Ensure slow properties for simple {__proto__:null} literals.

src/factory.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/factory.h"
 
 #include "src/accessors.h"
 #include "src/allocation-site-scopes.h"
 #include "src/ast/ast.h"
 #include "src/base/bits.h"
@@ skipping 1845 matching lines @@
     Handle<AllocationSite> allocation_site) {
   CALL_HEAP_FUNCTION(
       isolate(),
       isolate()->heap()->AllocateJSObjectFromMap(
           *map,
           pretenure,
           allocation_site.is_null() ? NULL : *allocation_site),
       JSObject);
 }
 
+Handle<JSObject> Factory::NewSlowJSObjectFromMap(Handle<Map> map, int capacity,
+                                                 PretenureFlag pretenure) {
+  DCHECK(map->is_dictionary_map());
+  Handle<FixedArray> object_properties =
+      NameDictionary::New(isolate(), capacity);
+  Handle<JSObject> js_object = NewJSObjectFromMap(map, pretenure);
+  js_object->set_properties(*object_properties);
+  return js_object;
+}
 
 Handle<JSArray> Factory::NewJSArray(ElementsKind elements_kind,
                                     PretenureFlag pretenure) {
   Map* map = isolate()->get_initial_js_array_map(elements_kind);
   if (map == nullptr) {
     Context* native_context = isolate()->context()->native_context();
     JSFunction* array_function = native_context->array_function();
     map = array_function->initial_map();
   }
   return Handle<JSArray>::cast(NewJSObjectFromMap(handle(map), pretenure));
@@ skipping 780 matching lines @@
 
 
 Handle<JSWeakMap> Factory::NewJSWeakMap() {
   // TODO(adamk): Currently the map is only created three times per
   // isolate. If it's created more often, the map should be moved into the
   // strong root list.
   Handle<Map> map = NewMap(JS_WEAK_MAP_TYPE, JSWeakMap::kSize);
   return Handle<JSWeakMap>::cast(NewJSObjectFromMap(map));
 }
 
-
-Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<Context> context,
+Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<Context> native_context,
                                                int number_of_properties,
-                                               bool* is_result_from_cache) {
+                                               bool has_null_prototype) {
+  DCHECK(native_context->IsNativeContext());
   const int kMapCacheSize = 128;
 
+  // Ignoring number_of_properties for force dictionary map with __proto__:null.

[Toon Verwaest, 2017/04/26 12:28:15]

It's kinda silly to pass has_null_prototype through here if we're just returning
something from the native context. What about moving this branch outside and
only calling ObjectLiteralMapFromCache if we're retrieving it from the cache?

[Camillo Bruni, 2017/04/27 09:39:41]

you're right, pulled check up and removed args.

+  if (has_null_prototype) {
+    return handle(native_context->slow_object_with_null_prototype_map(),
+                  isolate());
+  }
   // We do not cache maps for too many properties or when running builtin code.
-  if (number_of_properties > kMapCacheSize ||
-      isolate()->bootstrapper()->IsActive()) {
-    *is_result_from_cache = false;
-    Handle<Map> map = Map::Create(isolate(), number_of_properties);
-    return map;
+  if (isolate()->bootstrapper()->IsActive()) {
+    return Map::Create(isolate(), number_of_properties);
   }
-  *is_result_from_cache = true;
+  // Use initial slow object proto map for too many properties.
+  if (number_of_properties > kMapCacheSize) {
+    return handle(native_context->slow_object_with_object_prototype_map(),
+                  isolate());
+  }
   if (number_of_properties == 0) {
     // Reuse the initial map of the Object function if the literal has no
     // predeclared properties.
-    return handle(context->object_function()->initial_map(), isolate());
+    return handle(native_context->object_function()->initial_map(), isolate());
   }
 
   int cache_index = number_of_properties - 1;
-  Handle<Object> maybe_cache(context->map_cache(), isolate());
+  Handle<Object> maybe_cache(native_context->map_cache(), isolate());
   if (maybe_cache->IsUndefined(isolate())) {
     // Allocate the new map cache for the native context.
     maybe_cache = NewFixedArray(kMapCacheSize, TENURED);
-    context->set_map_cache(*maybe_cache);
+    native_context->set_map_cache(*maybe_cache);
   } else {
     // Check to see whether there is a matching element in the cache.
     Handle<FixedArray> cache = Handle<FixedArray>::cast(maybe_cache);
     Object* result = cache->get(cache_index);
     if (result->IsWeakCell()) {
       WeakCell* cell = WeakCell::cast(result);
       if (!cell->cleared()) {
-        return handle(Map::cast(cell->value()), isolate());
+        Map* map = Map::cast(cell->value());
+        DCHECK(!map->is_dictionary_map());
+        return handle(map, isolate());
       }
     }
   }
   // Create a new map and add it to the cache.
   Handle<FixedArray> cache = Handle<FixedArray>::cast(maybe_cache);
   Handle<Map> map = Map::Create(isolate(), number_of_properties);
+  DCHECK(!map->is_dictionary_map());
   Handle<WeakCell> cell = NewWeakCell(map);
   cache->set(cache_index, *cell);
   return map;
 }
 
 
 void Factory::SetRegExpAtomData(Handle<JSRegExp> regexp,
                                 JSRegExp::Type type,
                                 Handle<String> source,
                                 JSRegExp::Flags flags,
@@ skipping 219 matching lines @@
     Handle<AccessorInfo> prototype =
         Accessors::FunctionPrototypeInfo(isolate(), rw_attribs);
     Descriptor d = Descriptor::AccessorConstant(
         Handle<Name>(Name::cast(prototype->name())), prototype, rw_attribs);
     map->AppendDescriptor(&d);
   }
 }
 
 }  // namespace internal
 }  // namespace v8