Commit 7a3cb59f authored by Camillo Bruni's avatar Camillo Bruni Committed by Commit Bot

Fix Reflect.construct with constructors without a prototype slot

Bug: chromium:907714
Change-Id: Ie8eacff1b12ec74faa392a1d2c8545f873ab13a1
Reviewed-on: https://chromium-review.googlesource.com/c/1351023
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57866}
parent 3a437ce4
...@@ -13383,6 +13383,8 @@ namespace { ...@@ -13383,6 +13383,8 @@ namespace {
bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target, bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target,
Handle<JSFunction> constructor, Handle<JSFunction> constructor,
Handle<Map> constructor_initial_map) { Handle<Map> constructor_initial_map) {
// Use the default intrinsic prototype instead.
if (!new_target->has_prototype_slot()) return false;
// Check that |function|'s initial map still in sync with the |constructor|, // Check that |function|'s initial map still in sync with the |constructor|,
// otherwise we must create a new initial map for |function|. // otherwise we must create a new initial map for |function|.
if (new_target->has_initial_map() && if (new_target->has_initial_map() &&
...@@ -13457,9 +13459,14 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate, ...@@ -13457,9 +13459,14 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
Handle<Object> prototype; Handle<Object> prototype;
if (new_target->IsJSFunction()) { if (new_target->IsJSFunction()) {
Handle<JSFunction> function = Handle<JSFunction>::cast(new_target); Handle<JSFunction> function = Handle<JSFunction>::cast(new_target);
// Make sure the new.target.prototype is cached. if (function->has_prototype_slot()) {
EnsureHasInitialMap(function); // Make sure the new.target.prototype is cached.
prototype = handle(function->prototype(), isolate); EnsureHasInitialMap(function);
prototype = handle(function->prototype(), isolate);
} else {
// No prototype property, use the intrinsict default proto further down.
prototype = isolate->factory()->undefined_value();
}
} else { } else {
Handle<String> prototype_string = isolate->factory()->prototype_string(); Handle<String> prototype_string = isolate->factory()->prototype_string();
ASSIGN_RETURN_ON_EXCEPTION( ASSIGN_RETURN_ON_EXCEPTION(
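Review bot: The two added guards in `FastInitializeDerivedMap` and `JSFunction::GetDerivedMap` encode the same precondition, that a `new_target` without a prototype slot must never reach `EnsureHasInitialMap` or `function->prototype()`, but neither comment states it. I would word the first as `// |new_target| has no prototype slot and so no initial map; bail out so the caller uses the default intrinsic prototype.` and the second as `// No prototype slot: leave |prototype| undefined so the intrinsic default proto is used further down.`, which also fixes the `intrinsict` typo. The fallback that consumes the undefined value lies outside the hunk, so its existence is assumed from the comment; both function bodies continue past the visible lines.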
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function target() {};
for (let key of Object.getOwnPropertyNames(this)) {
try {
let newTarget = this[key];
let arg = target;
Reflect.construct(target, arg, newTarget);
} catch {}
}
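Review bot: The empty `catch {}` around `Reflect.construct(target, arg, newTarget)` swallows every exception, so this test can only fail by crashing, and nothing in the file says that this is the intent. A header comment such as `// Regression test: Reflect.construct must not crash when newTarget has no prototype slot; TypeErrors for non-constructor globals are expected.` would record that. The `// Flags: --allow-natives-syntax` line looks unnecessary, since no `%` natives call appears in the file. Coverage also depends on whichever properties the global object happens to expose, so an explicit case for one constructor known to lack a prototype slot would pin the regression more firmly.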