Ensure slow properties for simple {__proto__:null} literals.

src/runtime/runtime-object.cc

Index: src/runtime/runtime-object.cc
diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc
index 7d301bfa20f96235fd181e96bc00bc7e3143bff9..2b8c553547691b570fdfa98cf99ac8356d386e4a 100644
--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -244,18 +244,12 @@ RUNTIME_FUNCTION(Runtime_ObjectCreate) {
   Handle<Map> map =
       Map::GetObjectCreateMap(Handle<HeapObject>::cast(prototype));
 
-  bool is_dictionary_map = map->is_dictionary_map();
-  Handle<FixedArray> object_properties;
-  if (is_dictionary_map) {
-    // Allocate the actual properties dictionay up front to avoid invalid object
-    // state.
-    object_properties =
-        NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
-  }
   // Actually allocate the object.
-  Handle<JSObject> object = isolate->factory()->NewJSObjectFromMap(map);
-  if (is_dictionary_map) {
-    object->set_properties(*object_properties);
+  Handle<JSObject> object;
+  if (!map->is_dictionary_map()) {

[Toon Verwaest, 2017/03/14 13:27:48]

swap branches and drop ! ;)

[Camillo Bruni, 2017/03/17 16:40:55]

done.

+    object = isolate->factory()->NewJSObjectFromMap(map);
+  } else {
+    object = isolate->factory()->NewSlowJSObjectFromMap(map);
   }
 
   // Define the properties if properties was specified and is not undefined.