Store correct String.prototype map on the context

The String.prototype was altered after snapshot time (during experimental natives setup), invalidating the stored map used for fast-path checks. BUG= Review-Url: https://codereview.chromium.org/2663303003 Cr-Commit-Position: refs/heads/master@{#42842}

Store correct String.prototype map on the context
The String.prototype was altered after snapshot time (during experimental natives setup), invalidating the stored map used for fast-path checks. BUG= Review-Url: https://codereview.chromium.org/2663303003 Cr-Commit-Position: refs/heads/master@{#42842}
c67dc7e2 · jgruber · Commit bot · ad9dfc09 · c67dc7e2 · c67dc7e2
Commit c67dc7e2 authored Feb 01, 2017 by jgruber Committed by Commit bot Feb 01, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 0 deletions

bootstrapper.cc src/bootstrapper.cc +9 -0

test-heap.cc test/cctest/heap/test-heap.cc +31 -0

No files found.
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -4718,6 +4718,15 @@ Genesis::Genesis(
      if (FLAG_experimental_extras) {
        if (!InstallExperimentalExtraNatives()) return;
      }
+
+      // Store String.prototype's map again in case it has been changed by
+      // experimental natives.
+      Handle<JSFunction> string_function(native_context()->string_function());
+      JSObject* string_function_prototype =
+          JSObject::cast(string_function->initial_map()->prototype());
+      DCHECK(string_function_prototype->HasFastProperties());
+      native_context()->set_string_function_prototype_map(
+          string_function_prototype->map());
    }
    // The serializer cannot serialize typed arrays. Reset those typed arrays
    // for each new context.

--- a/test/cctest/heap/test-heap.cc
+++ b/test/cctest/heap/test-heap.cc
@@ -76,6 +76,37 @@ TEST(HeapMaps) {
  CheckMap(heap->string_map(), STRING_TYPE, kVariableSizeSentinel);
 }

+static void VerifyStoredPrototypeMap(Isolate* isolate,
+                                     int stored_map_context_index,
+                                     int stored_ctor_context_index) {
+  Handle<Context> context = isolate->native_context();
+
+  Handle<Map> this_map(Map::cast(context->get(stored_map_context_index)));
+
+  Handle<JSFunction> fun(
+      JSFunction::cast(context->get(stored_ctor_context_index)));
+  Handle<JSObject> proto(JSObject::cast(fun->initial_map()->prototype()));
+  Handle<Map> that_map(proto->map());
+
+  CHECK(proto->HasFastProperties());
+  CHECK_EQ(*this_map, *that_map);
+}
+
+// Checks that critical maps stored on the context (mostly used for fast-path
+// checks) are unchanged after initialization.
+TEST(ContextMaps) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  HandleScope handle_scope(isolate);
+
+  VerifyStoredPrototypeMap(isolate,
+                           Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX,
+                           Context::STRING_FUNCTION_INDEX);
+  VerifyStoredPrototypeMap(isolate, Context::REGEXP_PROTOTYPE_MAP_INDEX,
+                           Context::REGEXP_FUNCTION_INDEX);
+  VerifyStoredPrototypeMap(isolate, Context::PROMISE_PROTOTYPE_MAP_INDEX,
+                           Context::PROMISE_FUNCTION_INDEX);
+}

 static void CheckOddball(Isolate* isolate, Object* obj, const char* string) {
  CHECK(obj->IsOddball());