Reviewers: Erik Corry,

Description:
Make sure to check that the function prototype is a
real JavaScript object before looking for it in the
prototype chain during instanceof checks.

Please review this at http://codereview.chromium.org/6579

Affected files:
   M     src/codegen-ia32.cc
   M     src/stub-cache-ia32.cc
   M     test/mjsunit/instanceof.js


Index: test/mjsunit/instanceof.js
===================================================================
--- test/mjsunit/instanceof.js  (revision 470)
+++ test/mjsunit/instanceof.js  (working copy)
@@ -60,11 +60,14 @@

  function TestExceptions() {
    function F() { }
+  function G() { }
+  G.prototype = undefined;
    var items = [ 1, new Number(42),
                  true,
                  'string', new String('hest'),
                  {}, [],
-                F, new F(),
+                F, new F(),
+                G, new G(),
                  Object, String ];

    var exceptions = 0;
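Review bot: The new G case only exercises a non-object prototype that is a heap value (`undefined`); a prototype set to a small integer or a string is the other shape the codegen change must reject, and neither is covered here. Adding two more constructors to `items`, e.g. `function H() { }` with `H.prototype = 42;` and `function K() { }` with `K.prototype = 'x';` (and adjusting the expected counts in the following hunk), would pin the behaviour for tagged-integer prototypes rather than only for oddballs. TestExceptions continues past the end of this hunk.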
@@ -80,8 +83,8 @@
        }
      }
    }
-  assertEquals(10, instanceofs);
-  assertEquals(88, exceptions);
+  assertEquals(12, instanceofs);
+  assertEquals(130, exceptions);
  }

  TestExceptions();
Index: src/stub-cache-ia32.cc
===================================================================
--- src/stub-cache-ia32.cc      (revision 470)
+++ src/stub-cache-ia32.cc      (working copy)
@@ -232,7 +232,6 @@
                                                   Register scratch1,
                                                   Register scratch2,
                                                   Label* miss_label) {
-
    __ TryGetFunctionPrototype(receiver, scratch1, scratch2, miss_label);
    __ mov(eax, Operand(scratch1));
    __ ret(0);
Index: src/codegen-ia32.cc
===================================================================
--- src/codegen-ia32.cc (revision 470)
+++ src/codegen-ia32.cc (working copy)
@@ -5304,6 +5304,14 @@
    __ mov(edx, Operand(esp, 1 * kPointerSize));  // 1 ~ return address
    __ TryGetFunctionPrototype(edx, ebx, ecx, &slow);

+  // Check that the function prototype is a JS object.
+  __ mov(ecx, FieldOperand(ebx, HeapObject::kMapOffset));
+  __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
+  __ cmp(ecx, FIRST_JS_OBJECT_TYPE);
+  __ j(less, &slow, not_taken);
+  __ cmp(ecx, LAST_JS_OBJECT_TYPE);
+  __ j(greater, &slow, not_taken);
+
    // Register mapping: eax is object map and ebx is function prototype.
    __ mov(ecx, FieldOperand(eax, Map::kPrototypeOffset));
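Review bot: The map load on the first added line (`FieldOperand(ebx, HeapObject::kMapOffset)`) assumes ebx holds a heap object, but nothing in the hunk rules out a Smi there; if TryGetFunctionPrototype can hand back a prototype that was assigned a number (a case the new test does not cover, it only uses `undefined`), this dereferences a tagged integer. A Smi check ahead of the map load keeps that case on the slow path: `__ test(ebx, Immediate(kSmiTagMask));` followed by `__ j(zero, &slow, not_taken);`. The comment would also be more useful if it said why the slow path is taken, e.g. `// Check that the function prototype is a JS object; anything else is left to the runtime (which, judging by the test's exception counts, throws).` The enclosing function begins and ends outside this hunk.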



