-
adamk@chromium.org authored
All JSObjects in V8 either have a map()->constructor() field or are JSFunctions. JSProxy::Fix, however, was not enforcing this, and Object.observe's use of JSObject::GetCreationContext() exposed this. Note that this is not Object.observe-specific: the API call v8::Object::CreationContext() also would have revealed this bug. This patch chooses Object as a reasonable constructor to put on the newly-fixed object's map. Note that this has no effect on the "constructor" property in JS. In doing so, I've also tightened up the code underlying JSProxy::Fix to only support JSObject and JSFunction as possible output types. BUG=405844 LOG=N R=rossberg@chromium.org, verwaest@chromium.org Review URL: https://codereview.chromium.org/505303004 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
71fbe7d4
