[heap-profiler] remove bogus DCHECK
A map’s `constructor_or_backpointer` can be any kind of value,
because `fn.prototype = foo` sets that field to `foo` if the
latter is not a `JSReceiver`; so the `DCHECK` that is being
removed here was invalid.
Refs: https://github.com/nodejs/node/issues/18223
Bug: node:18223
Change-Id: Ia6449c07bb724e515d73b162369ab36ab1d89c6b
Reviewed-on: https://chromium-review.googlesource.com/874472
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50735}diff --git a/src/profiler/heap-snapshot-generator.cc b/src/profiler/heap-snapshot-generator.cc
index 73263fc..40779d9 100644
--- a/src/profiler/heap-snapshot-generator.cc
+++ b/src/profiler/heap-snapshot-generator.cc
@@ -1113,8 +1113,6 @@
constructor_or_backpointer,
Map::kConstructorOrBackPointerOffset);
} else {
- DCHECK(constructor_or_backpointer->IsJSFunction() ||
- constructor_or_backpointer->IsNull(map->GetIsolate()));
SetInternalReference(map, entry, "constructor", constructor_or_backpointer,
Map::kConstructorOrBackPointerOffset);
}
diff --git a/test/cctest/test-heap-profiler.cc b/test/cctest/test-heap-profiler.cc
index 8a79656..a07c228 100644
--- a/test/cctest/test-heap-profiler.cc
+++ b/test/cctest/test-heap-profiler.cc
@@ -3160,3 +3160,14 @@
heap_profiler->StopSamplingHeapProfiler();
}
+
+TEST(HeapSnapshotPrototypeNotJSReceiver) {
+ LocalContext env;
+ v8::HandleScope scope(env->GetIsolate());
+ v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+ CompileRun(
+ "function object() {}"
+ "object.prototype = 42;");
+ const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot();
+ CHECK(ValidateSnapshot(snapshot));
+}
