Chromium Code Reviews| Index: src/factory.cc |
| diff --git a/src/factory.cc b/src/factory.cc |
| index 643329cab211bd9bfd3ee46f35c5295d02484e17..5a0770853efe04fe5558c955a839e5feb980b856 100644 |
| --- a/src/factory.cc |
| +++ b/src/factory.cc |
| @@ -1777,20 +1777,19 @@ Handle<JSProxy> Factory::NewJSFunctionProxy(Handle<Object> handler, |
| } |
| -void Factory::ReinitializeJSReceiver(Handle<JSReceiver> object, |
| - InstanceType type, |
| - int size) { |
| - DCHECK(type >= FIRST_JS_OBJECT_TYPE); |
| +void Factory::ReinitializeJSProxy(Handle<JSProxy> proxy, InstanceType type, |
| + int size) { |
| + DCHECK(type == JS_OBJECT_TYPE || type == JS_FUNCTION_TYPE); |
| // Allocate fresh map. |
| // TODO(rossberg): Once we optimize proxies, cache these maps. |
| Handle<Map> map = NewMap(type, size); |
| // Check that the receiver has at least the size of the fresh object. |
| - int size_difference = object->map()->instance_size() - map->instance_size(); |
| + int size_difference = proxy->map()->instance_size() - map->instance_size(); |
| DCHECK(size_difference >= 0); |
| - map->set_prototype(object->map()->prototype()); |
| + map->set_prototype(proxy->map()->prototype()); |
| // Allocate the backing storage for the properties. |
| int prop_size = map->InitialPropertiesLength(); |
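Review bot: The size precondition `DCHECK(size_difference >= 0);` is still debug-only, so if it were ever violated a release build would go on to reinitialize the proxy in place under a map whose instance size is larger than the memory the proxy occupies. Now that the function accepts only `Handle<JSProxy>` and two instance types, the check is cheap enough to enforce unconditionally with `CHECK(size_difference >= 0);`. The comment above it still says "receiver" and would read better as `// Check that the proxy has at least the size of the fresh object.`. The function body continues past this hunk, and the proxy allocation sizes that establish the invariant are not visible here.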
| @@ -1811,24 +1810,31 @@ void Factory::ReinitializeJSReceiver(Handle<JSReceiver> object, |
| // Put in filler if the new object is smaller than the old. |
| if (size_difference > 0) { |
| - Address address = object->address(); |
| + Address address = proxy->address(); |
| heap->CreateFillerObjectAt(address + map->instance_size(), size_difference); |
| heap->AdjustLiveBytes(address, -size_difference, Heap::FROM_MUTATOR); |
| } |
| // Reset the map for the object. |
| - object->synchronized_set_map(*map); |
| - Handle<JSObject> jsobj = Handle<JSObject>::cast(object); |
| + proxy->synchronized_set_map(*map); |
| + Handle<JSObject> jsobj = Handle<JSObject>::cast(proxy); |
| // Reinitialize the object from the constructor map. |
| heap->InitializeJSObjectFromMap(*jsobj, *properties, *map); |
| + // The current native context is used to set up certain bits. |
| + // TODO(adamk): Using the current context seems wrong, it should be whatever |
| + // context the JSProxy originated in. But that context isn't stored anywhere. |
|
Toon Verwaest
2014/08/27 09:54:34
And I think shouldn't be stored anywhere...
|
| + Handle<Context> context(isolate()->native_context()); |
| + |
| // Functions require some minimal initialization. |
| if (type == JS_FUNCTION_TYPE) { |
| map->set_function_with_prototype(true); |
| - Handle<JSFunction> js_function = Handle<JSFunction>::cast(object); |
| - Handle<Context> context(isolate()->native_context()); |
| + Handle<JSFunction> js_function = Handle<JSFunction>::cast(proxy); |
| InitializeFunction(js_function, shared.ToHandleChecked(), context); |
| + } else { |
| + // Provide JSObjects with a constructor. |
| + map->set_constructor(context->object_function()); |
| } |
| } |
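Review bot: The added `map->set_constructor(context->object_function());` in the else branch, like `map->set_function_with_prototype(true);` before it, modifies the fresh map after `proxy->synchronized_set_map(*map);` has already installed it on the object. If that synchronized store exists because another thread can read the map (not visible here), a reader may see the published map without its constructor. Completing the map first closes that window: hoist the `Handle<Context> context(...)` line and both map setters above `proxy->synchronized_set_map(*map);`, leaving only the `InitializeFunction(...)` call after it, provided `InitializeJSObjectFromMap` does not depend on the constructor being unset. The function starts before this hunk, where `properties` and `shared` are set up.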
| @@ -1866,13 +1872,13 @@ void Factory::ReinitializeJSGlobalProxy(Handle<JSGlobalProxy> object, |
| } |
| -void Factory::BecomeJSObject(Handle<JSReceiver> object) { |
| - ReinitializeJSReceiver(object, JS_OBJECT_TYPE, JSObject::kHeaderSize); |
| +void Factory::BecomeJSObject(Handle<JSProxy> proxy) { |
| + ReinitializeJSProxy(proxy, JS_OBJECT_TYPE, JSObject::kHeaderSize); |
| } |
| -void Factory::BecomeJSFunction(Handle<JSReceiver> object) { |
| - ReinitializeJSReceiver(object, JS_FUNCTION_TYPE, JSFunction::kSize); |
| +void Factory::BecomeJSFunction(Handle<JSProxy> proxy) { |
| + ReinitializeJSProxy(proxy, JS_FUNCTION_TYPE, JSFunction::kSize); |
| } |