From f732ccd0056e45f2aa3b78736d73390671cd45fe Mon Sep 17 00:00:00 2001 From: Toon Verwaest Date: Fri, 16 Jun 2023 17:13:52 +0200 Subject: [PATCH] Merged: [runtime] Set instance prototypes directly on maps Bug: chromium:1452137 (cherry picked from commit c7c447735f762f6d6d0878e229371797845ef4ab) Change-Id: I022863daf8da14feb68862b45bf3d3504a25540c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637890 Reviewed-by: Toon Verwaest Auto-Submit: Igor Sheludko Commit-Queue: Toon Verwaest Commit-Queue: Igor Sheludko Cr-Commit-Position: refs/branch-heads/11.5@{#20} Cr-Branched-From: 0c4044b7336787781646e48b2f98f0c7d1b400a5-refs/heads/11.5.150@{#1} Cr-Branched-From: b71d3038a7d99c79e1c21239e8ae07da5fc8c90b-refs/heads/main@{#87781} --- src/objects/js-function.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/objects/js-function.cc b/src/objects/js-function.cc index 62e21a99c04c..63efffa94fe1 100644 --- a/src/objects/js-function.cc +++ b/src/objects/js-function.cc @@ -676,6 +676,10 @@ void SetInstancePrototype(Isolate* isolate, Handle function, // At that point, a new initial map is created and the prototype is put // into the initial map where it belongs. function->set_prototype_or_initial_map(*value, kReleaseStore); + if (value->IsJSObjectThatCanBeTrackedAsPrototype()) { + // Optimize as prototype to detach it from its transition tree. + JSObject::OptimizeAsPrototype(Handle::cast(value)); + } } else { Handle new_map = Map::Copy(isolate, initial_map, "SetInstancePrototype"); @@ -808,8 +812,10 @@ void JSFunction::EnsureHasInitialMap(Handle function) { Handle prototype; if (function->has_instance_prototype()) { prototype = handle(function->instance_prototype(), isolate); + map->set_prototype(*prototype); } else { prototype = isolate->factory()->NewFunctionPrototype(function); + Map::SetPrototype(isolate, map, prototype); } DCHECK(map->has_fast_object_elements());