Bootstrapper::DetachGlobal also needs to unset global_proxy's constructor to remove...
author dcarney@chromium.org <dcarney@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 18 Jul 2014 06:05:59 +0000 (06:05 +0000)
committer dcarney@chromium.org <dcarney@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 18 Jul 2014 06:05:59 +0000 (06:05 +0000)
DetachGlobal detaches original context of a global proxy object.

Before this patch, the constructor JSFunction still carried a reference to the old context after the |Bootstrapper::DetachGlobal| call.
This patch removes the reference by setting the constructor to null.

TEST=http/tests/security/isolatedWorld w/ --enable-leak-detection
LOG=N
BUG=364377
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/397953009

Patch from Kouhei Ueno <kouhei@chromium.org>.

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22460 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/bootstrapper.cc

index aaa0f3f7e521d4bf63263d48e658a8649ce7e429..0dfe3a3f7a4024f8d47b4b4162f821491f951833 100644 (file)
@@ -355,6 +355,7 @@ void Bootstrapper::DetachGlobal(Handle<Context> env) {
   Handle<JSGlobalProxy> global_proxy(JSGlobalProxy::cast(env->global_proxy()));
   global_proxy->set_native_context(*factory->null_value());
   SetObjectPrototype(global_proxy, factory->null_value());
+  global_proxy->map()->set_constructor(*factory->null_value());
 }
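Review bot: The added `global_proxy->map()->set_constructor(...)` mutates the map in place rather than a field on the proxy object itself, so this is only safe if the global proxy's map is owned by this proxy alone; if the map were shared with any other object, that object would silently lose its constructor too. Please add a short comment above the new line stating both the intent (drop the last reference from the detached proxy to the old context so leak detection passes, per the commit message) and the uniqueness assumption on the map, since the two preceding lines that null out `native_context` and the prototype carry no explanation of the invariant this function is establishing.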