v8/test/mjsunit/harmony
adamk@chromium.org 71fbe7d4ec Ensure that JSProxy::Fix gives the generated JSObject map a constructor
All JSObjects in V8 either have a map()->constructor() field or are
JSFunctions. JSProxy::Fix, however, was not enforcing this, and
Object.observe's use of JSObject::GetCreationContext() exposed this.

Note that this is not Object.observe-specific: the API call
v8::Object::CreationContext() also would have revealed this bug.

This patch chooses Object as a reasonable constructor to put on the
newly-fixed object's map. Note that this has no effect on the "constructor"
property in JS. In doing so, I've also tightened up the code underlying
JSProxy::Fix to only support JSObject and JSFunction as possible output
types.

BUG=405844
LOG=N
R=rossberg@chromium.org, verwaest@chromium.org

Review URL: https://codereview.chromium.org/505303004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-27 15:54:23 +00:00
regress Ensure that JSProxy::Fix gives the generated JSObject map a constructor 2014-08-27 15:54:23 +00:00
array-fill.js
array-find.js
array-findindex.js
array-of.js
arrow-functions.js
block-conflicts.js
block-const-assign.js
block-early-errors.js
block-for.js
block-lazy-compile.js
block-leave.js
block-let-crankshaft.js
block-let-declaration.js
block-let-semantics.js
block-scoping.js
dataview-accessors.js
debug-blockscopes.js
debug-evaluate-blockscopes.js
debug-function-scopes.js
empty-for.js
module-linking.js
module-parsing.js
module-recompile.js
module-resolution.js
numeric-literals-off.js
numeric-literals.js
private.js
proxies-example-membrane.js
proxies-for.js
proxies-function.js
proxies-hash.js
proxies-json.js
proxies-symbols.js
proxies-with-unscopables.js
proxies-with.js
proxies.js
set-prototype-of.js
string-codepointat.js
string-contains.js
string-endswith.js
string-fromcodepoint.js
string-repeat.js
string-startswith.js
toMethod.js Implement Function.prototype.toMethod. 2014-08-21 12:39:33 +00:00
typedarrays.js