src/runtime/runtime-object.cc - Issue 1427483002: [es6] Better support for built-ins subclassing.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/runtime/runtime-object.cc

Issue 1427483002: [es6] Better support for built-ins subclassing. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Avoid crashes in case of Function subclassing Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/runtime/runtime-object.cc

diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc

index 28726cba56672788e404fa8a0e72af92cd48ec54..43b74bf8383a2140447b7fc47f6ed1d8a4883021 100644

--- a/src/runtime/runtime-object.cc

+++ b/src/runtime/runtime-object.cc

@@ -992,7 +992,7 @@ static Object* Runtime_NewObjectHelper(Isolate* isolate,

// Handle stepping into constructors if step into is active.

if (debug->StepInActive()) debug->HandleStepIn(function, true);

- if (function->has_initial_map()) {

+ if (function->has_initial_map() && original_function->has_initial_map()) {

Toon Verwaest 2015/10/29 12:54:46 Do we still need this additional special case now

Igor Sheludko 2015/10/29 15:26:22 Done.

if (function->initial_map()->instance_type() == JS_FUNCTION_TYPE) {

// The 'Function' function ignores the receiver object when

// called using 'new' and creates a new JSFunction object that

@@ -1013,26 +1013,17 @@ static Object* Runtime_NewObjectHelper(Isolate* isolate,

// available.

Compiler::Compile(function, CLEAR_EXCEPTION);

- Handle<JSObject> result;

- if (site.is_null()) {

- result = isolate->factory()->NewJSObject(function);

- } else {

- result = isolate->factory()->NewJSObjectWithMemento(function, site);

- }

+ JSFunction::EnsureHasInitialMap(function);

+ Handle<Map> initial_map =

+ JSFunction::EnsureDerivedHasInitialMap(original_function, function);

- // Set up the prototoype using original function.

- // TODO(dslomov): instead of setting the __proto__,

- // use and cache the correct map.

- if (*original_function != *function) {

- if (original_function->has_instance_prototype()) {

- Handle<Object> prototype =

- handle(original_function->instance_prototype(), isolate);

- MAYBE_RETURN(JSObject::SetPrototype(result, prototype, false,

- Object::THROW_ON_ERROR),

- isolate->heap()->exception());

- }

+ if (initial_map->instance_type() == JS_FUNCTION_TYPE) {

+ return isolate->global_proxy();

}

+ Handle<JSObject> result =

+ isolate->factory()->NewJSObjectFromMap(initial_map, NOT_TENURED, site);

isolate->counters()->constructed_objects()->Increment();

isolate->counters()->constructed_objects_runtime()->Increment();

« no previous file with comments | « src/objects-printer.cc ('k') | src/runtime/runtime-typedarray.cc » ('j') | no next file with comments »