Author: [EMAIL PROTECTED]
Date: Wed Oct 8 07:03:53 2008
New Revision: 471
Modified:
branches/bleeding_edge/src/codegen-ia32.cc
branches/bleeding_edge/src/stub-cache-ia32.cc
branches/bleeding_edge/test/mjsunit/instanceof.js
Log:
Make sure to check that the function prototype is a
real JavaScript object before looking for it in the
prototype chain during instanceof checks.
Review URL: http://codereview.chromium.org/6579
Modified: branches/bleeding_edge/src/codegen-ia32.cc
==============================================================================
--- branches/bleeding_edge/src/codegen-ia32.cc (original)
+++ branches/bleeding_edge/src/codegen-ia32.cc Wed Oct 8 07:03:53 2008
@@ -5304,6 +5304,14 @@
__ mov(edx, Operand(esp, 1 * kPointerSize)); // 1 ~ return address
__ TryGetFunctionPrototype(edx, ebx, ecx, &slow);
+ // Check that the function prototype is a JS object.
+ __ mov(ecx, FieldOperand(ebx, HeapObject::kMapOffset));
+ __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
+ __ cmp(ecx, FIRST_JS_OBJECT_TYPE);
+ __ j(less, &slow, not_taken);
+ __ cmp(ecx, LAST_JS_OBJECT_TYPE);
+ __ j(greater, &slow, not_taken);
+
// Register mapping: eax is object map and ebx is function prototype.
__ mov(ecx, FieldOperand(eax, Map::kPrototypeOffset));
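Review bot: The new check loads `FieldOperand(ebx, HeapObject::kMapOffset)` without first confirming that ebx holds a heap object, so a Smi prototype (e.g. `F.prototype = 42`) would dereference a tagged integer as a pointer before the instance-type range test ever runs. Unless TryGetFunctionPrototype already bails out to `slow` for Smi results, which is not visible in this hunk, a Smi guard belongs directly before the map load: `__ test(ebx, Immediate(kSmiTagMask));` followed by `__ j(zero, &slow, not_taken);`. A short comment such as `// A smi has no map; let the runtime throw the TypeError.` would record why the guard precedes the type check. The enclosing function and the `slow` label both lie outside this hunk.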
Modified: branches/bleeding_edge/src/stub-cache-ia32.cc
==============================================================================
--- branches/bleeding_edge/src/stub-cache-ia32.cc (original)
+++ branches/bleeding_edge/src/stub-cache-ia32.cc Wed Oct 8 07:03:53 2008
@@ -232,7 +232,6 @@
Register scratch1,
Register scratch2,
Label* miss_label) {
-
__ TryGetFunctionPrototype(receiver, scratch1, scratch2, miss_label);
__ mov(eax, Operand(scratch1));
__ ret(0);
Modified: branches/bleeding_edge/test/mjsunit/instanceof.js
==============================================================================
--- branches/bleeding_edge/test/mjsunit/instanceof.js (original)
+++ branches/bleeding_edge/test/mjsunit/instanceof.js Wed Oct 8 07:03:53
2008
@@ -64,7 +64,7 @@
true,
'string', new String('hest'),
{}, [],
- F, new F(),
+ F, new F(),
Object, String ];
var exceptions = 0;
@@ -82,6 +82,12 @@
}
assertEquals(10, instanceofs);
assertEquals(88, exceptions);
+
+ // Make sure to throw an exception if the function prototype
+ // isn't a proper JavaScript object.
+ function G() { }
+ G.prototype = undefined;
+ assertThrows("({} instanceof G)");
}
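Review bot: The new test only covers `G.prototype = undefined`, while the generated code rejects every instance type outside the JS-object range, so the other rejected shapes go unexercised. Adding the same assertion for a small integer and for null, `G.prototype = 42; assertThrows("({} instanceof G)");` and `G.prototype = null; assertThrows("({} instanceof G)");`, would pin the primitive (Smi) and oddball paths that this check is meant to send to the slow case. If this version of mjsunit's assertThrows accepts an expected error type, checking for TypeError would also tighten the test, but that signature is not visible here. The enclosing TestExceptions() function starts outside the hunk.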
TestExceptions();