Ensure slow properties for simple {__proto__:null} literals.

src/factory.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/factory.h"
 
 #include "src/accessors.h"
 #include "src/allocation-site-scopes.h"
 #include "src/ast/ast.h"
 #include "src/base/bits.h"
@@ skipping 1815 matching lines @@
     Handle<AllocationSite> allocation_site) {
   CALL_HEAP_FUNCTION(
       isolate(),
       isolate()->heap()->AllocateJSObjectFromMap(
           *map,
           pretenure,
           allocation_site.is_null() ? NULL : *allocation_site),
       JSObject);
 }
 
+Handle<JSObject> Factory::NewSlowJSObjectFromMap(Handle<Map> map, int capacity,
+                                                 PretenureFlag pretenure) {
+  DCHECK(map->is_dictionary_map());
+  Handle<FixedArray> object_properties =
+      NameDictionary::New(isolate(), capacity);
+  Handle<JSObject> js_object = NewJSObjectFromMap(map, pretenure);
+  js_object->set_properties(*object_properties);
+  return js_object;
+}
 
 Handle<JSArray> Factory::NewJSArray(ElementsKind elements_kind,
                                     PretenureFlag pretenure) {
   Map* map = isolate()->get_initial_js_array_map(elements_kind);
   if (map == nullptr) {
     Context* native_context = isolate()->context()->native_context();
     JSFunction* array_function = native_context->array_function();
     map = array_function->initial_map();
   }
   return Handle<JSArray>::cast(NewJSObjectFromMap(handle(map), pretenure));
@@ skipping 749 matching lines @@
 
 
 Handle<JSWeakMap> Factory::NewJSWeakMap() {
   // TODO(adamk): Currently the map is only created three times per
   // isolate. If it's created more often, the map should be moved into the
   // strong root list.
   Handle<Map> map = NewMap(JS_WEAK_MAP_TYPE, JSWeakMap::kSize);
   return Handle<JSWeakMap>::cast(NewJSObjectFromMap(map));
 }
 
-
 Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<Context> context,

[Toon Verwaest, 2017/03/14 13:27:47]

Isn't this the native context?

[Camillo Bruni, 2017/03/17 16:40:55]

yup, changed.

                                                int number_of_properties,
+                                               bool has_null_prototype,
                                                bool* is_result_from_cache) {
   const int kMapCacheSize = 128;
 
+  // Ignoring number_of_properties for force dictionary map with __proto__:null.
+  if (has_null_prototype) {
+    *is_result_from_cache = true;
+    return handle(context->slow_object_with_null_prototype_map(), isolate());
+  }
   // We do not cache maps for too many properties or when running builtin code.
   if (number_of_properties > kMapCacheSize ||
       isolate()->bootstrapper()->IsActive()) {
     *is_result_from_cache = false;
     Handle<Map> map = Map::Create(isolate(), number_of_properties);
     return map;
   }
   *is_result_from_cache = true;
   if (number_of_properties == 0) {
     // Reuse the initial map of the Object function if the literal has no
@@ skipping 253 matching lines @@
     Handle<AccessorInfo> prototype =
         Accessors::FunctionPrototypeInfo(isolate(), rw_attribs);
     Descriptor d = Descriptor::AccessorConstant(
         Handle<Name>(Name::cast(prototype->name())), prototype, rw_attribs);
     map->AppendDescriptor(&d);
   }
 }
 
 }  // namespace internal
 }  // namespace v8