1 // Copyright 2016 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "src/builtins/builtins-utils-inl.h"
6 #include "src/builtins/builtins.h"
7 #include "src/code-factory.h"
8 #include "src/code-stub-assembler.h"
9 #include "src/contexts.h"
10 #include "src/counters.h"
11 #include "src/debug/debug.h"
12 #include "src/elements-inl.h"
13 #include "src/global-handles.h"
14 #include "src/isolate.h"
15 #include "src/lookup.h"
16 #include "src/objects-inl.h"
17 #include "src/objects/hash-table-inl.h"
18 #include "src/objects/js-array-inl.h"
19 #include "src/prototype.h"
20
21 namespace v8 {
22 namespace internal {
23
24 namespace {
25
ClampedToInteger(Isolate * isolate,Object * object,int * out)26 inline bool ClampedToInteger(Isolate* isolate, Object* object, int* out) {
27 // This is an extended version of ECMA-262 7.1.11 handling signed values
28 // Try to convert object to a number and clamp values to [kMinInt, kMaxInt]
29 if (object->IsSmi()) {
30 *out = Smi::ToInt(object);
31 return true;
32 } else if (object->IsHeapNumber()) {
33 double value = HeapNumber::cast(object)->value();
34 if (std::isnan(value)) {
35 *out = 0;
36 } else if (value > kMaxInt) {
37 *out = kMaxInt;
38 } else if (value < kMinInt) {
39 *out = kMinInt;
40 } else {
41 *out = static_cast<int>(value);
42 }
43 return true;
44 } else if (object->IsNullOrUndefined(isolate)) {
45 *out = 0;
46 return true;
47 } else if (object->IsBoolean()) {
48 *out = object->IsTrue(isolate);
49 return true;
50 }
51 return false;
52 }
53
IsJSArrayFastElementMovingAllowed(Isolate * isolate,JSArray * receiver)54 inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,
55 JSArray* receiver) {
56 return JSObject::PrototypeHasNoElements(isolate, receiver);
57 }
58
HasSimpleElements(JSObject * current)59 inline bool HasSimpleElements(JSObject* current) {
60 return !current->map()->IsCustomElementsReceiverMap() &&
61 !current->GetElementsAccessor()->HasAccessors(current);
62 }
63
HasOnlySimpleReceiverElements(Isolate * isolate,JSObject * receiver)64 inline bool HasOnlySimpleReceiverElements(Isolate* isolate,
65 JSObject* receiver) {
66 // Check that we have no accessors on the receiver's elements.
67 if (!HasSimpleElements(receiver)) return false;
68 return JSObject::PrototypeHasNoElements(isolate, receiver);
69 }
70
HasOnlySimpleElements(Isolate * isolate,JSReceiver * receiver)71 inline bool HasOnlySimpleElements(Isolate* isolate, JSReceiver* receiver) {
72 DisallowHeapAllocation no_gc;
73 PrototypeIterator iter(isolate, receiver, kStartAtReceiver);
74 for (; !iter.IsAtEnd(); iter.Advance()) {
75 if (iter.GetCurrent()->IsJSProxy()) return false;
76 JSObject* current = iter.GetCurrent<JSObject>();
77 if (!HasSimpleElements(current)) return false;
78 }
79 return true;
80 }
81
82 // Returns |false| if not applicable.
83 // TODO(szuend): Refactor this function because it is getting hard to
84 // understand what each call-site actually checks.
85 V8_WARN_UNUSED_RESULT
EnsureJSArrayWithWritableFastElements(Isolate * isolate,Handle<Object> receiver,BuiltinArguments * args,int first_arg_index,int num_arguments)86 inline bool EnsureJSArrayWithWritableFastElements(Isolate* isolate,
87 Handle<Object> receiver,
88 BuiltinArguments* args,
89 int first_arg_index,
90 int num_arguments) {
91 if (!receiver->IsJSArray()) return false;
92 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
93 ElementsKind origin_kind = array->GetElementsKind();
94 if (IsDictionaryElementsKind(origin_kind)) return false;
95 if (!array->map()->is_extensible()) return false;
96 if (args == nullptr) return true;
97
98 // If there may be elements accessors in the prototype chain, the fast path
99 // cannot be used if there arguments to add to the array.
100 if (!IsJSArrayFastElementMovingAllowed(isolate, *array)) return false;
101
102 // Adding elements to the array prototype would break code that makes sure
103 // it has no elements. Handle that elsewhere.
104 if (isolate->IsAnyInitialArrayPrototype(array)) return false;
105
106 // Need to ensure that the arguments passed in args can be contained in
107 // the array.
108 int args_length = args->length();
109 if (first_arg_index >= args_length) return true;
110
111 if (IsObjectElementsKind(origin_kind)) return true;
112 ElementsKind target_kind = origin_kind;
113 {
114 DisallowHeapAllocation no_gc;
115 int last_arg_index = std::min(first_arg_index + num_arguments, args_length);
116 for (int i = first_arg_index; i < last_arg_index; i++) {
117 Object* arg = (*args)[i];
118 if (arg->IsHeapObject()) {
119 if (arg->IsHeapNumber()) {
120 target_kind = PACKED_DOUBLE_ELEMENTS;
121 } else {
122 target_kind = PACKED_ELEMENTS;
123 break;
124 }
125 }
126 }
127 }
128 if (target_kind != origin_kind) {
129 // Use a short-lived HandleScope to avoid creating several copies of the
130 // elements handle which would cause issues when left-trimming later-on.
131 HandleScope scope(isolate);
132 JSObject::TransitionElementsKind(array, target_kind);
133 }
134 return true;
135 }
136
CallJsIntrinsic(Isolate * isolate,Handle<JSFunction> function,BuiltinArguments args)137 V8_WARN_UNUSED_RESULT static Object* CallJsIntrinsic(
138 Isolate* isolate, Handle<JSFunction> function, BuiltinArguments args) {
139 HandleScope handleScope(isolate);
140 int argc = args.length() - 1;
141 ScopedVector<Handle<Object>> argv(argc);
142 for (int i = 0; i < argc; ++i) {
143 argv[i] = args.at(i + 1);
144 }
145 RETURN_RESULT_OR_FAILURE(
146 isolate,
147 Execution::Call(isolate, function, args.receiver(), argc, argv.start()));
148 }
149
150 // If |index| is Undefined, returns init_if_undefined.
151 // If |index| is negative, returns length + index.
152 // If |index| is positive, returns index.
153 // Returned value is guaranteed to be in the interval of [0, length].
GetRelativeIndex(Isolate * isolate,double length,Handle<Object> index,double init_if_undefined)154 V8_WARN_UNUSED_RESULT Maybe<double> GetRelativeIndex(Isolate* isolate,
155 double length,
156 Handle<Object> index,
157 double init_if_undefined) {
158 double relative_index = init_if_undefined;
159 if (!index->IsUndefined()) {
160 Handle<Object> relative_index_obj;
161 ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, relative_index_obj,
162 Object::ToInteger(isolate, index),
163 Nothing<double>());
164 relative_index = relative_index_obj->Number();
165 }
166
167 if (relative_index < 0) {
168 return Just(std::max(length + relative_index, 0.0));
169 }
170
171 return Just(std::min(relative_index, length));
172 }
173
174 // Returns "length", has "fast-path" for JSArrays.
