Implement Function.prototype.toMethod.

src/heap/heap.cc

Index: src/heap/heap.cc
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index fd08c8292f812c8c3084fb699eb9f65dcc98b4a7..6881be085e73df5d23a7055e27302663d0cbc537 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2877,6 +2877,7 @@ void Heap::CreateInitialObjects() {
   set_observed_symbol(*factory->NewPrivateSymbol());
   set_stack_trace_symbol(*factory->NewPrivateSymbol());
   set_uninitialized_symbol(*factory->NewPrivateSymbol());
+  set_home_object_symbol(*factory->NewPrivateOwnSymbol());
 
   Handle<SeededNumberDictionary> slow_element_dictionary =
       SeededNumberDictionary::New(isolate(), 0, TENURED);
@@ -3679,10 +3680,6 @@ AllocationResult Heap::AllocateJSObject(JSFunction* constructor,
 
 
 AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite* site) {
-  // Never used to copy functions.  If functions need to be copied we
-  // have to be careful to clear the literals array.
-  SLOW_DCHECK(!source->IsJSFunction());
-
   // Make the clone.
   Map* map = source->map();
   int object_size = map->instance_size();
@@ -3756,6 +3753,29 @@ AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite* site) {
     }
     JSObject::cast(clone)->set_properties(prop, wb_mode);
   }
+
+  // Clean up literals array.
+  if (source->IsJSFunction()) {

[Toon Verwaest, 2014/08/18 14:15:35]

Are you sure this works? What code object does this get? What if it's optimized?
If we also become optimized, will we get notified in case the function
deoptimizes?

Can you just make a specialized JSFunction::Copy(), that preferably uses
NewFunctionFromSharedFunctionInfo, but additionally copies over properties and
prototype?

[Dmitry Lomov (no reviews), 2014/08/19 13:47:42]

You are quite right, it is easy to write a test that crashes. JSFunction::Copy
is a way to go I guess. Another way would be to properly wire up the
JSFunction's clone into the functions' list etc. but that would break whenever
that logic changes because people will forget to update the cloning logic
(people will forget to update JSFunction::Copy logic as well that that might
just be a less frequent change)

+    SLOW_DCHECK(clone->IsJSFunction());
+    JSFunction* source_fun = JSFunction::cast(source);
+    JSFunction* clone_fun = JSFunction::cast(clone);
+    SharedFunctionInfo* info = source_fun->shared();
+    if (!info->bound()) {
+      int num_literals = info->num_literals();
+      HeapObject* obj;
+      {
+        AllocationResult allocation = AllocateFixedArrayWithFiller(
+            num_literals, NOT_TENURED, undefined_value());
+        if (!allocation.To(&obj)) return allocation;
+      }
+      FixedArray* new_literals = FixedArray::cast(obj);
+      if (num_literals > 0) {
+        new_literals->set(JSFunction::kLiteralNativeContextIndex,
+            JSFunction::NativeContextFromLiterals(source_fun->literals()));
+      }
+      clone_fun->set_literals(new_literals);
+    }
+  }
   // Return the new clone.
   return clone;
 }