Commit e239045

fhinkelevanlucas
authored andcommitted
deps: cherry-pick 2aa070be from V8 upstream
Original commit message: InstanceOfStub incorrectly interprets the hole as a prototype. Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. R=verwaest@chromium.org BUG= Committed: https://crrev.com/2aa070be4fd2960df98905b254f12ed801ef26cd Cr-Commit-Position: refs/heads/master@{#34863} This fixes the behavior of instanceof when the second parameter is not a constructor. Fixes: #7592 PR-URL: #7638 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
1 parent 71f84b5 commit e239045

7 files changed

+30
-5
lines changed

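--- a/deps/v8/src/arm/code-stubs-arm.cc
+++ b/deps/v8/src/arm/code-stubs-arm.cc
@@ -1358,8 +1358,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ CompareObjectType(function, function_map, scratch, JS_FUNCTION_TYPE);
 __ b(ne, &slow_case);
 
-// Ensure that {function} has an instance prototype.
+// Go to the runtime if the function is not a constructor.
 __ ldrb(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset));
+__ tst(scratch, Operand(1 << Map::kIsConstructor));
+__ b(eq, &slow_case);
+
+// Ensure that {function} has an instance prototype.
 __ tst(scratch, Operand(1 << Map::kHasNonInstancePrototype));
 __ b(ne, &slow_case);
 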
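Review bot: The new comment `// Go to the runtime if the function is not a constructor.` says what the added `tst`/`b(eq, &slow_case)` pair does but not why it has to sit before the `kHasNonInstancePrototype` check, which is the actual bug being fixed: per the commit message, for a non-constructor the prototype slot holds the hole and the stub previously read it as a prototype. Suggest `// Non-constructors have no instance prototype (the slot holds the hole),` / `// so this check must precede the prototype checks below.` so the ordering is not silently undone by a later reshuffle. The same comment applies to the identical additions in the arm64, ia32, mips, mips64 and x64 hunks. InstanceOfStub::Generate begins and ends outside this hunk.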

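--- a/deps/v8/src/arm64/code-stubs-arm64.cc
+++ b/deps/v8/src/arm64/code-stubs-arm64.cc
@@ -1544,8 +1544,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ JumpIfNotObjectType(function, function_map, scratch, JS_FUNCTION_TYPE,
 &slow_case);
 
-// Ensure that {function} has an instance prototype.
+// Go to the runtime if the function is not a constructor.
 __ Ldrb(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset));
+__ Tbz(scratch, Map::kIsConstructor, &slow_case);
+
+// Ensure that {function} has an instance prototype.
 __ Tbnz(scratch, Map::kHasNonInstancePrototype, &slow_case);
 
 // Get the "prototype" (or initial map) of the {function}.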

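--- a/deps/v8/src/ia32/code-stubs-ia32.cc
+++ b/deps/v8/src/ia32/code-stubs-ia32.cc
@@ -2110,6 +2110,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
 __ j(not_equal, &slow_case);
 
+// Go to the runtime if the function is not a constructor.
+__ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
+static_cast<uint8_t>(1 << Map::kIsConstructor));
+__ j(zero, &slow_case);
+
 // Ensure that {function} has an instance prototype.
 __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
 static_cast<uint8_t>(1 << Map::kHasNonInstancePrototype));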

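--- a/deps/v8/src/mips/code-stubs-mips.cc
+++ b/deps/v8/src/mips/code-stubs-mips.cc
@@ -1492,8 +1492,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ GetObjectType(function, function_map, scratch);
 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE));
 
-// Ensure that {function} has an instance prototype.
+// Go to the runtime if the function is not a constructor.
 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset));
+__ And(at, scratch, Operand(1 << Map::kIsConstructor));
+__ Branch(&slow_case, eq, at, Operand(zero_reg));
+
+// Ensure that {function} has an instance prototype.
 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype));
 __ Branch(&slow_case, ne, at, Operand(zero_reg));
 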

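--- a/deps/v8/src/mips64/code-stubs-mips64.cc
+++ b/deps/v8/src/mips64/code-stubs-mips64.cc
@@ -1488,8 +1488,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ GetObjectType(function, function_map, scratch);
 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE));
 
-// Ensure that {function} has an instance prototype.
+// Go to the runtime if the function is not a constructor.
 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset));
+__ And(at, scratch, Operand(1 << Map::kIsConstructor));
+__ Branch(&slow_case, eq, at, Operand(zero_reg));
+
+// Ensure that {function} has an instance prototype.
 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype));
 __ Branch(&slow_case, ne, at, Operand(zero_reg));
 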

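--- a/deps/v8/src/x64/code-stubs-x64.cc
+++ b/deps/v8/src/x64/code-stubs-x64.cc
@@ -2069,6 +2069,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
 __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
 __ j(not_equal, &slow_case);
 
+// Go to the runtime if the function is not a constructor.
+__ testb(FieldOperand(function_map, Map::kBitFieldOffset),
+Immediate(1 << Map::kIsConstructor));
+__ j(zero, &slow_case);
+
 // Ensure that {function} has an instance prototype.
 __ testb(FieldOperand(function_map, Map::kBitFieldOffset),
 Immediate(1 << Map::kHasNonInstancePrototype));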

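--- a/deps/v8/test/mjsunit/regress/regress-crbug-573858.js
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-573858.js
@@ -9,7 +9,7 @@ var throw_type_error = Object.getOwnPropertyDescriptor(
 
 function create_initial_map() { this instanceof throw_type_error }
 %OptimizeFunctionOnNextCall(create_initial_map);
-create_initial_map();
+assertThrows(create_initial_map);
 
 function test() { new throw_type_error }
 %OptimizeFunctionOnNextCall(test);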
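Review bot: `assertThrows(create_initial_map)` pins the fix only for the case where the right-hand side is the %ThrowTypeError% intrinsic, and none of the seven files in this commit adds a test for an ordinary non-constructor function, which is the behaviour the description says is being fixed. A one-line mjsunit addition such as `assertThrows(() => ({}) instanceof (() => {}), TypeError);` would exercise the stub's new `kIsConstructor` bailout directly; a Node-side regression test for #7592, if one exists, is not part of this commit. Passing the expected error type to `assertThrows` here would also make the existing assertion stricter.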