GetLengthProperty(Isolate * isolate,Handle<JSReceiver> receiver)175 V8_WARN_UNUSED_RESULT Maybe<double> GetLengthProperty(
176 Isolate* isolate, Handle<JSReceiver> receiver) {
177 if (receiver->IsJSArray()) {
178 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
179 double length = array->length()->Number();
180 DCHECK(0 <= length && length <= kMaxSafeInteger);
181
182 return Just(length);
183 }
184
185 Handle<Object> raw_length_number;
186 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
187 isolate, raw_length_number,
188 Object::GetLengthFromArrayLike(isolate, receiver), Nothing<double>());
189 return Just(raw_length_number->Number());
190 }
191
GenericArrayFill(Isolate * isolate,Handle<JSReceiver> receiver,Handle<Object> value,double start,double end)192 V8_WARN_UNUSED_RESULT Object* GenericArrayFill(Isolate* isolate,
193 Handle<JSReceiver> receiver,
194 Handle<Object> value,
195 double start, double end) {
196 // 7. Repeat, while k < final.
197 while (start < end) {
198 // a. Let Pk be ! ToString(k).
199 Handle<String> index = isolate->factory()->NumberToString(
200 isolate->factory()->NewNumber(start));
201
202 // b. Perform ? Set(O, Pk, value, true).
203 RETURN_FAILURE_ON_EXCEPTION(
204 isolate, Object::SetPropertyOrElement(isolate, receiver, index, value,
205 LanguageMode::kStrict));
206
207 // c. Increase k by 1.
208 ++start;
209 }
210
211 // 8. Return O.
212 return *receiver;
213 }
214
TryFastArrayFill(Isolate * isolate,BuiltinArguments * args,Handle<JSReceiver> receiver,Handle<Object> value,double start_index,double end_index)215 V8_WARN_UNUSED_RESULT bool TryFastArrayFill(
216 Isolate* isolate, BuiltinArguments* args, Handle<JSReceiver> receiver,
217 Handle<Object> value, double start_index, double end_index) {
218 // If indices are too large, use generic path since they are stored as
219 // properties, not in the element backing store.
220 if (end_index > kMaxUInt32) return false;
221 if (!receiver->IsJSObject()) return false;
222
223 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, args, 1, 1)) {
224 return false;
225 }
226
227 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
228
229 // If no argument was provided, we fill the array with 'undefined'.
230 // EnsureJSArrayWith... does not handle that case so we do it here.
231 // TODO(szuend): Pass target elements kind to EnsureJSArrayWith... when
232 // it gets refactored.
233 if (args->length() == 1 && array->GetElementsKind() != PACKED_ELEMENTS) {
234 // Use a short-lived HandleScope to avoid creating several copies of the
235 // elements handle which would cause issues when left-trimming later-on.
236 HandleScope scope(isolate);
237 JSObject::TransitionElementsKind(array, PACKED_ELEMENTS);
238 }
239
240 DCHECK_LE(start_index, kMaxUInt32);
241 DCHECK_LE(end_index, kMaxUInt32);
242
243 uint32_t start, end;
244 CHECK(DoubleToUint32IfEqualToSelf(start_index, &start));
245 CHECK(DoubleToUint32IfEqualToSelf(end_index, &end));
246
247 ElementsAccessor* accessor = array->GetElementsAccessor();
248 accessor->Fill(array, value, start, end);
249 return true;
250 }
251 } // namespace
252
BUILTIN(ArrayPrototypeFill)253 BUILTIN(ArrayPrototypeFill) {
254 HandleScope scope(isolate);
255
256 if (isolate->debug_execution_mode() == DebugInfo::kSideEffects) {
257 if (!isolate->debug()->PerformSideEffectCheckForObject(args.receiver())) {
258 return ReadOnlyRoots(isolate).exception();
259 }
260 }
261
262 // 1. Let O be ? ToObject(this value).
263 Handle<JSReceiver> receiver;
264 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
265 isolate, receiver, Object::ToObject(isolate, args.receiver()));
266
267 // 2. Let len be ? ToLength(? Get(O, "length")).
268 double length;
269 MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
270 isolate, length, GetLengthProperty(isolate, receiver));
271
272 // 3. Let relativeStart be ? ToInteger(start).
273 // 4. If relativeStart < 0, let k be max((len + relativeStart), 0);
274 // else let k be min(relativeStart, len).
275 Handle<Object> start = args.atOrUndefined(isolate, 2);
276
277 double start_index;
278 MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
279 isolate, start_index, GetRelativeIndex(isolate, length, start, 0));
280
281 // 5. If end is undefined, let relativeEnd be len;
282 // else let relativeEnd be ? ToInteger(end).
283 // 6. If relativeEnd < 0, let final be max((len + relativeEnd), 0);
284 // else let final be min(relativeEnd, len).
285 Handle<Object> end = args.atOrUndefined(isolate, 3);
286
287 double end_index;
288 MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
289 isolate, end_index, GetRelativeIndex(isolate, length, end, length));
290
291 if (start_index >= end_index) return *receiver;
292
293 // Ensure indexes are within array bounds
294 DCHECK_LE(0, start_index);
295 DCHECK_LE(start_index, end_index);
296 DCHECK_LE(end_index, length);
297
298 Handle<Object> value = args.atOrUndefined(isolate, 1);
299
300 if (TryFastArrayFill(isolate, &args, receiver, value, start_index,
301 end_index)) {
302 return *receiver;
303 }
304 return GenericArrayFill(isolate, receiver, value, start_index, end_index);
305 }
306
307 namespace {
GenericArrayPush(Isolate * isolate,BuiltinArguments * args)308 V8_WARN_UNUSED_RESULT Object* GenericArrayPush(Isolate* isolate,
309 BuiltinArguments* args) {
310 // 1. Let O be ? ToObject(this value).
311 Handle<JSReceiver> receiver;
312 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
313 isolate, receiver, Object::ToObject(isolate, args->receiver()));
314
315 // 2. Let len be ? ToLength(? Get(O, "length")).
316 Handle<Object> raw_length_number;
317 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
318 isolate, raw_length_number,
319 Object::GetLengthFromArrayLike(isolate, receiver));
320
321 // 3. Let args be a List whose elements are, in left to right order,
322 // the arguments that were passed to this function invocation.
323 // 4. Let arg_count be the number of elements in args.
324 int arg_count = args->length() - 1;
325
326 // 5. If len + arg_count > 2^53-1, throw a TypeError exception.
327 double length = raw_length_number->Number();
328 if (arg_count > kMaxSafeInteger - length) {
329 THROW_NEW_ERROR_RETURN_FAILURE(
330 isolate, NewTypeError(MessageTemplate::kPushPastSafeLength,
331 isolate->factory()->NewNumberFromInt(arg_count),
332 raw_length_number));
333 }
334
335 // 6. Repeat, while args is not empty.
336 for (int i = 0; i < arg_count; ++i) {
337 // a. Remove the first element from args and let E be the value of the
338 // element.
339 Handle<Object> element = args->at(i + 1);
340
341 // b. Perform ? Set(O, ! ToString(len), E, true).
342 if (length <= static_cast<double>(JSArray::kMaxArrayIndex)) {
343 RETURN_FAILURE_ON_EXCEPTION(
344 isolate, Object::SetElement(isolate, receiver, length, element,
345 LanguageMode::kStrict));
346 } else {
347 bool success;
348 LookupIterator it = LookupIterator::PropertyOrElement(
349 isolate, receiver, isolate->factory()->NewNumber(length), &success);
350 // Must succeed since we always pass a valid key.
351 DCHECK(success);
352 MAYBE_RETURN(Object::SetProperty(&it, element, LanguageMode::kStrict,
353 Object::MAY_BE_STORE_FROM_KEYED),
354 ReadOnlyRoots(isolate).exception());
355 }
356
357 // c. Let len be len+1.
358 ++length;
359 }
360
361 // 7. Perform ? Set(O, "length", len, true).
