LGTM On Wed, Oct 8, 2008 at 4:00 PM, <[EMAIL PROTECTED]> wrote:
> Reviewers: Erik Corry,
>
> Description:
> Make sure to check that the function prototype is a
> real JavaScript object before looking for it in the
> prototype chain during instanceof checks.
>
> Please review this at http://codereview.chromium.org/6579
>
> Affected files:
> M src/codegen-ia32.cc
> M src/stub-cache-ia32.cc
> M test/mjsunit/instanceof.js
>
>
> Index: test/mjsunit/instanceof.js
> ===================================================================
> --- test/mjsunit/instanceof.js (revision 470)
> +++ test/mjsunit/instanceof.js (working copy)
> @@ -60,11 +60,14 @@
>
> function TestExceptions() {
> function F() { }
> + function G() { }
> + G.prototype = undefined;
> var items = [ 1, new Number(42),
> true,
> 'string', new String('hest'),
> {}, [],
> - F, new F(),
> + F, new F(),
> + G, new G(),
> Object, String ];
>
> var exceptions = 0;
> @@ -80,8 +83,8 @@
> }
> }
> }
> - assertEquals(10, instanceofs);
> - assertEquals(88, exceptions);
> + assertEquals(12, instanceofs);
> + assertEquals(130, exceptions);
> }
>
> TestExceptions();
> Index: src/stub-cache-ia32.cc
> ===================================================================
> --- src/stub-cache-ia32.cc (revision 470)
> +++ src/stub-cache-ia32.cc (working copy)
> @@ -232,7 +232,6 @@
> Register scratch1,
> Register scratch2,
> Label* miss_label) {
> -
> __ TryGetFunctionPrototype(receiver, scratch1, scratch2, miss_label);
> __ mov(eax, Operand(scratch1));
> __ ret(0);
> Index: src/codegen-ia32.cc
> ===================================================================
> --- src/codegen-ia32.cc (revision 470)
> +++ src/codegen-ia32.cc (working copy)
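Review bot: The new G only covers a prototype of `undefined`; a primitive number prototype such as `H.prototype = 42` is another non-object value that `instanceof` must reject, and it is presumably represented differently from `undefined` inside the engine, so adding `function H() { } H.prototype = 42;` with `H, new H(),` to `items` would exercise the stub's new map-based check on a value the current list never produces. The expected counts in the second hunk (`12`/`130`) are hard-coded, so every extra item needs them recomputed; a short comment stating how they derive from `items.length` would keep the next change honest. TestExceptions's loop body lies between the two hunks and is not shown.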
> @@ -5304,6 +5304,14 @@
> __ mov(edx, Operand(esp, 1 * kPointerSize)); // 1 ~ return address
> __ TryGetFunctionPrototype(edx, ebx, ecx, &slow);
>
> + // Check that the function prototype is a JS object.
> + __ mov(ecx, FieldOperand(ebx, HeapObject::kMapOffset));
> + __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
> + __ cmp(ecx, FIRST_JS_OBJECT_TYPE);
> + __ j(less, &slow, not_taken);
> + __ cmp(ecx, LAST_JS_OBJECT_TYPE);
> + __ j(greater, &slow, not_taken);
> +
> // Register mapping: eax is object map and ebx is function prototype.
> __ mov(ecx, FieldOperand(eax, Map::kPrototypeOffset));
>
>
> -- Erik Corry, Software Engineer Google Denmark ApS. CVR nr. 28 86 69 84 c/o Philip & Partners, 7 Vognmagergade, P.O. Box 2227, DK-1018 Copenhagen K, Denmark. --~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
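Review bot: The added check reads `FieldOperand(ebx, HeapObject::kMapOffset)` straight after `TryGetFunctionPrototype` with no Smi test on ebx, and the accompanying test only gives G an `undefined` prototype, which is a heap object. If the helper can hand back a small-integer prototype (say `G.prototype = 42`) — its body is outside this hunk, so I cannot confirm either way — that map load dereferences an untagged integer in generated code instead of reaching `slow`. Adding `__ test(ebx, Immediate(kSmiTagMask)); __ j(zero, &slow, not_taken);` ahead of the `mov` makes the stub safe regardless and costs two instructions on a path that already branches twice; if the helper is known to reject Smis, record that in the comment instead, e.g. `// Check that the function prototype is a JS object (TryGetFunctionPrototype never yields a Smi here).` The enclosing function starts and ends outside this hunk.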
