71fbe7d4ec
All JSObjects in V8 either have a map()->constructor() field or are JSFunctions. JSProxy::Fix, however, was not enforcing this, and Object.observe's use of JSObject::GetCreationContext() exposed this. Note that this is not Object.observe-specific: the API call v8::Object::CreationContext() also would have revealed this bug. This patch chooses Object as a reasonable constructor to put on the newly-fixed object's map. Note that this has no effect on the "constructor" property in JS. In doing so, I've also tightened up the code underlying JSProxy::Fix to only support JSObject and JSFunction as possible output types. BUG=405844 LOG=N R=rossberg@chromium.org, verwaest@chromium.org Review URL: https://codereview.chromium.org/505303004 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
14 lines
510 B
JavaScript
14 lines
510 B
JavaScript
// Copyright 2014 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
//
|
|
// Flags: --harmony-proxies
|
|
|
|
var proxy = Proxy.create({ fix: function() { return {}; } });
|
|
Object.preventExtensions(proxy);
|
|
Object.observe(proxy, function(){});
|
|
|
|
var functionProxy = Proxy.createFunction({ fix: function() { return {}; } }, function(){});
|
|
Object.preventExtensions(functionProxy);
|
|
Object.observe(functionProxy, function(){});
|