Ensure slow properties for simple {__proto__:null} literals.

src/factory.cc

Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index e19b331491a7a32735c3dae8e3ca42f21bbebfed..78daabafa20b69e4cf8e00c424f68d1776a0dd88 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1833,6 +1833,15 @@ Handle<JSObject> Factory::NewJSObjectFromMap(
       JSObject);
 }
 
+Handle<JSObject> Factory::NewSlowJSObjectFromMap(Handle<Map> map, int capacity,
+                                                 PretenureFlag pretenure) {
+  DCHECK(map->is_dictionary_map());
+  Handle<FixedArray> object_properties =
+      NameDictionary::New(isolate(), capacity);
+  Handle<JSObject> js_object = NewJSObjectFromMap(map, pretenure);
+  js_object->set_properties(*object_properties);
+  return js_object;
+}
 
 Handle<JSArray> Factory::NewJSArray(ElementsKind elements_kind,
                                     PretenureFlag pretenure) {
@@ -2602,12 +2611,17 @@ Handle<JSWeakMap> Factory::NewJSWeakMap() {
   return Handle<JSWeakMap>::cast(NewJSObjectFromMap(map));
 }
 
-
 Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<Context> context,

[Toon Verwaest, 2017/03/14 13:27:47]

Isn't this the native context?

[Camillo Bruni, 2017/03/17 16:40:55]

yup, changed.

                                                int number_of_properties,
+                                               bool has_null_prototype,
                                                bool* is_result_from_cache) {
   const int kMapCacheSize = 128;
 
+  // Ignoring number_of_properties for force dictionary map with __proto__:null.
+  if (has_null_prototype) {
+    *is_result_from_cache = true;
+    return handle(context->slow_object_with_null_prototype_map(), isolate());
+  }
   // We do not cache maps for too many properties or when running builtin code.
   if (number_of_properties > kMapCacheSize ||
       isolate()->bootstrapper()->IsActive()) {