deps: V8: cherry-pick a1efa5343880
Original commit message:

    Merged: [runtime] Set instance prototypes directly on maps

    Bug: chromium:1452137
    (cherry picked from commit c7c447735f762f6d6d0878e229371797845ef4ab)

    Change-Id: I611c41f942e2e51f3c4b4f1d119c18410617188e
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637888
    Commit-Queue: Igor Sheludko <[email protected]>
    Auto-Submit: Igor Sheludko <[email protected]>
    Commit-Queue: Toon Verwaest <[email protected]>
    Reviewed-by: Toon Verwaest <[email protected]>
    Cr-Commit-Position: refs/branch-heads/11.4@{#47}
    Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1}
    Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241}

Refs: v8/v8@a1efa53
PR-URL: #50077
Refs: nodejs/nodejs-dependency-vuln-assessments#151
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
targos committed Nov 21, 2023
1 parent 68cddd7 commit 0c40b51
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion common.gypi
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.20',
'v8_embedder_string': '-node.21',

##### V8 defaults for Node.js #####
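
Review bot: the 'v8_embedder_string' bump to '-node.21' follows the rule in the comment above it (increment by one per non-official patch applied to deps/v8), but that rule means every V8 backport edits this same line. Before landing, check that no other in-flight cherry-pick on this branch has already taken '-node.21'; if one has, rebase and bump again so that two different deps/v8 states never share one embedder string.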

6 changes: 6 additions & 0 deletions deps/v8/src/objects/js-function.cc
Expand Up @@ -676,6 +676,10 @@ void SetInstancePrototype(Isolate* isolate, Handle<JSFunction> function,
// At that point, a new initial map is created and the prototype is put
// into the initial map where it belongs.
function->set_prototype_or_initial_map(*value, kReleaseStore);
if (value->IsJSObjectThatCanBeTrackedAsPrototype()) {
// Optimize as prototype to detach it from its transition tree.
JSObject::OptimizeAsPrototype(Handle<JSObject>::cast(value));
}
} else {
Handle<Map> new_map =
Map::Copy(isolate, initial_map, "SetInstancePrototype");
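
Review bot: the new OptimizeAsPrototype call in the no-initial-map branch of SetInstancePrototype lands without a regression test; the commit changes only common.gypi and js-function.cc. Since the commit message ties the change to chromium:1452137, a test that sets a function's prototype before its initial map exists would keep this branch covered. The inline comment ("Optimize as prototype to detach it from its transition tree") says what the call does but not why this path needs it; one more sentence on what goes wrong when the stored prototype stays in its transition tree would help the next reader.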
Expand Down Expand Up @@ -801,8 +805,10 @@ void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) {
Handle<HeapObject> prototype;
if (function->has_instance_prototype()) {
prototype = handle(function->instance_prototype(), isolate);
map->set_prototype(*prototype);
} else {
prototype = isolate->factory()->NewFunctionPrototype(function);
Map::SetPrototype(isolate, map, prototype);
}
DCHECK(map->has_fast_object_elements());
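
Review bot: in EnsureHasInitialMap the two branches now set the map's prototype through different calls, `map->set_prototype(*prototype);` when the function already has an instance prototype and `Map::SetPrototype(isolate, map, prototype);` for a freshly created one, and nothing in the hunk explains the difference. If the direct setter is safe because SetInstancePrototype has already run OptimizeAsPrototype on the stored value, say so in a comment on the first branch. The SetInstancePrototype hunk only does that when IsJSObjectThatCanBeTrackedAsPrototype() holds, so the comment should also state why values that fail that check are fine here.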