362 Handle<Object> final_length = isolate->factory()->NewNumber(length);
363 RETURN_FAILURE_ON_EXCEPTION(
364 isolate, Object::SetProperty(isolate, receiver,
365 isolate->factory()->length_string(),
366 final_length, LanguageMode::kStrict));
367
368 // 8. Return len.
369 return *final_length;
370 }
371 } // namespace
372
BUILTIN(ArrayPush)373 BUILTIN(ArrayPush) {
374 HandleScope scope(isolate);
375 Handle<Object> receiver = args.receiver();
376 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 1,
377 args.length() - 1)) {
378 return GenericArrayPush(isolate, &args);
379 }
380
381 // Fast Elements Path
382 int to_add = args.length() - 1;
383 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
384 uint32_t len = static_cast<uint32_t>(array->length()->Number());
385 if (to_add == 0) return *isolate->factory()->NewNumberFromUint(len);
386
387 // Currently fixed arrays cannot grow too big, so we should never hit this.
388 DCHECK_LE(to_add, Smi::kMaxValue - Smi::ToInt(array->length()));
389
390 if (JSArray::HasReadOnlyLength(array)) {
391 return GenericArrayPush(isolate, &args);
392 }
393
394 ElementsAccessor* accessor = array->GetElementsAccessor();
395 uint32_t new_length = accessor->Push(array, &args, to_add);
396 return *isolate->factory()->NewNumberFromUint((new_length));
397 }
398
399 namespace {
400
GenericArrayPop(Isolate * isolate,BuiltinArguments * args)401 V8_WARN_UNUSED_RESULT Object* GenericArrayPop(Isolate* isolate,
402 BuiltinArguments* args) {
403 // 1. Let O be ? ToObject(this value).
404 Handle<JSReceiver> receiver;
405 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
406 isolate, receiver, Object::ToObject(isolate, args->receiver()));
407
408 // 2. Let len be ? ToLength(? Get(O, "length")).
409 Handle<Object> raw_length_number;
410 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
411 isolate, raw_length_number,
412 Object::GetLengthFromArrayLike(isolate, receiver));
413 double length = raw_length_number->Number();
414
415 // 3. If len is zero, then.
416 if (length == 0) {
417 // a. Perform ? Set(O, "length", 0, true).
418 RETURN_FAILURE_ON_EXCEPTION(
419 isolate, Object::SetProperty(
420 isolate, receiver, isolate->factory()->length_string(),
421 Handle<Smi>(Smi::kZero, isolate), LanguageMode::kStrict));
422
423 // b. Return undefined.
424 return ReadOnlyRoots(isolate).undefined_value();
425 }
426
427 // 4. Else len > 0.
428 // a. Let new_len be len-1.
429 Handle<Object> new_length = isolate->factory()->NewNumber(length - 1);
430
431 // b. Let index be ! ToString(newLen).
432 Handle<String> index = isolate->factory()->NumberToString(new_length);
433
434 // c. Let element be ? Get(O, index).
435 Handle<Object> element;
436 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
437 isolate, element,
438 JSReceiver::GetPropertyOrElement(isolate, receiver, index));
439
440 // d. Perform ? DeletePropertyOrThrow(O, index).
441 MAYBE_RETURN(JSReceiver::DeletePropertyOrElement(receiver, index,
442 LanguageMode::kStrict),
443 ReadOnlyRoots(isolate).exception());
444
445 // e. Perform ? Set(O, "length", newLen, true).
446 RETURN_FAILURE_ON_EXCEPTION(
447 isolate, Object::SetProperty(isolate, receiver,
448 isolate->factory()->length_string(),
449 new_length, LanguageMode::kStrict));
450
451 // f. Return element.
452 return *element;
453 }
454
455 } // namespace
456
BUILTIN(ArrayPop)457 BUILTIN(ArrayPop) {
458 HandleScope scope(isolate);
459 Handle<Object> receiver = args.receiver();
460 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, nullptr, 0,
461 0)) {
462 return GenericArrayPop(isolate, &args);
463 }
464 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
465
466 uint32_t len = static_cast<uint32_t>(array->length()->Number());
467 if (len == 0) return ReadOnlyRoots(isolate).undefined_value();
468
469 if (JSArray::HasReadOnlyLength(array)) {
470 return GenericArrayPop(isolate, &args);
471 }
472
473 Handle<Object> result;
474 if (IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
475 // Fast Elements Path
476 result = array->GetElementsAccessor()->Pop(array);
477 } else {
478 // Use Slow Lookup otherwise
479 uint32_t new_length = len - 1;
480 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
481 isolate, result, JSReceiver::GetElement(isolate, array, new_length));
482 JSArray::SetLength(array, new_length);
483 }
484
485 return *result;
486 }
487
BUILTIN(ArrayShift)488 BUILTIN(ArrayShift) {
489 HandleScope scope(isolate);
490 Heap* heap = isolate->heap();
491 Handle<Object> receiver = args.receiver();
492 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, nullptr, 0,
493 0) ||
494 !IsJSArrayFastElementMovingAllowed(isolate, JSArray::cast(*receiver))) {
495 return CallJsIntrinsic(isolate, isolate->array_shift(), args);
496 }
497 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
498
499 int len = Smi::ToInt(array->length());
500 if (len == 0) return ReadOnlyRoots(heap).undefined_value();
501
502 if (JSArray::HasReadOnlyLength(array)) {
503 return CallJsIntrinsic(isolate, isolate->array_shift(), args);
504 }
505
506 Handle<Object> first = array->GetElementsAccessor()->Shift(array);
507 return *first;
508 }
509
BUILTIN(ArrayUnshift)510 BUILTIN(ArrayUnshift) {
511 HandleScope scope(isolate);
512 Handle<Object> receiver = args.receiver();
513 if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 1,
514 args.length() - 1)) {
515 return CallJsIntrinsic(isolate, isolate->array_unshift(), args);
516 }
517 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
518 int to_add = args.length() - 1;
519 if (to_add == 0) return array->length();
520
521 // Currently fixed arrays cannot grow too big, so we should never hit this.
522 DCHECK_LE(to_add, Smi::kMaxValue - Smi::ToInt(array->length()));
523
524 if (JSArray::HasReadOnlyLength(array)) {
525 return CallJsIntrinsic(isolate, isolate->array_unshift(), args);
526 }
527
528 ElementsAccessor* accessor = array->GetElementsAccessor();
529 int new_length = accessor->Unshift(array, &args, to_add);
530 return Smi::FromInt(new_length);
531 }
532
BUILTIN(ArraySplice)533 BUILTIN(ArraySplice) {
534 HandleScope scope(isolate);
535 Handle<Object> receiver = args.receiver();
536 if (V8_UNLIKELY(
537 !EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 3,
538 args.length() - 3) ||
539 // If this is a subclass of Array, then call out to JS.
540 !Handle<JSArray>::cast(receiver)->HasArrayPrototype(isolate) ||
541 // If anything with @@species has been messed with, call out to JS.
542 !isolate->IsArraySpeciesLookupChainIntact())) {
543 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
544 }
545 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
546
547 int argument_count = args.length() - 1;
548 int relative_start = 0;
549 if (argument_count > 0) {
550 DisallowHeapAllocation no_gc;
551 if (!ClampedToInteger(isolate, args[1], &relative_start)) {
552 AllowHeapAllocation allow_allocation;
553 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
554 }
555 }
556 int len = Smi::ToInt(array->length());
557 // clip relative start to [0, len]
558 int actual_start = (relative_start < 0) ? Max(len + relative_start, 0)
559 : Min(relative_start, len);
560
561 int actual_delete_count;
562 if (argument_count == 1) {
563 // SpiderMonkey, TraceMonkey and JSC treat the case where no delete count is
564 // given as a request to delete all the elements from the start.
