[v8-dev] Install the constructor property on custom prototype before optimizing it as a prototype (issue 725593002 by verwaest@chromium.org)

[verwaest]

Reviewers: Igor Sheludko,

Message:
PTAL
Description:
Install the constructor property on custom prototype before optimizing it  
as a
prototype

BUG=

Please review this at https://codereview.chromium.org/725593002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+22, -25 lines):
  M src/factory.h
  M src/factory.cc


Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index  
26be6afac0b9cff4f09dda945501f49595c837cb..969973c3251cd0a300d5122e2c9b64eaefeead47  
100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1308,12 +1308,11 @@ Handle<JSFunction>  
Factory::NewFunction(Handle<String> name,
 }


-Handle<JSFunction> Factory::NewFunction(Handle<String> name,
-                                        Handle<Code> code,
+Handle<JSFunction> Factory::NewFunction(Handle<String> name, Handle<Code>  
code,
                                         Handle<Object> prototype,
-                                        InstanceType type,
-                                        int instance_size,
-                                        bool read_only_prototype) {
+                                        InstanceType type, int  
instance_size,
+                                        bool read_only_prototype,
+                                        bool install_constructor) {
   // Allocate the function
   Handle<JSFunction> function = NewFunction(
       name, code, prototype, read_only_prototype);
@@ -1321,8 +1320,13 @@ Handle<JSFunction>  
Factory::NewFunction(Handle<String> name,
   ElementsKind elements_kind =
       type == JS_ARRAY_TYPE ? FAST_SMI_ELEMENTS : FAST_HOLEY_SMI_ELEMENTS;
   Handle<Map> initial_map = NewMap(type, instance_size, elements_kind);
-  if (prototype->IsTheHole() && !function->shared()->is_generator()) {
-    prototype = NewFunctionPrototype(function);
+  if (!function->shared()->is_generator()) {
+    if (prototype->IsTheHole()) {
+      prototype = NewFunctionPrototype(function);
+    } else if (install_constructor) {
+      JSObject::AddProperty(Handle<JSObject>::cast(prototype),
+                            constructor_string(), function, DONT_ENUM);
+    }
   }

   JSFunction::SetInitialMap(function, initial_map,
@@ -2278,8 +2282,8 @@ Handle<JSFunction> Factory::CreateApiFunction(
         break;
     }

-    result = NewFunction(empty_string(), code, prototype, type,
-                         instance_size, obj->read_only_prototype());
+    result = NewFunction(empty_string(), code, prototype, type,  
instance_size,
+                         obj->read_only_prototype(), true);
   }

   result->shared()->set_length(obj->length());
@@ -2299,19 +2303,13 @@ Handle<JSFunction> Factory::CreateApiFunction(
     return result;
   }

-  if (prototype->IsTheHole()) {
 #ifdef DEBUG
-    LookupIterator it(handle(JSObject::cast(result->prototype())),
-                      constructor_string(),
-                      LookupIterator::OWN_SKIP_INTERCEPTOR);
-    MaybeHandle<Object> maybe_prop = Object::GetProperty(&it);
-    DCHECK(it.IsFound());
-    DCHECK(maybe_prop.ToHandleChecked().is_identical_to(result));
+  LookupIterator it(handle(JSObject::cast(result->prototype())),
+                    constructor_string(),  
LookupIterator::OWN_SKIP_INTERCEPTOR);
+  MaybeHandle<Object> maybe_prop = Object::GetProperty(&it);
+  DCHECK(it.IsFound());
+  DCHECK(maybe_prop.ToHandleChecked().is_identical_to(result));
 #endif
-  } else {
-    JSObject::AddProperty(handle(JSObject::cast(result->prototype())),
-                          constructor_string(), result, DONT_ENUM);
-  }

   // Down from here is only valid for API functions that can be used as a
   // constructor (don't set the "remove prototype" flag).
Index: src/factory.h
diff --git a/src/factory.h b/src/factory.h
index  
14158232916c16a1f2cbc5b73f119246f2684886..a87f78b617dfbd9316c1a9c040413f98496a1737  
100644
--- a/src/factory.h
+++ b/src/factory.h
@@ -485,12 +485,11 @@ class Factory FINAL {
       Handle<Context> context,
       PretenureFlag pretenure = TENURED);

-  Handle<JSFunction> NewFunction(Handle<String> name,
-                                 Handle<Code> code,
-                                 Handle<Object> prototype,
-                                 InstanceType type,
+  Handle<JSFunction> NewFunction(Handle<String> name, Handle<Code> code,
+                                 Handle<Object> prototype, InstanceType  
type,
                                  int instance_size,
-                                 bool read_only_prototype = false);
+                                 bool read_only_prototype = false,
+                                 bool install_constructor = false);
   Handle<JSFunction> NewFunction(Handle<String> name,
                                  Handle<Code> code,
                                  InstanceType type,


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.