Chromium Code Reviews Chromium Code Reviews
Issue 1510753005:
Fix Function subclassing. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| Index: src/objects.cc |
| diff --git a/src/objects.cc b/src/objects.cc |
| index cb87347d8633eac1c9a2767e9148435b4e1f8dc9..0bb1d3228eb43d817ab9a2380deaa3c70cc76b0b 100644 |
| --- a/src/objects.cc |
| +++ b/src/objects.cc |
| @@ -8919,9 +8919,18 @@ Handle<Map> Map::CopyInitialMap(Handle<Map> map, int instance_size, |
| int in_object_properties, |
| int unused_property_fields) { |
| #ifdef DEBUG |
| - Object* constructor = map->GetConstructor(); |
| - DCHECK(constructor->IsJSFunction()); |
| - DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map()); |
| + Isolate* isolate = map->GetIsolate(); |
| + if (*isolate->strict_function_map() != *map && |
| + *isolate->strong_function_map() != *map && |
| + *isolate->strict_generator_function_map() != *map && |
| + *isolate->strong_generator_function_map() != *map) { |
| + // Strict and strong function maps have Function as a constructor but the |
| + // Function's initial map is a sloppy function map. Same holds for |
| + // GeneratorFunction and its initial map. |
| + Object* constructor = map->GetConstructor(); |
| + DCHECK(constructor->IsJSFunction()); |
| + DCHECK_EQ(*map, JSFunction::cast(constructor)->initial_map()); |
|
Toon Verwaest
2015/12/09 21:40:03
so initial_map == map || map == strict_function_ma
Igor Sheludko
2015/12/10 10:50:41
Done.
|
| + } |
| #endif |
| // Initial maps must always own their descriptors and it's descriptor array |
| // does not contain descriptors that do not belong to the map. |
| @@ -9186,6 +9195,54 @@ Handle<Map> Map::CopyAsElementsKind(Handle<Map> map, ElementsKind kind, |
| } |
| +Handle<Map> Map::AsLanguageMode(Handle<Map> initial_map, |
| + LanguageMode language_mode, FunctionKind kind) { |
| + DCHECK_EQ(JS_FUNCTION_TYPE, initial_map->instance_type()); |
| + // Initial map for sloppy mode function is stored in the function |
| + // constructor. Initial maps for strict and strong modes are cached as |
| + // special transitions using |strict_function_transition_symbol| and |
| + // |strong_function_transition_symbol| respectively as a key. |
| + if (language_mode == SLOPPY) return initial_map; |
| + Isolate* isolate = initial_map->GetIsolate(); |
| + Factory* factory = isolate->factory(); |
| + Handle<Symbol> transition_symbol; |
| + |
| + int map_index = Context::FunctionMapIndex(language_mode, kind); |
| + Handle<Map> function_map( |
| + Map::cast(isolate->native_context()->get(map_index))); |
| + |
| + switch (language_mode) { |
| + case STRICT: |
| + transition_symbol = factory->strict_function_transition_symbol(); |
| + break; |
| + case STRONG: |
| + transition_symbol = factory->strong_function_transition_symbol(); |
| + break; |
| + default: |
| + UNREACHABLE(); |
| + break; |
| + } |
| + Map* maybe_transition = |
| + TransitionArray::SearchSpecial(*initial_map, *transition_symbol); |
| + if (maybe_transition != NULL) { |
| + return handle(maybe_transition, isolate); |
| + } |
| + |
| + // Create new map taking descriptors from the |function_map| and all |
| + // the other details from the |initial_map|. |
| + Handle<Map> map = |
| + Map::CopyInitialMap(function_map, initial_map->instance_size(), |
| + initial_map->GetInObjectProperties(), |
| + initial_map->unused_property_fields()); |
| + map->SetConstructor(initial_map->GetConstructor()); |
| + map->set_prototype(initial_map->prototype()); |
| + |
| + Map::ConnectTransition(initial_map, map, transition_symbol, |
| + SPECIAL_TRANSITION); |
| + return map; |
| +} |
| + |
| + |
| Handle<Map> Map::CopyForObserved(Handle<Map> map) { |
| DCHECK(!map->is_observed()); |
