want support for CONSTANT_FUNCTION fields #87

Open
davepacheco opened this issue Mar 15, 2017 · 0 comments

Comments

@davepacheco (Contributor)
@arekinath ran into a case where ::jsprint wasn't printing the "ch_callback" property on an object even though it exists on the object. In the source, the property is unconditionally added in the constructor and never changed.

From Alex:

```
> a2da61c1::jsprint ch_callback
undefined
```

But if we look at the instance descriptors, it's there:

```
> a2da61c1::v8print
a2da61c1 JSObject {
    a2da61c1 JSReceiver {
        a2da61c1 HeapObject < Object  {
            a2da61c0 map = 9a2c9cb9 (Map)
        }
    }
    a2da61c4 properties = a2dc0e65 (FixedArray)
    a2da61c8 elements = af7080a1 (FixedArray)
}
```

```
> 9a2c9cb9::v8print
9a2c9cb9 Map {
    9a2c9cb9 HeapObject < Object  {
        9a2c9cb8 map = 83c080a5 (Map)
    }
    9a2c9cbc instance_size = 0x18
    9a2c9cbd inobject_properties = 0x15
    9a2c9cc0 instance_attributes = 0xaa
    9a2c9cc2 bit_field = ""
    9a2c9cc3 bit_field2 = "-�E�uEF���,��]ڢ��p�������
    "
    9a2c9cc4 prototype = 9245ef2d (JSObject: Object)
    9a2c9cc8 constructor = 92464575 (JSFunction)
    9a2c9ccc transitions = 9a2c9c95 (Map)
    9a2c9cd0 instance_descriptors = a2da5d81 (FixedArray)
    9a2c9cd4 code_cache = af7080a1 (FixedArray)
    9a2c9cd8 bit_field3 = 401cffe (SMI: value = 33613823)
}
```

```
> a2da5d81::v8array | ::jsprint -ad0
38: 28
0: 0
997daf81: "ch_claimTimeout"
180102: 786561
0: 0
997daf9d: "ch_pool"
680202: 3408129
2: 1
997dafe9: "ch_throwError"
a00302: 5243265
4: 2
997db025: "ch_claimStack"
d00402: 6816257
6: 3
997db07d: "ch_callback"
d80504: 7078530
bc2d8189: function <anonymous> (as b)
...
```

I found that if you use the undocumented "::jsprint -v", mdb_v8 reports that this is an object whose properties use the "properties" array:

```
> a2da61c1::jsprint -d1 -v
{
    "ch_claimTimeout": Inf,
    "ch_pool": [...],
    "ch_throwError": true,
    "ch_claimStack": [...],
    "ch_log": [...],
    "ch_slot": [...],
    "ch_releaseStack": undefined,
    "ch_connection": [...],
    "ch_preListeners": [...],
    "ch_cancelled": false,
    "ch_lastError": undefined,
    "fsm_id": "rCF6Nbbe38Y",
    "fsm_clsname": "CueBallClaimHandle",
    "fsm_history": [...],
    "fsm_handle": [...],
    "fsm_inTransition": false,
    "fsm_allStateEvents": [...],
    "fsm_state": "claimed",
    "fsm_toEmit": [...],
    "domain": null,
    "_events": [...],
    "_maxListeners": 10,
    "fsm_nextState": undefined,
    "parser": [...],
    "_httpMessage": [...],
}
property kind: in-object "properties" array
```

but that only has a few property values, and definitely not the value of ch_callback:

```
> a2dc0e65::v8array | ::jsprint -ad0
14: 10
90e08091: undefined
a2dd6c29: [...]
a2dd6c39: [...]
90e08091: undefined
90e08091: undefined
```

I dug into this a bit more and found that the reason mdb_v8 skips "ch_callback" is because its property type is not "field". The property type is indicated by the low bits (0x7) in the content field of the property descriptor, which is itself an SMI. In this case, the content field is d80504. As an SMI value, that's 6c0282, so those bits are just 2. Rather than being a property type FIELD, that's CONSTANT_FUNCTION. We'd have to dig into the V8 source a bit more to know for sure, but it seems like for this type of property, the value is just directly inside the instance descriptors and we can pull it out easily.
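The decoding described above, worked through on the descriptor entries from the dump as an added example (not mdb_v8's code and not part of the issue). It assumes 32-bit V8 SMI tagging (tag bit 0 clear, value in the upper 31 bits), that `FIELD` is type 1 and `CONSTANT_FUNCTION` is type 2 in the V8 `PropertyType` enum of that era (the page confirms 2), and that for `FIELD` entries the value slot holds the field index as an SMI (0, 1, 2, 3 in the dump):

```python
# Constructed from the "a2da5d81::v8array" output above: (key addr, key name, details word, value word)
DESCRIPTORS = [
    (0x997daf81, "ch_claimTimeout", 0x180102, 0x0),
    (0x997daf9d, "ch_pool", 0x680202, 0x2),
    (0x997dafe9, "ch_throwError", 0xa00302, 0x4),
    (0x997db025, "ch_claimStack", 0xd00402, 0x6),
    (0x997db07d, "ch_callback", 0xd80504, 0xbc2d8189),
]

# Assumed PropertyType values for V8 of this era (page confirms 2 == CONSTANT_FUNCTION).
TYPE_NAMES = {0: "NORMAL", 1: "FIELD", 2: "CONSTANT_FUNCTION", 3: "CALLBACKS"}
TYPE_MASK = 0x7  # low three bits of the untagged details value

def is_smi(word):
    """32-bit V8: a word with tag bit 0 clear is an SMI, otherwise a heap pointer."""
    return (word & 1) == 0

def smi_value(word):
    """Untag a 32-bit SMI (signed 31-bit value stored in the upper bits)."""
    value = (word >> 1) & 0x7FFFFFFF
    return value - (1 << 31) if (word & 0x80000000) else value

def decode_descriptor(name, details_word, value_word):
    """Return what the descriptor says about one property and where its value lives."""
    if not is_smi(details_word):
        raise ValueError("details word %#x is not an SMI" % details_word)
    ptype = smi_value(details_word) & TYPE_MASK
    entry = {"name": name, "type": TYPE_NAMES.get(ptype, "UNKNOWN(%d)" % ptype)}
    if ptype == 1:
        # FIELD: value slot is an SMI index into the object's property storage.
        entry["field_index"] = smi_value(value_word)
    elif ptype == 2:
        # CONSTANT_FUNCTION: value slot is the JSFunction pointer itself,
        # so the value can be read straight out of the descriptor array.
        entry["value_addr"] = value_word
    return entry

def decode_all(descriptors=DESCRIPTORS):
    return {name: decode_descriptor(name, d, v) for _, name, d, v in descriptors}

if __name__ == "__main__":
    for entry in decode_all().values():
        print(entry)
```

Running it shows why `::jsprint` found nothing: only `ch_callback` has a non-FIELD type, and its function pointer sits in the descriptor array rather than in the "properties" array.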

I'm not sure why V8 used this type of property here and we haven't seen this elsewhere, or if we just never noticed (which I find a little hard to believe).

There's a dump for this at /dap/stor/drop/core.16089.