565 // And it differs from the case of undefined delete count.
566 // This does not follow ECMA-262, but we do the same for compatibility.
567 DCHECK_GE(len - actual_start, 0);
568 actual_delete_count = len - actual_start;
569 } else {
570 int delete_count = 0;
571 DisallowHeapAllocation no_gc;
572 if (argument_count > 1) {
573 if (!ClampedToInteger(isolate, args[2], &delete_count)) {
574 AllowHeapAllocation allow_allocation;
575 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
576 }
577 }
578 actual_delete_count = Min(Max(delete_count, 0), len - actual_start);
579 }
580
581 int add_count = (argument_count > 1) ? (argument_count - 2) : 0;
582 int new_length = len - actual_delete_count + add_count;
583
584 if (new_length != len && JSArray::HasReadOnlyLength(array)) {
585 AllowHeapAllocation allow_allocation;
586 return CallJsIntrinsic(isolate, isolate->array_splice(), args);
587 }
588 ElementsAccessor* accessor = array->GetElementsAccessor();
589 Handle<JSArray> result_array = accessor->Splice(
590 array, actual_start, actual_delete_count, &args, add_count);
591 return *result_array;
592 }
593
594 // Array Concat -------------------------------------------------------------
595
596 namespace {
597
598 /**
599 * A simple visitor visits every element of Array's.
600 * The backend storage can be a fixed array for fast elements case,
601 * or a dictionary for sparse array. Since Dictionary is a subtype
602 * of FixedArray, the class can be used by both fast and slow cases.
603 * The second parameter of the constructor, fast_elements, specifies
604 * whether the storage is a FixedArray or Dictionary.
605 *
606 * An index limit is used to deal with the situation that a result array
607 * length overflows 32-bit non-negative integer.
608 */
609 class ArrayConcatVisitor {
610 public:
ArrayConcatVisitor(Isolate * isolate,Handle<HeapObject> storage,bool fast_elements)611 ArrayConcatVisitor(Isolate* isolate, Handle<HeapObject> storage,
612 bool fast_elements)
613 : isolate_(isolate),
614 storage_(isolate->global_handles()->Create(*storage)),
615 index_offset_(0u),
616 bit_field_(FastElementsField::encode(fast_elements) |
617 ExceedsLimitField::encode(false) |
618 IsFixedArrayField::encode(storage->IsFixedArray()) |
619 HasSimpleElementsField::encode(
620 storage->IsFixedArray() ||
621 !storage->map()->IsCustomElementsReceiverMap())) {
622 DCHECK(!(this->fast_elements() && !is_fixed_array()));
623 }
624
~ArrayConcatVisitor()625 ~ArrayConcatVisitor() { clear_storage(); }
626
visit(uint32_t i,Handle<Object> elm)627 V8_WARN_UNUSED_RESULT bool visit(uint32_t i, Handle<Object> elm) {
628 uint32_t index = index_offset_ + i;
629
630 if (i >= JSObject::kMaxElementCount - index_offset_) {
631 set_exceeds_array_limit(true);
632 // Exception hasn't been thrown at this point. Return true to
633 // break out, and caller will throw. !visit would imply that
634 // there is already a pending exception.
635 return true;
636 }
637
638 if (!is_fixed_array()) {
639 LookupIterator it(isolate_, storage_, index, LookupIterator::OWN);
640 MAYBE_RETURN(JSReceiver::CreateDataProperty(&it, elm, kThrowOnError),
641 false);
642 return true;
643 }
644
645 if (fast_elements()) {
646 if (index < static_cast<uint32_t>(storage_fixed_array()->length())) {
647 storage_fixed_array()->set(index, *elm);
648 return true;
649 }
650 // Our initial estimate of length was foiled, possibly by
651 // getters on the arrays increasing the length of later arrays
652 // during iteration.
653 // This shouldn't happen in anything but pathological cases.
654 SetDictionaryMode();
655 // Fall-through to dictionary mode.
656 }
657 DCHECK(!fast_elements());
658 Handle<NumberDictionary> dict(NumberDictionary::cast(*storage_), isolate_);
659 // The object holding this backing store has just been allocated, so
660 // it cannot yet be used as a prototype.
661 Handle<JSObject> not_a_prototype_holder;
662 Handle<NumberDictionary> result = NumberDictionary::Set(
663 isolate_, dict, index, elm, not_a_prototype_holder);
664 if (!result.is_identical_to(dict)) {
665 // Dictionary needed to grow.
666 clear_storage();
667 set_storage(*result);
668 }
669 return true;
670 }
671
index_offset() const672 uint32_t index_offset() const { return index_offset_; }
673
increase_index_offset(uint32_t delta)674 void increase_index_offset(uint32_t delta) {
675 if (JSObject::kMaxElementCount - index_offset_ < delta) {
676 index_offset_ = JSObject::kMaxElementCount;
677 } else {
678 index_offset_ += delta;
679 }
680 // If the initial length estimate was off (see special case in visit()),
681 // but the array blowing the limit didn't contain elements beyond the
682 // provided-for index range, go to dictionary mode now.
683 if (fast_elements() &&
684 index_offset_ >
685 static_cast<uint32_t>(FixedArrayBase::cast(*storage_)->length())) {
686 SetDictionaryMode();
687 }
688 }
689
exceeds_array_limit() const690 bool exceeds_array_limit() const {
691 return ExceedsLimitField::decode(bit_field_);
692 }
693
ToArray()694 Handle<JSArray> ToArray() {
695 DCHECK(is_fixed_array());
696 Handle<JSArray> array = isolate_->factory()->NewJSArray(0);
697 Handle<Object> length =
698 isolate_->factory()->NewNumber(static_cast<double>(index_offset_));
699 Handle<Map> map = JSObject::GetElementsTransitionMap(
700 array, fast_elements() ? HOLEY_ELEMENTS : DICTIONARY_ELEMENTS);
701 array->set_length(*length);
702 array->set_elements(*storage_fixed_array());
703 array->synchronized_set_map(*map);
704 return array;
705 }
706
ToJSReceiver()707 V8_WARN_UNUSED_RESULT MaybeHandle<JSReceiver> ToJSReceiver() {
708 DCHECK(!is_fixed_array());
709 Handle<JSReceiver> result = Handle<JSReceiver>::cast(storage_);
710 Handle<Object> length =
711 isolate_->factory()->NewNumber(static_cast<double>(index_offset_));
712 RETURN_ON_EXCEPTION(
713 isolate_,
714 JSReceiver::SetProperty(isolate_, result,
715 isolate_->factory()->length_string(), length,
716 LanguageMode::kStrict),
717 JSReceiver);
718 return result;
719 }
has_simple_elements() const720 bool has_simple_elements() const {
721 return HasSimpleElementsField::decode(bit_field_);
722 }
723
724 private:
725 // Convert storage to dictionary mode.
SetDictionaryMode()726 void SetDictionaryMode() {
727 DCHECK(fast_elements() && is_fixed_array());
728 Handle<FixedArray> current_storage = storage_fixed_array();
729 Handle<NumberDictionary> slow_storage(
730 NumberDictionary::New(isolate_, current_storage->length()));
731 uint32_t current_length = static_cast<uint32_t>(current_storage->length());
732 FOR_WITH_HANDLE_SCOPE(
733 isolate_, uint32_t, i = 0, i, i < current_length, i++, {
734 Handle<Object> element(current_storage->get(i), isolate_);
735 if (!element->IsTheHole(isolate_)) {
736 // The object holding this backing store has just been allocated, so
737 // it cannot yet be used as a prototype.
