Revision: 25076
Author: [email protected]
Date: Mon Nov 3 14:05:57 2014 UTC
Log: Don't double-check elements in the prototype chain in array
builtins
BUG=
[email protected]
Review URL: https://codereview.chromium.org/701513002
https://code.google.com/p/v8/source/detail?r=25076
Modified:
/branches/bleeding_edge/src/builtins.cc
/branches/bleeding_edge/test/mjsunit/array-natives-elements.js
=======================================
--- /branches/bleeding_edge/src/builtins.cc Tue Oct 28 13:53:53 2014 UTC
+++ /branches/bleeding_edge/src/builtins.cc Mon Nov 3 14:05:57 2014 UTC
@@ -200,6 +200,19 @@
iter.Advance();
return iter.IsAtEnd();
}
+
+
+static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap,
+ JSArray* receiver) {
+ if (!FLAG_clever_optimizations) return false;
+ DisallowHeapAllocation no_gc;
+ Context* native_context = heap->isolate()->context()->native_context();
+ JSObject* array_proto =
+ JSObject::cast(native_context->array_function()->prototype());
+ PrototypeIterator iter(heap->isolate(), receiver);
+ return iter.GetCurrent() == array_proto &&
+ ArrayPrototypeHasNoElements(heap, native_context, array_proto);
+}
// Returns empty handle if not applicable.
@@ -213,13 +226,13 @@
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
// If there may be elements accessors in the prototype chain, the fast
path
// cannot be used if there arguments to add to the array.
- if (args != NULL &&
array->map()->DictionaryElementsInPrototypeChainOnly()) {
+ Heap* heap = isolate->heap();
+ if (args != NULL && !IsJSArrayFastElementMovingAllowed(heap, *array)) {
return MaybeHandle<FixedArrayBase>();
}
if (array->map()->is_observed()) return MaybeHandle<FixedArrayBase>();
if (!array->map()->is_extensible()) return MaybeHandle<FixedArrayBase>();
Handle<FixedArrayBase> elms(array->elements(), isolate);
- Heap* heap = isolate->heap();
Map* map = elms->map();
if (map == heap->fixed_array_map()) {
if (args == NULL || array->HasFastObjectElements()) return elms;
@@ -262,19 +275,6 @@
}
return elms;
}
-
-
-static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap,
- JSArray* receiver) {
- if (!FLAG_clever_optimizations) return false;
- DisallowHeapAllocation no_gc;
- Context* native_context = heap->isolate()->context()->native_context();
- JSObject* array_proto =
- JSObject::cast(native_context->array_function()->prototype());
- PrototypeIterator iter(heap->isolate(), receiver);
- return iter.GetCurrent() == array_proto &&
- ArrayPrototypeHasNoElements(heap, native_context, array_proto);
-}
MUST_USE_RESULT static Object* CallJsBuiltin(
@@ -453,8 +453,7 @@
EnsureJSArrayWithWritableFastElements(isolate, receiver, NULL, 0);
Handle<FixedArrayBase> elms_obj;
if (!maybe_elms_obj.ToHandle(&elms_obj) ||
- !IsJSArrayFastElementMovingAllowed(heap,
-
*Handle<JSArray>::cast(receiver))) {
+ !IsJSArrayFastElementMovingAllowed(heap, JSArray::cast(*receiver))) {
return CallJsBuiltin(isolate, "ArrayShift", args);
}
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
@@ -499,11 +498,9 @@
Heap* heap = isolate->heap();
Handle<Object> receiver = args.receiver();
MaybeHandle<FixedArrayBase> maybe_elms_obj =
- EnsureJSArrayWithWritableFastElements(isolate, receiver, NULL, 0);
+ EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 1);
Handle<FixedArrayBase> elms_obj;
- if (!maybe_elms_obj.ToHandle(&elms_obj) ||
- !IsJSArrayFastElementMovingAllowed(heap,
-
*Handle<JSArray>::cast(receiver))) {
+ if (!maybe_elms_obj.ToHandle(&elms_obj)) {
return CallJsBuiltin(isolate, "ArrayUnshift", args);
}
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
@@ -524,9 +521,6 @@
Handle<FixedArray> elms = Handle<FixedArray>::cast(elms_obj);
- JSObject::EnsureCanContainElements(array, &args, 1, to_add,
- DONT_ALLOW_DOUBLE_ELEMENTS);
-
if (new_length > elms->length()) {
// New backing storage is needed.
int capacity = new_length + (new_length >> 1) + 16;
@@ -708,9 +702,7 @@
MaybeHandle<FixedArrayBase> maybe_elms_obj =
EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 3);
Handle<FixedArrayBase> elms_obj;
- if (!maybe_elms_obj.ToHandle(&elms_obj) ||
- !IsJSArrayFastElementMovingAllowed(heap,
-
*Handle<JSArray>::cast(receiver))) {
+ if (!maybe_elms_obj.ToHandle(&elms_obj)) {
return CallJsBuiltin(isolate, "ArraySplice", args);
}
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
=======================================
--- /branches/bleeding_edge/test/mjsunit/array-natives-elements.js Thu Oct
23 18:21:50 2014 UTC
+++ /branches/bleeding_edge/test/mjsunit/array-natives-elements.js Mon Nov
3 14:05:57 2014 UTC
@@ -274,9 +274,7 @@
assertEquals([1,1,2,3], a4);
a4 = [1,2,3];
a4.unshift(1.1);
- // TODO(verwaest): We'll want to support double unshifting as well.
- // assertTrue(%HasFastDoubleElements(a4));
- assertTrue(%HasFastObjectElements(a4));
+ assertTrue(%HasFastDoubleElements(a4));
assertEquals([1.1,1,2,3], a4);
a4 = [1.1,2,3];
a4.unshift(1);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
