[heap-profiler] remove bogus DCHECK

A map’s `constructor_or_backpointer` can be any kind of value, because `fn.prototype = foo` sets that field to `foo` if the latter is not a `JSReceiver`; so the `DCHECK` that is being removed here was invalid. Refs: https://github.com/nodejs/node/issues/18223 Bug: node:18223 Change-Id: Ia6449c07bb724e515d73b162369ab36ab1d89c6b Reviewed-on: https://chromium-review.googlesource.com/874472 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#50735}
2018-01-18 22:22:55 +01:00 · 2018-01-18 22:22:55 +01:00 · 55b48798eb
commit 55b48798eb
parent fb9e22123d
2 changed files with 11 additions and 2 deletions
--- a/src/profiler/heap-snapshot-generator.cc
+++ b/src/profiler/heap-snapshot-generator.cc
@ -1113,8 +1113,6 @@ void V8HeapExplorer::ExtractMapReferences(int entry, Map* map) {
                         constructor_or_backpointer,
                         Map::kConstructorOrBackPointerOffset);
  } else {
-    DCHECK(constructor_or_backpointer->IsJSFunction() ||
-           constructor_or_backpointer->IsNull(map->GetIsolate()));
    SetInternalReference(map, entry, "constructor", constructor_or_backpointer,
                         Map::kConstructorOrBackPointerOffset);
  }
--- a/test/cctest/test-heap-profiler.cc
+++ b/test/cctest/test-heap-profiler.cc
@ -3160,3 +3160,14 @@ TEST(SamplingHeapProfilerLargeInterval) {

  heap_profiler->StopSamplingHeapProfiler();
 }
+
+TEST(HeapSnapshotPrototypeNotJSReceiver) {
+  LocalContext env;
+  v8::HandleScope scope(env->GetIsolate());
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+  CompileRun(
+      "function object() {}"
+      "object.prototype = 42;");
+  const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot();
+  CHECK(ValidateSnapshot(snapshot));
+}