
Side by Side Diff: src/factory.cc

Issue 1158023003: Mark proxy map as unstable during fixing freezing, sealing or preventing extensions). (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 5 years, 6 months ago
1 // Copyright 2014 the V8 project authors. All rights reserved. 1 // Copyright 2014 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/factory.h" 5 #include "src/factory.h"
6 6
7 #include "src/allocation-site-scopes.h" 7 #include "src/allocation-site-scopes.h"
8 #include "src/base/bits.h" 8 #include "src/base/bits.h"
9 #include "src/bootstrapper.h" 9 #include "src/bootstrapper.h"
10 #include "src/conversions.h" 10 #include "src/conversions.h"
(...skipping 1966 matching lines...) Expand 10 before | Expand all | Expand 10 after
1977 } 1977 }
1978 1978
1979 1979
1980 Handle<JSProxy> Factory::NewJSProxy(Handle<Object> handler, 1980 Handle<JSProxy> Factory::NewJSProxy(Handle<Object> handler,
1981 Handle<Object> prototype) { 1981 Handle<Object> prototype) {
1982 // Allocate map. 1982 // Allocate map.
1983 // TODO(rossberg): Once we optimize proxies, think about a scheme to share 1983 // TODO(rossberg): Once we optimize proxies, think about a scheme to share
1984 // maps. Will probably depend on the identity of the handler object, too. 1984 // maps. Will probably depend on the identity of the handler object, too.
1985 Handle<Map> map = NewMap(JS_PROXY_TYPE, JSProxy::kSize); 1985 Handle<Map> map = NewMap(JS_PROXY_TYPE, JSProxy::kSize);
1986 Map::SetPrototype(map, prototype); 1986 Map::SetPrototype(map, prototype);
1987 // Do not treat proxy maps as stable since a proxy object may silently turn
1988 // into a JSObject by freezing, sealing or preventing extensions.
1989 map->mark_unstable();
Toon Verwaest 2015/05/29 14:12:52 Why not make it unstable in those places?
1987 1990
1988 // Allocate the proxy object. 1991 // Allocate the proxy object.
1989 Handle<JSProxy> result = New<JSProxy>(map, NEW_SPACE); 1992 Handle<JSProxy> result = New<JSProxy>(map, NEW_SPACE);
1990 result->InitializeBody(map->instance_size(), Smi::FromInt(0)); 1993 result->InitializeBody(map->instance_size(), Smi::FromInt(0));
1991 result->set_handler(*handler); 1994 result->set_handler(*handler);
1992 result->set_hash(*undefined_value(), SKIP_WRITE_BARRIER); 1995 result->set_hash(*undefined_value(), SKIP_WRITE_BARRIER);
1993 return result; 1996 return result;
1994 } 1997 }
1995 1998
1996 1999
(...skipping 467 matching lines...) Expand 10 before | Expand all | Expand 10 after
2464 return Handle<Object>::null(); 2467 return Handle<Object>::null();
2465 } 2468 }
2466 2469
2467 2470
2468 Handle<Object> Factory::ToBoolean(bool value) { 2471 Handle<Object> Factory::ToBoolean(bool value) {
2469 return value ? true_value() : false_value(); 2472 return value ? true_value() : false_value();
2470 } 2473 }
2471 2474
2472 2475
2473 } } // namespace v8::internal 2476 } } // namespace v8::internal
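Review bot: The new comment above `map->mark_unstable()` in Factory::NewJSProxy says what can happen to a proxy but not why map stability matters, and the marking only covers maps allocated through this one function. If optimized code is allowed to skip map checks for stable maps, as the stability flag suggests, a proxy map left stable by any other allocation path in the skipped parts of this file would let that code keep treating a converted object as a proxy. I would state the invariant in the comment, e.g. `// Optimized code may omit map checks on stable maps, so a proxy map must never be stable.` I would also back it with a debug assertion such as `DCHECK(!map->is_stable());` on the proxy's map at the point where the proxy is converted, which is outside this section.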