738 Handle<JSObject> not_a_prototype_holder;
739 Handle<NumberDictionary> new_storage = NumberDictionary::Set(
740 isolate_, slow_storage, i, element, not_a_prototype_holder);
741 if (!new_storage.is_identical_to(slow_storage)) {
742 slow_storage = loop_scope.CloseAndEscape(new_storage);
743 }
744 }
745 });
746 clear_storage();
747 set_storage(*slow_storage);
748 set_fast_elements(false);
749 }
750
clear_storage()751 inline void clear_storage() { GlobalHandles::Destroy(storage_.location()); }
752
set_storage(FixedArray * storage)753 inline void set_storage(FixedArray* storage) {
754 DCHECK(is_fixed_array());
755 DCHECK(has_simple_elements());
756 storage_ = isolate_->global_handles()->Create(storage);
757 }
758
759 class FastElementsField : public BitField<bool, 0, 1> {};
760 class ExceedsLimitField : public BitField<bool, 1, 1> {};
761 class IsFixedArrayField : public BitField<bool, 2, 1> {};
762 class HasSimpleElementsField : public BitField<bool, 3, 1> {};
763
fast_elements() const764 bool fast_elements() const { return FastElementsField::decode(bit_field_); }
set_fast_elements(bool fast)765 void set_fast_elements(bool fast) {
766 bit_field_ = FastElementsField::update(bit_field_, fast);
767 }
set_exceeds_array_limit(bool exceeds)768 void set_exceeds_array_limit(bool exceeds) {
769 bit_field_ = ExceedsLimitField::update(bit_field_, exceeds);
770 }
is_fixed_array() const771 bool is_fixed_array() const { return IsFixedArrayField::decode(bit_field_); }
storage_fixed_array()772 Handle<FixedArray> storage_fixed_array() {
773 DCHECK(is_fixed_array());
774 DCHECK(has_simple_elements());
775 return Handle<FixedArray>::cast(storage_);
776 }
777
778 Isolate* isolate_;
779 Handle<Object> storage_; // Always a global handle.
780 // Index after last seen index. Always less than or equal to
781 // JSObject::kMaxElementCount.
782 uint32_t index_offset_;
783 uint32_t bit_field_;
784 };
785
EstimateElementCount(Isolate * isolate,Handle<JSArray> array)786 uint32_t EstimateElementCount(Isolate* isolate, Handle<JSArray> array) {
787 DisallowHeapAllocation no_gc;
788 uint32_t length = static_cast<uint32_t>(array->length()->Number());
789 int element_count = 0;
790 switch (array->GetElementsKind()) {
791 case PACKED_SMI_ELEMENTS:
792 case HOLEY_SMI_ELEMENTS:
793 case PACKED_ELEMENTS:
794 case HOLEY_ELEMENTS: {
795 // Fast elements can't have lengths that are not representable by
796 // a 32-bit signed integer.
797 DCHECK_GE(static_cast<int32_t>(FixedArray::kMaxLength), 0);
798 int fast_length = static_cast<int>(length);
799 FixedArray* elements = FixedArray::cast(array->elements());
800 for (int i = 0; i < fast_length; i++) {
801 if (!elements->get(i)->IsTheHole(isolate)) element_count++;
802 }
803 break;
804 }
805 case PACKED_DOUBLE_ELEMENTS:
806 case HOLEY_DOUBLE_ELEMENTS: {
807 // Fast elements can't have lengths that are not representable by
808 // a 32-bit signed integer.
809 DCHECK_GE(static_cast<int32_t>(FixedDoubleArray::kMaxLength), 0);
810 int fast_length = static_cast<int>(length);
811 if (array->elements()->IsFixedArray()) {
812 DCHECK_EQ(FixedArray::cast(array->elements())->length(), 0);
813 break;
814 }
815 FixedDoubleArray* elements = FixedDoubleArray::cast(array->elements());
816 for (int i = 0; i < fast_length; i++) {
817 if (!elements->is_the_hole(i)) element_count++;
818 }
819 break;
820 }
821 case DICTIONARY_ELEMENTS: {
822 NumberDictionary* dictionary = NumberDictionary::cast(array->elements());
823 int capacity = dictionary->Capacity();
824 ReadOnlyRoots roots(isolate);
825 for (int i = 0; i < capacity; i++) {
826 Object* key = dictionary->KeyAt(i);
827 if (dictionary->IsKey(roots, key)) {
828 element_count++;
829 }
830 }
831 break;
832 }
833 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
834
835 TYPED_ARRAYS(TYPED_ARRAY_CASE)
836 #undef TYPED_ARRAY_CASE
837 // External arrays are always dense.
838 return length;
839 case NO_ELEMENTS:
840 return 0;
841 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
842 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
843 case FAST_STRING_WRAPPER_ELEMENTS:
844 case SLOW_STRING_WRAPPER_ELEMENTS:
845 UNREACHABLE();
846 }
847 // As an estimate, we assume that the prototype doesn't contain any
848 // inherited elements.
849 return element_count;
850 }
851
CollectElementIndices(Isolate * isolate,Handle<JSObject> object,uint32_t range,std::vector<uint32_t> * indices)852 void CollectElementIndices(Isolate* isolate, Handle<JSObject> object,
853 uint32_t range, std::vector<uint32_t>* indices) {
854 ElementsKind kind = object->GetElementsKind();
855 switch (kind) {
856 case PACKED_SMI_ELEMENTS:
857 case PACKED_ELEMENTS:
858 case HOLEY_SMI_ELEMENTS:
859 case HOLEY_ELEMENTS: {
860 DisallowHeapAllocation no_gc;
861 FixedArray* elements = FixedArray::cast(object->elements());
862 uint32_t length = static_cast<uint32_t>(elements->length());
863 if (range < length) length = range;
864 for (uint32_t i = 0; i < length; i++) {
865 if (!elements->get(i)->IsTheHole(isolate)) {
866 indices->push_back(i);
867 }
868 }
869 break;
870 }
871 case HOLEY_DOUBLE_ELEMENTS:
872 case PACKED_DOUBLE_ELEMENTS: {
873 if (object->elements()->IsFixedArray()) {
874 DCHECK_EQ(object->elements()->length(), 0);
875 break;
876 }
877 Handle<FixedDoubleArray> elements(
878 FixedDoubleArray::cast(object->elements()), isolate);
879 uint32_t length = static_cast<uint32_t>(elements->length());
880 if (range < length) length = range;
881 for (uint32_t i = 0; i < length; i++) {
882 if (!elements->is_the_hole(i)) {
883 indices->push_back(i);
884 }
885 }
886 break;
887 }
888 case DICTIONARY_ELEMENTS: {
889 DisallowHeapAllocation no_gc;
890 NumberDictionary* dict = NumberDictionary::cast(object->elements());
891 uint32_t capacity = dict->Capacity();
892 ReadOnlyRoots roots(isolate);
893 FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, j = 0, j, j < capacity, j++, {
894 Object* k = dict->KeyAt(j);
895 if (!dict->IsKey(roots, k)) continue;
896 DCHECK(k->IsNumber());
897 uint32_t index = static_cast<uint32_t>(k->Number());
898 if (index < range) {
899 indices->push_back(index);
900 }
901 });
902 break;
903 }
904 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
905
906 TYPED_ARRAYS(TYPED_ARRAY_CASE)
907 #undef TYPED_ARRAY_CASE
908 {
909 uint32_t length = static_cast<uint32_t>(
910 FixedArrayBase::cast(object->elements())->length());
911 if (range <= length) {
912 length = range;
913 // We will add all indices, so we might as well clear it first
914 // and avoid duplicates.
