Fix Function subclassing.

src/objects.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/objects.h"
 
 #include <cmath>
 #include <iomanip>
 #include <sstream>
 
@@ skipping 8901 matching lines @@
 #endif
 
   return result;
 }
 
 
 Handle<Map> Map::CopyInitialMap(Handle<Map> map, int instance_size,
                                 int in_object_properties,
                                 int unused_property_fields) {
 #ifdef DEBUG
-  Object* constructor = map->GetConstructor();
-  DCHECK(constructor->IsJSFunction());
-  DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map());
+  if (map->instance_type() != JS_FUNCTION_TYPE) {
+    // Function initial maps does not have a constructor.
+    Object* constructor = map->GetConstructor();
+    DCHECK(constructor->IsJSFunction());
+    DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map());
+  }
 #endif
   // Initial maps must always own their descriptors and it's descriptor array
   // does not contain descriptors that do not belong to the map.
   DCHECK(map->owns_descriptors());
   DCHECK_EQ(map->NumberOfOwnDescriptors(),
             map->instance_descriptors()->number_of_descriptors());
 
   Handle<Map> result = RawCopy(map, instance_size);
 
   // Please note instance_type and instance_size are set when allocated.
@@ skipping 244 matching lines @@
     return new_map;
   }
 
   // Create a new free-floating map only if we are not allowed to store it.
   Handle<Map> new_map = Copy(map, "CopyAsElementsKind");
   new_map->set_elements_kind(kind);
   return new_map;
 }
 
 
+Handle<Map> Map::AsLanguageMode(Handle<Map> initial_map,
+                                LanguageMode language_mode) {
+  DCHECK_EQ(JS_FUNCTION_TYPE, initial_map->instance_type());
+  Isolate* isolate = initial_map->GetIsolate();
+  Factory* factory = isolate->factory();
+  Handle<Symbol> transition_symbol;
+  Handle<Map> function_map;
+
+  switch (language_mode) {
+    case SLOPPY:
+      transition_symbol = factory->sloppy_function_symbol();
+      function_map = isolate->sloppy_function_map();

[Toon Verwaest, 2015/12/08 20:01:08]

What about making the initial map be the sloppy map? Isn't that already the
case? If we do that, we probably don't need to transition in most cases.

[Igor Sheludko, 2015/12/10 10:50:41]

Done.

+      break;
+    case STRICT:
+      transition_symbol = factory->strict_function_symbol();
+      function_map = isolate->strict_function_map();
+      break;
+    case STRONG:
+      transition_symbol = factory->strong_function_symbol();
+      function_map = isolate->strong_function_map();
+      break;
+    default:
+      UNREACHABLE();
+      break;
+  }
+  Map* maybe_transition =
+      TransitionArray::SearchSpecial(*initial_map, *transition_symbol);
+  if (maybe_transition != NULL) {
+    return handle(maybe_transition, isolate);
+  }
+
+  Handle<Map> map =
+      Map::CopyInitialMap(function_map, initial_map->instance_size(),
+                          initial_map->GetInObjectProperties(),
+                          initial_map->unused_property_fields());
+  // We set |function_map|'s descriptor array to |map|, so clear the ownership
+  // flag to prevent |function_map|'s descriptors corruption.
+  map->set_owns_descriptors(false);

[Toon Verwaest, 2015/12/08 20:01:08]

I don't immediately understand this ...
If we share the descriptor array, the initial map should lose ownership, not the
target map.

[Igor Sheludko, 2015/12/10 10:50:41]

Done.

+  // Take constructor and prototype values from |initial_map|.
+  map->SetConstructor(initial_map->GetConstructor());
+  map->set_prototype(initial_map->prototype());

[Toon Verwaest, 2015/12/08 20:01:08]

Is this correct for strong-mode?...

+
+  Map::ConnectTransition(initial_map, map, transition_symbol,
+                         SPECIAL_TRANSITION);
+  return map;
+}
+
+
 Handle<Map> Map::CopyForObserved(Handle<Map> map) {
   DCHECK(!map->is_observed());
 
   Isolate* isolate = map->GetIsolate();
 
   bool insert_transition =
       TransitionArray::CanHaveMoreTransitions(map) && !map->is_prototype_map();
 
   if (insert_transition) {
     Handle<Map> new_map = CopyForTransition(map, "CopyForObserved");
@@ skipping 9895 matching lines @@
   if (cell->value() != *new_value) {
     cell->set_value(*new_value);
     Isolate* isolate = cell->GetIsolate();
     cell->dependent_code()->DeoptimizeDependentCodeGroup(
         isolate, DependentCode::kPropertyCellChangedGroup);
   }
 }
 
 }  // namespace internal
 }  // namespace v8