LGTM.

On Tue, May 12, 2009 at 4:18 PM, <[email protected]> wrote:
> Reviewers: Kevin Millikin, > > Description: > Push revision 1914 which fixes crash in generated code for instanceof. > > http://code.google.com/p/v8/issues/detail?id=341 > > > Please review this at http://codereview.chromium.org/113266 > > SVN Base: http://v8.googlecode.com/svn/branches/1.1/ > > Affected files: > M src/api.cc > M src/codegen-ia32.cc > A test/mjsunit/regress/regress-341.js > > > Index: test/mjsunit/regress/regress-341.js > =================================================================== > --- test/mjsunit/regress/regress-341.js (revision 0) > +++ test/mjsunit/regress/regress-341.js (revision 1905) 
> @@ -0,0 +1,36 @@ > +// Copyright 2009 the V8 project authors. All rights reserved. > +// Redistribution and use in source and binary forms, with or without > +// modification, are permitted provided that the following conditions are > +// met: > +// > +// * Redistributions of source code must retain the above copyright > +// notice, this list of conditions and the following disclaimer. > +// * Redistributions in binary form must reproduce the above > +// copyright notice, this list of conditions and the following > +// disclaimer in the documentation and/or other materials provided > +// with the distribution. > +// * Neither the name of Google Inc. nor the names of its > +// contributors may be used to endorse or promote products derived > +// from this software without specific prior written permission. > +// > +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > +// Should not crash. > +// See http://code.google.com/p/v8/issues/detail?id=341 > + > +function F() {} > + > +F.prototype = 1; > +var o = {}; > + > +assertThrows("o instanceof F"); > Index: src/api.cc > =================================================================== > --- src/api.cc (revision 1905) > +++ src/api.cc (working copy) 
> @@ -2373,7 +2373,7 @@ > > > const char* v8::V8::GetVersion() { > - return "1.1.10.10"; > + return "1.1.10.11"; > } > > > Index: src/codegen-ia32.cc > =================================================================== > --- src/codegen-ia32.cc (revision 1905) > +++ src/codegen-ia32.cc (working copy) > @@ -7064,7 +7064,7 @@ > __ j(zero, &slow, not_taken); > > // Check that the left hand is a JS object. > - __ mov(eax, FieldOperand(eax, HeapObject::kMapOffset)); // ebx - object > map > + __ mov(eax, FieldOperand(eax, HeapObject::kMapOffset)); // eax - object > map > __ movzx_b(ecx, FieldOperand(eax, Map::kInstanceTypeOffset)); // ecx - > type > __ cmp(ecx, FIRST_JS_OBJECT_TYPE); > __ j(less, &slow, not_taken); > @@ -7076,6 +7076,8 @@ > __ TryGetFunctionPrototype(edx, ebx, ecx, &slow); > > // Check that the function prototype is a JS object. > + __ test(ebx, Immediate(kSmiTagMask)); > + __ j(zero, &slow, not_taken); > __ mov(ecx, FieldOperand(ebx, HeapObject::kMapOffset)); > __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset)); > __ cmp(ecx, FIRST_JS_OBJECT_TYPE); > > > --~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
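
Review bot: the regression test in test/mjsunit/regress/regress-341.js covers only a small-integer prototype (`F.prototype = 1`), which is the value the new smi test in src/codegen-ia32.cc diverts to `slow`. Consider adding a second case in the same file where `F.prototype` is a non-smi primitive such as a string, so the `cmp(ecx, FIRST_JS_OBJECT_TYPE)` check that follows the new instructions is exercised by the regression test as well.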
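
Review bot: in the `@@ -7076,6 +7076,8 @@` hunk of src/codegen-ia32.cc the two added instructions carry no comment of their own, and "Check that the function prototype is a JS object" does not say why a tag test is needed first. Suggest a one-line comment above `__ test(ebx, Immediate(kSmiTagMask));` noting that a smi prototype must jump to `slow` before `FieldOperand(ebx, HeapObject::kMapOffset)` is read, because with `F.prototype = 1` from the regression test that load would treat a script-supplied integer as a heap pointer. It would also be worth confirming that other code reading the map of the value returned by `TryGetFunctionPrototype` performs the same test.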