915 indices->clear();
916 }
917 for (uint32_t i = 0; i < length; i++) {
918 indices->push_back(i);
919 }
920 if (length == range) return; // All indices accounted for already.
921 break;
922 }
923 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
924 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
925 DisallowHeapAllocation no_gc;
926 FixedArrayBase* elements = object->elements();
927 JSObject* raw_object = *object;
928 ElementsAccessor* accessor = object->GetElementsAccessor();
929 for (uint32_t i = 0; i < range; i++) {
930 if (accessor->HasElement(raw_object, i, elements)) {
931 indices->push_back(i);
932 }
933 }
934 break;
935 }
936 case FAST_STRING_WRAPPER_ELEMENTS:
937 case SLOW_STRING_WRAPPER_ELEMENTS: {
938 DCHECK(object->IsJSValue());
939 Handle<JSValue> js_value = Handle<JSValue>::cast(object);
940 DCHECK(js_value->value()->IsString());
941 Handle<String> string(String::cast(js_value->value()), isolate);
942 uint32_t length = static_cast<uint32_t>(string->length());
943 uint32_t i = 0;
944 uint32_t limit = Min(length, range);
945 for (; i < limit; i++) {
946 indices->push_back(i);
947 }
948 ElementsAccessor* accessor = object->GetElementsAccessor();
949 for (; i < range; i++) {
950 if (accessor->HasElement(*object, i)) {
951 indices->push_back(i);
952 }
953 }
954 break;
955 }
956 case NO_ELEMENTS:
957 break;
958 }
959
960 PrototypeIterator iter(isolate, object);
961 if (!iter.IsAtEnd()) {
962 // The prototype will usually have no inherited element indices,
963 // but we have to check.
964 CollectElementIndices(
965 isolate, PrototypeIterator::GetCurrent<JSObject>(iter), range, indices);
966 }
967 }
968
IterateElementsSlow(Isolate * isolate,Handle<JSReceiver> receiver,uint32_t length,ArrayConcatVisitor * visitor)969 bool IterateElementsSlow(Isolate* isolate, Handle<JSReceiver> receiver,
970 uint32_t length, ArrayConcatVisitor* visitor) {
971 FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, i = 0, i, i < length, ++i, {
972 Maybe<bool> maybe = JSReceiver::HasElement(receiver, i);
973 if (maybe.IsNothing()) return false;
974 if (maybe.FromJust()) {
975 Handle<Object> element_value;
976 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
977 isolate, element_value, JSReceiver::GetElement(isolate, receiver, i),
978 false);
979 if (!visitor->visit(i, element_value)) return false;
980 }
981 });
982 visitor->increase_index_offset(length);
983 return true;
984 }
985 /**
986 * A helper function that visits "array" elements of a JSReceiver in numerical
987 * order.
988 *
989 * The visitor argument called for each existing element in the array
990 * with the element index and the element's value.
991 * Afterwards it increments the base-index of the visitor by the array
992 * length.
993 * Returns false if any access threw an exception, otherwise true.
994 */
IterateElements(Isolate * isolate,Handle<JSReceiver> receiver,ArrayConcatVisitor * visitor)995 bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
996 ArrayConcatVisitor* visitor) {
997 uint32_t length = 0;
998
999 if (receiver->IsJSArray()) {
1000 Handle<JSArray> array = Handle<JSArray>::cast(receiver);
1001 length = static_cast<uint32_t>(array->length()->Number());
1002 } else {
1003 Handle<Object> val;
1004 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1005 isolate, val, Object::GetLengthFromArrayLike(isolate, receiver), false);
1006 if (visitor->index_offset() + val->Number() > kMaxSafeInteger) {
1007 isolate->Throw(*isolate->factory()->NewTypeError(
1008 MessageTemplate::kInvalidArrayLength));
1009 return false;
1010 }
1011 // TODO(caitp): Support larger element indexes (up to 2^53-1).
1012 if (!val->ToUint32(&length)) {
1013 length = 0;
1014 }
1015 // TODO(cbruni): handle other element kind as well
1016 return IterateElementsSlow(isolate, receiver, length, visitor);
1017 }
1018
1019 if (!HasOnlySimpleElements(isolate, *receiver) ||
1020 !visitor->has_simple_elements()) {
1021 return IterateElementsSlow(isolate, receiver, length, visitor);
1022 }
1023 Handle<JSObject> array = Handle<JSObject>::cast(receiver);
1024
1025 switch (array->GetElementsKind()) {
1026 case PACKED_SMI_ELEMENTS:
1027 case PACKED_ELEMENTS:
1028 case HOLEY_SMI_ELEMENTS:
1029 case HOLEY_ELEMENTS: {
1030 // Run through the elements FixedArray and use HasElement and GetElement
1031 // to check the prototype for missing elements.
1032 Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
1033 int fast_length = static_cast<int>(length);
1034 DCHECK(fast_length <= elements->length());
1035 FOR_WITH_HANDLE_SCOPE(isolate, int, j = 0, j, j < fast_length, j++, {
1036 Handle<Object> element_value(elements->get(j), isolate);
1037 if (!element_value->IsTheHole(isolate)) {
1038 if (!visitor->visit(j, element_value)) return false;
1039 } else {
1040 Maybe<bool> maybe = JSReceiver::HasElement(array, j);
1041 if (maybe.IsNothing()) return false;
1042 if (maybe.FromJust()) {
1043 // Call GetElement on array, not its prototype, or getters won't
1044 // have the correct receiver.
1045 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1046 isolate, element_value,
1047 JSReceiver::GetElement(isolate, array, j), false);
1048 if (!visitor->visit(j, element_value)) return false;
1049 }
1050 }
1051 });
1052 break;
1053 }
1054 case HOLEY_DOUBLE_ELEMENTS:
1055 case PACKED_DOUBLE_ELEMENTS: {
1056 // Empty array is FixedArray but not FixedDoubleArray.
1057 if (length == 0) break;
1058 // Run through the elements FixedArray and use HasElement and GetElement
1059 // to check the prototype for missing elements.
1060 if (array->elements()->IsFixedArray()) {
1061 DCHECK_EQ(array->elements()->length(), 0);
1062 break;
1063 }
1064 Handle<FixedDoubleArray> elements(
1065 FixedDoubleArray::cast(array->elements()), isolate);
1066 int fast_length = static_cast<int>(length);
1067 DCHECK(fast_length <= elements->length());
1068 FOR_WITH_HANDLE_SCOPE(isolate, int, j = 0, j, j < fast_length, j++, {
1069 if (!elements->is_the_hole(j)) {
1070 double double_value = elements->get_scalar(j);
1071 Handle<Object> element_value =
1072 isolate->factory()->NewNumber(double_value);
1073 if (!visitor->visit(j, element_value)) return false;
1074 } else {
1075 Maybe<bool> maybe = JSReceiver::HasElement(array, j);
1076 if (maybe.IsNothing()) return false;
1077 if (maybe.FromJust()) {
1078 // Call GetElement on array, not its prototype, or getters won't
1079 // have the correct receiver.
1080 Handle<Object> element_value;
1081 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1082 isolate, element_value,
1083 JSReceiver::GetElement(isolate, array, j), false);
1084 if (!visitor->visit(j, element_value)) return false;
1085 }
1086 }
1087 });
1088 break;
1089 }
1090
1091 case DICTIONARY_ELEMENTS: {
1092 Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
1093 std::vector<uint32_t> indices;
1094 indices.reserve(dict->Capacity() / 2);
1095
1096 // Collect all indices in the object and the prototypes less
1097 // than length. This might introduce duplicates in the indices list.
