deps: cherry-pick 6da51b4 from v8's upstream · nodejs/node@6098504

@@ -100,22 +100,37 @@ bool Accessors::IsJSArrayBufferViewFieldAccessor(Handle<Map> map,

100100

Isolate* isolate = name->GetIsolate();

101101102102

switch (map->instance_type()) {

103-

case JS_TYPED_ARRAY_TYPE:

104-

// %TypedArray%.prototype is non-configurable, and so are the following

105-

// named properties on %TypedArray%.prototype, so we can directly inline

106-

// the field-load for typed array maps that still use their

107-

// %TypedArray%.prototype.

108-

if (JSFunction::cast(map->GetConstructor())->prototype() !=

109-

map->prototype()) {

103+

case JS_TYPED_ARRAY_TYPE: {

104+

if (!CheckForName(name, isolate->factory()->length_string(),

105+

JSTypedArray::kLengthOffset, object_offset) &&

106+

!CheckForName(name, isolate->factory()->byte_length_string(),

107+

JSTypedArray::kByteLengthOffset, object_offset) &&

108+

!CheckForName(name, isolate->factory()->byte_offset_string(),

109+

JSTypedArray::kByteOffsetOffset, object_offset)) {

110110

return false;

111111

}

112-

return CheckForName(name, isolate->factory()->length_string(),

113-

JSTypedArray::kLengthOffset, object_offset) ||

114-

CheckForName(name, isolate->factory()->byte_length_string(),

115-

JSTypedArray::kByteLengthOffset, object_offset) ||

116-

CheckForName(name, isolate->factory()->byte_offset_string(),

117-

JSTypedArray::kByteOffsetOffset, object_offset);

118112113+

if (map->is_dictionary_map()) return false;

114+115+

// Check if the property is overridden on the instance.

116+

DescriptorArray* descriptors = map->instance_descriptors();

117+

int descriptor = descriptors->SearchWithCache(*name, *map);

118+

if (descriptor != DescriptorArray::kNotFound) return false;

119+120+

Handle<Object> proto = Handle<Object>(map->prototype(), isolate);

121+

if (!proto->IsJSReceiver()) return false;

122+123+

// Check if the property is defined in the prototype chain.

124+

LookupIterator it(proto, name);

125+

if (!it.IsFound()) return false;

126+127+

Object* original_proto =

128+

JSFunction::cast(map->GetConstructor())->prototype();

129+130+

// Property is not configurable. It is enough to verify that

131+

// the holder is the same.

132+

return *it.GetHolder<Object>() == original_proto;

133+

}

119134

case JS_DATA_VIEW_TYPE:

120135

return CheckForName(name, isolate->factory()->byte_length_string(),

121136

JSDataView::kByteLengthOffset, object_offset) ||
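Review bot: The final `return *it.GetHolder<Object>() == original_proto;` is sound only under an invariant that lives in a two-line comment ("Property is not configurable"), and the removed comment explaining why the field load may be inlined has no replacement on the new side. Going by that removed comment, a wrong `true` from this case lets the field at `object_offset` be loaded directly instead of through the ordinary property lookup, so I would say so above the `case`, e.g. `// Returning true permits a direct field load; any doubt about which object defines |name| must return false.` A debug-only assertion that the property the iterator found is in fact non-configurable would stop that assumption from going stale silently. `JSFunction::cast(map->GetConstructor())` is carried over unchecked from the removed lines; presumably the constructor is always a JSFunction for typed-array maps, but nothing visible here establishes it. The function begins before this hunk and the switch continues past it.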