Ensure slow properties for simple {__proto__:null} literals.

src/builtins/builtins-constructor-gen.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ast/ast.h"
 #include "src/builtins/builtins-constructor.h"
 #include "src/builtins/builtins-utils-gen.h"
 #include "src/builtins/builtins.h"
 #include "src/code-factory.h"
 #include "src/code-stub-assembler.h"
@@ skipping 626 matching lines @@
 
 Node* ConstructorBuiltinsAssembler::EmitFastCloneShallowObject(
     Label* call_runtime, Node* closure, Node* literals_index,
     Node* properties_count) {
   Node* cell = LoadObjectField(closure, JSFunction::kFeedbackVectorOffset);
   Node* feedback_vector = LoadObjectField(cell, Cell::kValueOffset);
   Node* allocation_site = LoadFixedArrayElement(
       feedback_vector, literals_index, 0, CodeStubAssembler::SMI_PARAMETERS);
   GotoIf(IsUndefined(allocation_site), call_runtime);
 
+  Node* boilerplate =
+      LoadObjectField(allocation_site, AllocationSite::kTransitionInfoOffset);
+  Node* boilerplate_map = LoadMap(boilerplate);
+  Variable properties(this, MachineRepresentation::kTagged,
+                      EmptyFixedArrayConstant());
+  // Directly copy over the property store for dict-mode boilerplates.
+  Label dict_properties(this), allocate_object(this);
+  Branch(IsDictionaryMap(boilerplate_map), &dict_properties, &allocate_object);
+  Bind(&dict_properties);
+  {
+    properties.Bind(
+        CopyNameDictionary(LoadProperties(boilerplate), call_runtime));
+    Goto(&allocate_object);
+  }
+  Bind(&allocate_object);
+
   // Calculate the object and allocation size based on the properties count.
   Node* object_size = IntPtrAdd(WordShl(properties_count, kPointerSizeLog2),
                                 IntPtrConstant(JSObject::kHeaderSize));
   Node* allocation_size = object_size;
   if (FLAG_allocation_site_pretenuring) {
     allocation_size =
         IntPtrAdd(object_size, IntPtrConstant(AllocationMemento::kSize));
   }
-  Node* boilerplate =
-      LoadObjectField(allocation_site, AllocationSite::kTransitionInfoOffset);
-  Node* boilerplate_map = LoadMap(boilerplate);
+
   Node* instance_size = LoadMapInstanceSize(boilerplate_map);
   Node* size_in_words = WordShr(object_size, kPointerSizeLog2);
   GotoIfNot(WordEqual(instance_size, size_in_words), call_runtime);
 
   Node* copy = AllocateInNewSpace(allocation_size);
 
+  StoreObjectFieldNoWriteBarrier(copy, JSObject::kPropertiesOffset,
+                                 properties.value());

[Toon Verwaest, 2017/03/20 14:47:11]

Isn't this field overwritten by the initialization loop below, effectively
sharing the "empty dictionary" between all boilerplate copies?

   // Copy boilerplate elements.
   Variable offset(this, MachineType::PointerRepresentation());
   offset.Bind(IntPtrConstant(-kHeapObjectTag));
   Node* end_offset = IntPtrAdd(object_size, offset.value());
   Label loop_body(this, &offset), loop_check(this, &offset);
   // We should always have an object size greater than zero.
   Goto(&loop_body);
   Bind(&loop_body);
   {
     // The Allocate above guarantees that the copy lies in new space. This
@@ skipping 58 matching lines @@
 SHALLOW_OBJECT_BUILTIN(0);
 SHALLOW_OBJECT_BUILTIN(1);
 SHALLOW_OBJECT_BUILTIN(2);
 SHALLOW_OBJECT_BUILTIN(3);
 SHALLOW_OBJECT_BUILTIN(4);
 SHALLOW_OBJECT_BUILTIN(5);
 SHALLOW_OBJECT_BUILTIN(6);
 
 }  // namespace internal
 }  // namespace v8