Ensure slow properties for simple {__proto__:null} literals.

src/builtins/builtins-constructor.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins/builtins-constructor.h"
 #include "src/ast/ast.h"
 #include "src/builtins/builtins-utils.h"
 #include "src/builtins/builtins.h"
 #include "src/code-factory.h"
 #include "src/code-stub-assembler.h"
@@ skipping 696 matching lines @@
     Node* field = Load(MachineType::IntPtr(), boilerplate, offset.value());
     StoreNoWriteBarrier(MachineType::PointerRepresentation(), copy,
                         offset.value(), field);
     Goto(&loop_check);
   }
   Bind(&loop_check);
   {
     offset.Bind(IntPtrAdd(offset.value(), IntPtrConstant(kPointerSize)));
     GotoIfNot(IntPtrGreaterThanOrEqual(offset.value(), end_offset), &loop_body);
   }
-
   if (FLAG_allocation_site_pretenuring) {
     Node* memento = InnerAllocate(copy, object_size);
     StoreMapNoWriteBarrier(memento, Heap::kAllocationMementoMapRootIndex);
     StoreObjectFieldNoWriteBarrier(
         memento, AllocationMemento::kAllocationSiteOffset, allocation_site);
     Node* memento_create_count = LoadObjectField(
         allocation_site, AllocationSite::kPretenureCreateCountOffset);
     memento_create_count =
         SmiAdd(memento_create_count, SmiConstant(Smi::FromInt(1)));
     StoreObjectFieldNoWriteBarrier(allocation_site,
                                    AllocationSite::kPretenureCreateCountOffset,
                                    memento_create_count);
   }
 
+  // Directly copy over the property store for dict-mode boilerplates.
+  Label dict_properties(this), done(this);
+  Branch(IsDictionaryMap(boilerplate_map), &dict_properties, &done);
+  Bind(&dict_properties);
+  {
+    Comment("Copy boilderplate property dict");
+    Node* boilerplate_properties = LoadProperties(boilerplate);
+    // TODO(cbruni): Use inner allocate for name dictionary
+    Node* properties = AllocateNameDictionary(
+        SmiUntag(GetCapacity<NameDictionary>(boilerplate_properties)));
+    CopyFixedArrayElements(FAST_ELEMENTS, boilerplate_properties, properties,
+                           LoadFixedArrayBaseLength(boilerplate_properties),
+                           SKIP_WRITE_BARRIER, SMI_PARAMETERS);

[Toon Verwaest, 2017/03/14 13:27:47]

With black allocation I'm not sure this is safe if the array ends up in old
space. AllocateNameDictionary isn't explicitly allocating in new space, and
could be LOS at least.

[Camillo Bruni, 2017/03/17 16:40:55]

Adding separate helper to make the contract clearer, calling to the runtime for
now, probably a very infrequent case, having large-object properties.

+    StoreObjectField(copy, JSObject::kPropertiesOffset, properties);
+    Goto(&done);
+  }
+  Bind(&done);
+
   // TODO(verwaest): Allocate and fill in double boxes.
   return copy;
 }
 
 void ConstructorBuiltinsAssembler::CreateFastCloneShallowObjectBuiltin(
     int properties_count) {
   DCHECK_GE(properties_count, 0);
   DCHECK_LE(properties_count, kMaximumClonedShallowObjectProperties);
   Label call_runtime(this);
   Node* closure = Parameter(0);
@@ skipping 43 matching lines @@
     case 6:
       return FastCloneShallowObject6();
     default:
       UNREACHABLE();
   }
   return Handle<Code>::null();
 }
 
 }  // namespace internal
 }  // namespace v8