context();
-    JSObject* array_proto =
-        JSObject::cast(native_context->array_function()->prototype());
-    if (!ArrayPrototypeHasNoElements(heap, native_context, array_proto)) {
+    Object* array_proto = native_context->array_function()->prototype();
+    PrototypeIterator iter(isolate, array_proto,
+                           PrototypeIterator::START_AT_RECEIVER);
+    if (!ArrayPrototypeHasNoElements(heap, &iter)) {
       AllowHeapAllocation allow_allocation;
       return CallJsBuiltin(isolate, "ArrayConcatJS", args);
     }

test/mjsunit/mjsunit.status

@@ -74,16 +74,13 @@
 
   # Some tests are just too slow to run for now.
   'bit-not': [PASS, NO_VARIANTS],
+  'json2': [PASS, NO_VARIANTS],
   'packed-elements': [PASS, NO_VARIANTS],
   'unbox-double-arrays': [PASS, NO_VARIANTS],
   'whitespaces': [PASS, NO_VARIANTS],
   'compiler/osr-assert': [PASS, NO_VARIANTS],
   'regress/regress-2185-2': [PASS, NO_VARIANTS],
 
-  # BUG(3681). Skipping in 64 bits debug is part of the bug report.
-  # Running no variants was the default.
-  'json2': [PASS, NO_VARIANTS, ['mode == debug and (arch == x64 or arch == arm64 or arch == android_arm64 or arch == mips64el)', SKIP]],
-
   # Issue 3660: Replacing activated TurboFan frames by unoptimized code does
   # not work, but we expect it to not crash.
   'debug-step-turbofan': [PASS, FAIL],