[ddc] Add get and set proto inlined helpers

The helper methods make it easier to call the JS version of
`Object.getPrototypeOf()` and `Object.getPrototypeOf()` from the
SDK libraries. The body gets inlined directly to avoid extra method 
calls in potentially hot code paths.

Start using the setter when setting base and extension classes.

Issue:#52372
Change-Id: I6ca70cbf1936f76f24c8843e51c1c47e9bfe659c
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/303009
Reviewed-by: Sigmund Cherem <sigmund@google.com>
Commit-Queue: Nicholas Shahan <nshahan@google.com>

Author: nshahan

pkg/_js_interop_checks/lib/js_interop_checks.dart

@@ -90,6 +90,7 @@ class JsInteropChecks extends RecursiveVisitor {
     '_interceptors', // for ddc JS string
     '_native_typed_data',
     '_runtime', // for ddc types at runtime
+    '_js_helper', // for ddc inlined helper methods
     'async',
     'core', // for environment constructors
     'html',

pkg/dev_compiler/lib/src/kernel/compiler.dart

@@ -594,6 +594,9 @@ class ProgramCompiler extends ComputeOnceConstantVisitor<js_ast.Expression>
   /// True when [library] is the sdk internal library 'dart:_internal'.
   bool _isDartInternal(Library library) => isDartLibrary(library, '_internal');
 
+  /// True when [library] is the sdk internal library 'dart:_js_helper'.
+  bool _isDartJsHelper(Library library) => isDartLibrary(library, '_js_helper');
+
   /// True when [library] is the sdk internal library 'dart:_internal'.
   bool _isDartForeignHelper(Library library) =>
       isDartLibrary(library, '_foreign_helper');
@@ -6069,6 +6072,19 @@ class ProgramCompiler extends ComputeOnceConstantVisitor<js_ast.Expression>
         }
       }
     }
+    if (_isDartJsHelper(enclosingLibrary)) {
+      var name = target.name.text;
+      if (name == 'jsObjectGetPrototypeOf') {
+        var obj = node.arguments.positional.single;
+        return js.call('Object.getPrototypeOf(#)', _visitExpression(obj));
+      }
+      if (name == 'jsObjectSetPrototypeOf') {
+        var obj = node.arguments.positional.first;
+        var prototype = node.arguments.positional.last;
+        return js.call('Object.setPrototypeOf(#, #)',
+            [_visitExpression(obj), _visitExpression(prototype)]);
+      }
+    }
     if (target.isExternal &&
         target.isInlineClassMember &&
         hasObjectLiteralAnnotation(target)) {

sdk/lib/_internal/js_dev_runtime/private/ddc_runtime/classes.dart

@@ -598,18 +598,19 @@ definePrimitiveHashCode(proto) {
 }
 
 /// Link the extension to the type it's extending as a base class.
-setBaseClass(derived, base) {
-  JS('', '#.prototype.__proto__ = #.prototype', derived, base);
+void setBaseClass(@notNull Object derived, @notNull Object base) {
+  jsObjectSetPrototypeOf(
+      JS('', '#.prototype', derived), JS('', '#.prototype', base));
   // We use __proto__ to track the superclass hierarchy (see isSubtypeOf).
-  JS('', '#.__proto__ = #', derived, base);
+  jsObjectSetPrototypeOf(derived, base);
 }
 
 /// Like [setBaseClass], but for generic extension types such as `JSArray<E>`.
-setExtensionBaseClass(dartType, jsType) {
+void setExtensionBaseClass(@notNull Object dartType, @notNull Object jsType) {
   // Mark the generic type as an extension type and link the prototype objects.
-  var dartProto = JS('', '#.prototype', dartType);
+  var dartProto = JS<Object>('!', '#.prototype', dartType);
   JS('', '#[#] = #', dartProto, _extensionType, dartType);
-  JS('', '#.__proto__ = #.prototype', dartProto, jsType);
+  jsObjectSetPrototypeOf(dartProto, JS('', '#.prototype', jsType));
 }
 
 /// Adds type test predicates to a class/interface type [ctor], using the

sdk/lib/_internal/js_dev_runtime/private/ddc_runtime/runtime.dart

@@ -39,6 +39,7 @@ import 'dart:_js_helper'
         DeferredNotLoadedError,
         TypeErrorImpl,
         JsLinkedHashMap,
+        jsObjectSetPrototypeOf,
         ImmutableMap,
         Primitives,
         PrivateSymbol,

sdk/lib/_internal/js_dev_runtime/private/js_helper.dart

@@ -945,3 +945,35 @@ rti.Rti getRtiForRecord(Object? record) {
 // TODO(48585): Move this class back to the dart:_rti library when old DDC
 // runtime type system has been removed.
 abstract class TrustedGetRuntimeType {}
+
+/// Wraps the JavaScript `Object.getPrototypeOf()` method returning the
+/// `__proto__` of [obj].
+///
+/// This method is equivalent to:
+///
+///    JS<Object?>('', 'Object.getPrototypeOf(#)', obj);
+///
+/// but the code is generated by the compiler directly (a low-tech way of
+/// inlining).
+///
+/// This helper should always be used in place of `JS('', '#.__proto__', obj)`
+/// to avoid prototype pollution issues.
+/// See: https://github.com/tc39/proposal-symbol-proto
+external Object? jsObjectGetPrototypeOf(@notNull Object obj);
+
+/// Wraps the JavaScript `Object.setPrototypeOf()` method setting the
+/// `__proto__` of [obj] to [prototype] and returning [obj].
+///
+/// This method is equivalent to:
+///
+///    JS<Object>('!', 'Object.setPrototypeOf(#, #)', obj, prototype);
+///
+/// but the code is generated by the compiler directly (a low-tech way of
+/// inlining).
+///
+/// This helper should always be used in place of
+/// `JS('', '#.__proto__ = #', obj, prototype)` to avoid prototype
+/// pollution issues.
+/// See: https://github.com/tc39/proposal-symbol-proto
+@notNull
+external Object jsObjectSetPrototypeOf(@notNull Object obj, Object? prototype);