Reviewers: Jakob,

Message:
Hi Jakob,
I missed a case in the array_protector work of yesterday:

Array.prototype.length = 5;

Thanks for the look,
--Michael

Description:
Empty Array prototype elements protection needs to alert on length change.

If the length of the array prototype is changed, be sure to turn off the
guarantee that its elements are empty.

This case was missed in https://codereview.chromium.org/1092043002
("Protect the emptiness of Array prototype elements with a PropertyCell")

[email protected]
BUG=479781
LOG=N

Please review this at https://codereview.chromium.org/1099453007/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+15, -5 lines):
  M src/isolate.h
  M src/isolate.cc
  M src/objects.cc
  M test/cctest/test-api.cc


Index: src/isolate.cc
diff --git a/src/isolate.cc b/src/isolate.cc
index f7a2740ef5a4ab7f3a19be4733950c7ca75cfcba..6263ccb36a31b911b17c55d46261842d11735a2b 100644
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -2374,16 +2374,18 @@ bool Isolate::use_crankshaft() const {


 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() {
-  Handle<PropertyCell> no_elements_cell =
-      handle(heap()->array_protector(), this);
+  PropertyCell* no_elements_cell = heap()->array_protector();
   bool cell_reports_intact = no_elements_cell->value()->IsSmi() &&
Smi::cast(no_elements_cell->value())->value() == 1;

 #ifdef DEBUG
   Map* root_array_map =
       get_initial_js_array_map(GetInitialFastElementsKind());
- JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype());
- JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype());
+  Context* native_context = context()->native_context();
+  JSObject* initial_array_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX));
+  JSObject* initial_object_proto = JSObject::cast(
+      native_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX));

if (root_array_map == NULL || initial_array_proto == initial_object_proto) {
     // We are in the bootstrapping process, and the entire check sequence
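Review bot: The new `PropertyCell* no_elements_cell` at the top of the hunk, like the raw `Map*` and `JSObject*` locals in the DEBUG block, is a bare heap pointer that an allocation (and the GC it can trigger) would invalidate, and nothing in the hunk says the function is meant to be allocation-free. The lines shown here do not allocate, but `IsFastArrayConstructorPrototypeChainIntact` continues past the end of the hunk, so the invariant is not visible from the diff. A one-line comment on the function would make the contract explicit for the next edit, e.g. `// Holds raw heap pointers; this function must not allocate.`, or keep the Handle if allocation is possible later in the body. The `context()->native_context()` lookup is presumably valid at every call site — worth confirming, since it is now dereferenced before the bootstrapping check below.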
Index: src/isolate.h
diff --git a/src/isolate.h b/src/isolate.h
index fb4e069ad4f029a04378283f2029befa469e50be..d10e64b6d129382ccdaf775f5c69b75387bab823 100644
--- a/src/isolate.h
+++ b/src/isolate.h
@@ -1021,6 +1021,9 @@ class Isolate {
   // object prototype. Also ensure that changes to prototype chain between
   // Array and Object fire notifications.
   void UpdateArrayProtectorOnSetElement(Handle<JSObject> object);
+  void UpdateArrayProtectorOnSetLength(Handle<JSObject> object) {
+    UpdateArrayProtectorOnSetElement(object);
+  }
   void UpdateArrayProtectorOnSetPrototype(Handle<JSObject> object) {
     UpdateArrayProtectorOnSetElement(object);
   }
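Review bot: The new `UpdateArrayProtectorOnSetLength` forwarder is undocumented, while the comment block above `UpdateArrayProtectorOnSetElement` (which starts before the hunk) explains when that method must be called. A reader seeing three identically-bodied entry points will not know why the length case exists; a comment tying it to the CL's description would help, e.g. `// Changing the length of an Array/Object prototype can leave it with non-empty elements, so treat it like an element store and invalidate the protector.` Keeping the distinct names is fine as a style choice, since it documents the call site's intent at the caller.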
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 76e97b1b2268193b7eb0da7788e271fb734182c8..e958400f9a278ea670a35c819eb55febc6732bc8 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11898,8 +11898,11 @@ Handle<FixedArray> JSObject::SetFastElementsCapacityAndLength(
   DCHECK(!object->HasExternalArrayElements());

   // Allocate a new fast elements backing store.
+  Isolate* isolate = object->GetIsolate();
   Handle<FixedArray> new_elements =
- object->GetIsolate()->factory()->NewUninitializedFixedArray(capacity);
+      isolate->factory()->NewUninitializedFixedArray(capacity);
+
+  isolate->UpdateArrayProtectorOnSetLength(object);

   ElementsKind elements_kind = object->GetElementsKind();
   ElementsKind new_elements_kind;
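Review bot: The hook `isolate->UpdateArrayProtectorOnSetLength(object);` is placed in `SetFastElementsCapacityAndLength`, which is the fast-elements growth path; if a length change on the prototype can take another route (shrinking the length, or an object already in dictionary mode), that path lies outside this hunk and would not invalidate the protector. This presumes `UpdateArrayProtectorOnSetElement` (defined outside the diff) filters on whether `object` is the relevant prototype, since this function is reached for ordinary arrays too — confirm, otherwise every capacity change pays that cost. The test-api.cc hunk covers only the growing case (`Array.prototype.length = 30;`), so the other routes are untested. A short comment at the call would also help: `// A length change on a prototype may make its elements non-empty; invalidate the array protector.`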
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index 7954598c60b14782bb45bd3ffb805b8c284e5c35..32420d1fa4507bc1413ee425df2dde84cc3ff5f1 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -16684,6 +16684,8 @@ TEST(VerifyArrayPrototypeGuarantees) {
   BreakArrayGuarantees("Object.prototype[3] = 'three';");
   BreakArrayGuarantees("Array.prototype.push(1);");
   BreakArrayGuarantees("Array.prototype.unshift(1);");
+  // Break fast array hole handling by changing length.
+  BreakArrayGuarantees("Array.prototype.length = 30;");
   // Break fast array hole handling by prototype structure changes.
   BreakArrayGuarantees("[].__proto__.__proto__ = { funny: true };");
   // By sending elements to dictionary mode.

