Fix Function subclassing.

src/objects.cc

Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index cb87347d8633eac1c9a2767e9148435b4e1f8dc9..928549e80e59cd923d39e21d88b1e72f32f4d41a 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -8919,9 +8919,12 @@ Handle<Map> Map::CopyInitialMap(Handle<Map> map, int instance_size,
                                 int in_object_properties,
                                 int unused_property_fields) {
 #ifdef DEBUG
-  Object* constructor = map->GetConstructor();
-  DCHECK(constructor->IsJSFunction());
-  DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map());
+  if (map->instance_type() != JS_FUNCTION_TYPE) {
+    // Function initial maps does not have a constructor.
+    Object* constructor = map->GetConstructor();
+    DCHECK(constructor->IsJSFunction());
+    DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map());
+  }
 #endif
   // Initial maps must always own their descriptors and it's descriptor array
   // does not contain descriptors that do not belong to the map.
@@ -9186,6 +9189,54 @@ Handle<Map> Map::CopyAsElementsKind(Handle<Map> map, ElementsKind kind,
 }
 
 
+Handle<Map> Map::AsLanguageMode(Handle<Map> initial_map,
+                                LanguageMode language_mode) {
+  DCHECK_EQ(JS_FUNCTION_TYPE, initial_map->instance_type());
+  Isolate* isolate = initial_map->GetIsolate();
+  Factory* factory = isolate->factory();
+  Handle<Symbol> transition_symbol;
+  Handle<Map> function_map;
+
+  switch (language_mode) {
+    case SLOPPY:
+      transition_symbol = factory->sloppy_function_symbol();
+      function_map = isolate->sloppy_function_map();

[Toon Verwaest, 2015/12/08 20:01:08]

What about making the initial map be the sloppy map? Isn't that already the
case? If we do that, we probably don't need to transition in most cases.

[Igor Sheludko, 2015/12/10 10:50:41]

Done.

+      break;
+    case STRICT:
+      transition_symbol = factory->strict_function_symbol();
+      function_map = isolate->strict_function_map();
+      break;
+    case STRONG:
+      transition_symbol = factory->strong_function_symbol();
+      function_map = isolate->strong_function_map();
+      break;
+    default:
+      UNREACHABLE();
+      break;
+  }
+  Map* maybe_transition =
+      TransitionArray::SearchSpecial(*initial_map, *transition_symbol);
+  if (maybe_transition != NULL) {
+    return handle(maybe_transition, isolate);
+  }
+
+  Handle<Map> map =
+      Map::CopyInitialMap(function_map, initial_map->instance_size(),
+                          initial_map->GetInObjectProperties(),
+                          initial_map->unused_property_fields());
+  // We set |function_map|'s descriptor array to |map|, so clear the ownership
+  // flag to prevent |function_map|'s descriptors corruption.
+  map->set_owns_descriptors(false);

[Toon Verwaest, 2015/12/08 20:01:08]

I don't immediately understand this ...
If we share the descriptor array, the initial map should lose ownership, not the
target map.

[Igor Sheludko, 2015/12/10 10:50:41]

Done.

+  // Take constructor and prototype values from |initial_map|.
+  map->SetConstructor(initial_map->GetConstructor());
+  map->set_prototype(initial_map->prototype());

[Toon Verwaest, 2015/12/08 20:01:08]

Is this correct for strong-mode?...

+
+  Map::ConnectTransition(initial_map, map, transition_symbol,
+                         SPECIAL_TRANSITION);
+  return map;
+}
+
+
 Handle<Map> Map::CopyForObserved(Handle<Map> map) {
   DCHECK(!map->is_observed());