deps: V8: cherry-pick a1efa5343880

targos · targos · commit 97c44c49ca3d · 2024-03-20T16:32:11.000+01:00
Original commit message: Merged: [runtime] Set instance prototypes directly on maps Bug: chromium:1452137 (cherry picked from commit c7c447735f762f6d6d0878e229371797845ef4ab) Change-Id: I611c41f942e2e51f3c4b4f1d119c18410617188e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637888 Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Igor Sheludko <ishell@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/branch-heads/11.4@{#47} Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1} Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241} Refs: v8/v8@a1efa53 PR-URL: #50077 Refs: nodejs/nodejs-dependency-vuln-assessments#151 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Richard Lau <rlau@redhat.com>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.35',
+    'v8_embedder_string': '-node.36',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/objects/js-function.cc b/deps/v8/src/objects/js-function.cc
@@ -638,6 +638,10 @@ void SetInstancePrototype(Isolate* isolate, Handle<JSFunction> function,
       // At that point, a new initial map is created and the prototype is put
       // into the initial map where it belongs.
       function->set_prototype_or_initial_map(*value, kReleaseStore);
+      if (value->IsJSObjectThatCanBeTrackedAsPrototype()) {
+        // Optimize as prototype to detach it from its transition tree.
+        JSObject::OptimizeAsPrototype(Handle<JSObject>::cast(value));
+      }
     } else {
       Handle<Map> new_map =
           Map::Copy(isolate, initial_map, "SetInstancePrototype");
@@ -762,8 +766,10 @@ void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) {
   Handle<HeapObject> prototype;
   if (function->has_instance_prototype()) {
     prototype = handle(function->instance_prototype(), isolate);
+    map->set_prototype(*prototype);
   } else {
     prototype = isolate->factory()->NewFunctionPrototype(function);
+    Map::SetPrototype(isolate, map, prototype);
   }
   DCHECK(map->has_fast_object_elements());
 