1098 CollectElementIndices(isolate, array, length, &indices);
1099 std::sort(indices.begin(), indices.end());
1100 size_t n = indices.size();
1101 FOR_WITH_HANDLE_SCOPE(isolate, size_t, j = 0, j, j < n, (void)0, {
1102 uint32_t index = indices[j];
1103 Handle<Object> element;
1104 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1105 isolate, element, JSReceiver::GetElement(isolate, array, index),
1106 false);
1107 if (!visitor->visit(index, element)) return false;
1108 // Skip to next different index (i.e., omit duplicates).
1109 do {
1110 j++;
1111 } while (j < n && indices[j] == index);
1112 });
1113 break;
1114 }
1115 case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
1116 case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
1117 FOR_WITH_HANDLE_SCOPE(
1118 isolate, uint32_t, index = 0, index, index < length, index++, {
1119 Handle<Object> element;
1120 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
1121 isolate, element, JSReceiver::GetElement(isolate, array, index),
1122 false);
1123 if (!visitor->visit(index, element)) return false;
1124 });
1125 break;
1126 }
1127 case NO_ELEMENTS:
1128 break;
1129 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
1130 TYPED_ARRAYS(TYPED_ARRAY_CASE)
1131 #undef TYPED_ARRAY_CASE
1132 return IterateElementsSlow(isolate, receiver, length, visitor);
1133 case FAST_STRING_WRAPPER_ELEMENTS:
1134 case SLOW_STRING_WRAPPER_ELEMENTS:
1135 // |array| is guaranteed to be an array or typed array.
1136 UNREACHABLE();
1137 break;
1138 }
1139 visitor->increase_index_offset(length);
1140 return true;
1141 }
1142
IsConcatSpreadable(Isolate * isolate,Handle<Object> obj)1143 static Maybe<bool> IsConcatSpreadable(Isolate* isolate, Handle<Object> obj) {
1144 HandleScope handle_scope(isolate);
1145 if (!obj->IsJSReceiver()) return Just(false);
1146 if (!isolate->IsIsConcatSpreadableLookupChainIntact(JSReceiver::cast(*obj))) {
1147 // Slow path if @@isConcatSpreadable has been used.
1148 Handle<Symbol> key(isolate->factory()->is_concat_spreadable_symbol());
1149 Handle<Object> value;
1150 MaybeHandle<Object> maybeValue =
1151 i::Runtime::GetObjectProperty(isolate, obj, key);
1152 if (!maybeValue.ToHandle(&value)) return Nothing<bool>();
1153 if (!value->IsUndefined(isolate)) return Just(value->BooleanValue(isolate));
1154 }
1155 return Object::IsArray(obj);
1156 }
1157
Slow_ArrayConcat(BuiltinArguments * args,Handle<Object> species,Isolate * isolate)1158 Object* Slow_ArrayConcat(BuiltinArguments* args, Handle<Object> species,
1159 Isolate* isolate) {
1160 int argument_count = args->length();
1161
1162 bool is_array_species = *species == isolate->context()->array_function();
1163
1164 // Pass 1: estimate the length and number of elements of the result.
1165 // The actual length can be larger if any of the arguments have getters
1166 // that mutate other arguments (but will otherwise be precise).
1167 // The number of elements is precise if there are no inherited elements.
1168
1169 ElementsKind kind = PACKED_SMI_ELEMENTS;
1170
1171 uint32_t estimate_result_length = 0;
1172 uint32_t estimate_nof = 0;
1173 FOR_WITH_HANDLE_SCOPE(isolate, int, i = 0, i, i < argument_count, i++, {
1174 Handle<Object> obj((*args)[i], isolate);
1175 uint32_t length_estimate;
1176 uint32_t element_estimate;
1177 if (obj->IsJSArray()) {
1178 Handle<JSArray> array(Handle<JSArray>::cast(obj));
1179 length_estimate = static_cast<uint32_t>(array->length()->Number());
1180 if (length_estimate != 0) {
1181 ElementsKind array_kind =
1182 GetPackedElementsKind(array->GetElementsKind());
1183 kind = GetMoreGeneralElementsKind(kind, array_kind);
1184 }
1185 element_estimate = EstimateElementCount(isolate, array);
1186 } else {
1187 if (obj->IsHeapObject()) {
1188 kind = GetMoreGeneralElementsKind(
1189 kind, obj->IsNumber() ? PACKED_DOUBLE_ELEMENTS : PACKED_ELEMENTS);
1190 }
1191 length_estimate = 1;
1192 element_estimate = 1;
1193 }
1194 // Avoid overflows by capping at kMaxElementCount.
1195 if (JSObject::kMaxElementCount - estimate_result_length < length_estimate) {
1196 estimate_result_length = JSObject::kMaxElementCount;
1197 } else {
1198 estimate_result_length += length_estimate;
1199 }
1200 if (JSObject::kMaxElementCount - estimate_nof < element_estimate) {
1201 estimate_nof = JSObject::kMaxElementCount;
1202 } else {
1203 estimate_nof += element_estimate;
1204 }
1205 });
1206
1207 // If estimated number of elements is more than half of length, a
1208 // fixed array (fast case) is more time and space-efficient than a
1209 // dictionary.
1210 bool fast_case = is_array_species &&
1211 (estimate_nof * 2) >= estimate_result_length &&
1212 isolate->IsIsConcatSpreadableLookupChainIntact();
1213
1214 if (fast_case && kind == PACKED_DOUBLE_ELEMENTS) {
1215 Handle<FixedArrayBase> storage =
1216 isolate->factory()->NewFixedDoubleArray(estimate_result_length);
1217 int j = 0;
1218 bool failure = false;
1219 if (estimate_result_length > 0) {
1220 Handle<FixedDoubleArray> double_storage =
1221 Handle<FixedDoubleArray>::cast(storage);
1222 for (int i = 0; i < argument_count; i++) {
1223 Handle<Object> obj((*args)[i], isolate);
1224 if (obj->IsSmi()) {
1225 double_storage->set(j, Smi::ToInt(*obj));
1226 j++;
1227 } else if (obj->IsNumber()) {
1228 double_storage->set(j, obj->Number());
1229 j++;
1230 } else {
1231 DisallowHeapAllocation no_gc;
1232 JSArray* array = JSArray::cast(*obj);
1233 uint32_t length = static_cast<uint32_t>(array->length()->Number());
1234 switch (array->GetElementsKind()) {
1235 case HOLEY_DOUBLE_ELEMENTS:
1236 case PACKED_DOUBLE_ELEMENTS: {
1237 // Empty array is FixedArray but not FixedDoubleArray.
1238 if (length == 0) break;
1239 FixedDoubleArray* elements =
1240 FixedDoubleArray::cast(array->elements());
1241 for (uint32_t i = 0; i < length; i++) {
1242 if (elements->is_the_hole(i)) {
1243 // TODO(jkummerow/verwaest): We could be a bit more clever
1244 // here: Check if there are no elements/getters on the
1245 // prototype chain, and if so, allow creation of a holey
1246 // result array.
1247 // Same thing below (holey smi case).
1248 failure = true;
1249 break;
1250 }
1251 double double_value = elements->get_scalar(i);
1252 double_storage->set(j, double_value);
1253 j++;
1254 }
1255 break;
1256 }
1257 case HOLEY_SMI_ELEMENTS:
1258 case PACKED_SMI_ELEMENTS: {
1259 Object* the_hole = ReadOnlyRoots(isolate).the_hole_value();
1260 FixedArray* elements(FixedArray::cast(array->elements()));
1261 for (uint32_t i = 0; i < length; i++) {
1262 Object* element = elements->get(i);
1263 if (element == the_hole) {
1264 failure = true;
1265 break;
1266 }
1267 int32_t int_value = Smi::ToInt(element);
1268 double_storage->set(j, int_value);
1269 j++;
1270 }
1271 break;
1272 }
1273 case HOLEY_ELEMENTS:
1274 case PACKED_ELEMENTS:
1275 case DICTIONARY_ELEMENTS:
1276 case NO_ELEMENTS:
1277 DCHECK_EQ(0u, length);
1278 break;
1279 default:
1280 UNREACHABLE();
1281 }
1282 }
1283 if (failure) break;
1284 }
1285 }
1286 if (!failure) {
1287 return *isolate->factory()->NewJSArrayWithElements(storage, kind, j);
1288 }
1289 // In case of failure, fall through.
1290 }
1291
1292 Handle<HeapObject> storage;
1293 if (fast_case) {
1294 // The backing storage array must have non-existing elements to preserve
1295 // holes across concat operations.
1296 storage =
1297 isolate->factory()->NewFixedArrayWithHoles(estimate_result_length);
1298 } else if (is_array_species) {
1299 storage = NumberDictionary::New(isolate, estimate_nof);
1300 } else {
1301 DCHECK(species->IsConstructor());
1302 Handle<Object> length(Smi::kZero, isolate);
1303 Handle<Object> storage_object;
1304 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1305 isolate, storage_object,
1306 Execution::New(isolate, species, species, 1, &length));
1307 storage = Handle<HeapObject>::cast(storage_object);
1308 }
1309
1310 ArrayConcatVisitor visitor(isolate, storage, fast_case);
1311
1312 for (int i = 0; i < argument_count; i++) {
1313 Handle<Object> obj((*args)[i], isolate);
1314 Maybe<bool> spreadable = IsConcatSpreadable(isolate, obj);
1315 MAYBE_RETURN(spreadable, ReadOnlyRoots(isolate).exception());
1316 if (spreadable.FromJust()) {
1317 Handle<JSReceiver> object = Handle<JSReceiver>::cast(obj);
1318 if (!IterateElements(isolate, object, &visitor)) {
1319 return ReadOnlyRoots(isolate).exception();
1320 }
1321 } else {
1322 if (!visitor.visit(0, obj)) return ReadOnlyRoots(isolate).exception();
1323 visitor.increase_index_offset(1);
1324 }
1325 }
1326
1327 if (visitor.exceeds_array_limit()) {
1328 THROW_NEW_ERROR_RETURN_FAILURE(
1329 isolate, NewRangeError(MessageTemplate::kInvalidArrayLength));
1330 }
1331
1332 if (is_array_species) {
1333 return *visitor.ToArray();
1334 } else {
1335 RETURN_RESULT_OR_FAILURE(isolate, visitor.ToJSReceiver());
1336 }
1337 }
1338
IsSimpleArray(Isolate * isolate,Handle<JSArray> obj)1339 bool IsSimpleArray(Isolate* isolate, Handle<JSArray> obj) {
1340 DisallowHeapAllocation no_gc;
1341 Map* map = obj->map();
1342 // If there is only the 'length' property we are fine.
1343 if (map->prototype() ==
1344 isolate->native_context()->initial_array_prototype() &&
1345 map->NumberOfOwnDescriptors() == 1) {
1346 return true;
1347 }
1348 // TODO(cbruni): slower lookup for array subclasses and support slow
1349 // @@IsConcatSpreadable lookup.
1350 return false;
1351 }
1352
Fast_ArrayConcat(Isolate * isolate,BuiltinArguments * args)1353 MaybeHandle<JSArray> Fast_ArrayConcat(Isolate* isolate,
1354 BuiltinArguments* args) {
1355 if (!isolate->IsIsConcatSpreadableLookupChainIntact()) {
1356 return MaybeHandle<JSArray>();
1357 }
1358 // We shouldn't overflow when adding another len.
1359 const int kHalfOfMaxInt = 1 << (kBitsPerInt - 2);
1360 STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
1361 STATIC_ASSERT(FixedDoubleArray::kMaxLength < kHalfOfMaxInt);
1362 USE(kHalfOfMaxInt);
1363
1364 int n_arguments = args->length();
1365 int result_len = 0;
1366 {
1367 DisallowHeapAllocation no_gc;
1368 // Iterate through all the arguments performing checks
1369 // and calculating total length.
1370 for (int i = 0; i < n_arguments; i++) {
1371 Object* arg = (*args)[i];
1372 if (!arg->IsJSArray()) return MaybeHandle<JSArray>();
1373 if (!HasOnlySimpleReceiverElements(isolate, JSObject::cast(arg))) {
1374 return MaybeHandle<JSArray>();
1375 }
1376 // TODO(cbruni): support fast concatenation of DICTIONARY_ELEMENTS.
1377 if (!JSObject::cast(arg)->HasFastElements()) {
1378 return MaybeHandle<JSArray>();
1379 }
1380 Handle<JSArray> array(JSArray::cast(arg), isolate);
1381 if (!IsSimpleArray(isolate, array)) {
1382 return MaybeHandle<JSArray>();
1383 }
1384 // The Array length is guaranted to be <= kHalfOfMaxInt thus we won't
1385 // overflow.
1386 result_len += Smi::ToInt(array->length());
1387 DCHECK_GE(result_len, 0);
1388 // Throw an Error if we overflow the FixedArray limits
1389 if (FixedDoubleArray::kMaxLength < result_len ||
1390 FixedArray::kMaxLength < result_len) {
1391 AllowHeapAllocation gc;
1392 THROW_NEW_ERROR(isolate,
1393 NewRangeError(MessageTemplate::kInvalidArrayLength),
1394 JSArray);
1395 }
1396 }
1397 }
1398 return ElementsAccessor::Concat(isolate, args, n_arguments, result_len);
1399 }
1400
1401 } // namespace
1402
1403 // ES6 22.1.3.1 Array.prototype.concat
BUILTIN(ArrayConcat)1404 BUILTIN(ArrayConcat) {
1405 HandleScope scope(isolate);
1406
1407 Handle<Object> receiver = args.receiver();
1408 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1409 isolate, receiver,
1410 Object::ToObject(isolate, args.receiver(), "Array.prototype.concat"));
1411 args[0] = *receiver;
1412
1413 Handle<JSArray> result_array;
1414
1415 // Avoid a real species read to avoid extra lookups to the array constructor
1416 if (V8_LIKELY(receiver->IsJSArray() &&
1417 Handle<JSArray>::cast(receiver)->HasArrayPrototype(isolate) &&
1418 isolate->IsArraySpeciesLookupChainIntact())) {
1419 if (Fast_ArrayConcat(isolate, &args).ToHandle(&result_array)) {
1420 return *result_array;
1421 }
1422 if (isolate->has_pending_exception())
1423 return ReadOnlyRoots(isolate).exception();
1424 }
1425 // Reading @@species happens before anything else with a side effect, so
1426 // we can do it here to determine whether to take the fast path.
1427 Handle<Object> species;
1428 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
1429 isolate, species, Object::ArraySpeciesConstructor(isolate, receiver));
1430 if (*species == *isolate->array_function()) {
1431 if (Fast_ArrayConcat(isolate, &args).ToHandle(&result_array)) {
1432 return *result_array;
1433 }
1434 if (isolate->has_pending_exception())
1435 return ReadOnlyRoots(isolate).exception();
1436 }
1437 return Slow_ArrayConcat(&args, species, isolate);
1438 }
1439
1440 } // namespace internal
1441 } // namespace v8
1442