Status: Assigned
Owner: [email protected]
Labels: Type-Bug Priority-Medium
New issue 4133 by [email protected]: instanceof broken in crankshaft
https://code.google.com/p/v8/issues/detail?id=4133
There's an invalid one-element cache in Crankshaft that breaks when you do either of the following:
1) Swap an indirect prototype that (somewhere) points to
constructor.prototype.
// Repro 1: cut the prototype chain above `o` after test() has been optimized.
// assertTrue/assertFalse are not defined in this snippet (presumably V8's mjsunit
// helpers); %OptimizeFunctionOnNextCall is a V8 native and needs --allow-natives-syntax.
function f() {};
function test(o) { return o instanceof f };
// Chain: o -> {} -> (new f()) -> f.prototype, so f.prototype is reached only indirectly.
var o = {__proto__:{__proto__:new f()}};
// Calls made before optimization is requested (presumably to warm up the instanceof site).
assertTrue(test(o));
assertTrue(test(o));
assertTrue(test(o));
%OptimizeFunctionOnNextCall(test);
// First call after the optimization request; the chain is still intact, so true is correct.
assertTrue(test(o));
// Detach the f instance from the chain: f.prototype is no longer reachable from o.
o.__proto__.__proto__ = null;
// Must be false now. The issue reports that Crankshaft's one-element cache makes
// instanceof misbehave after this kind of indirect prototype swap.
assertFalse(test(o));
2) Change constructor.prototype itself.
// Repro 2: replace constructor.prototype itself after test() has been optimized.
// assertTrue/assertFalse are not defined in this snippet (presumably V8's mjsunit
// helpers); %OptimizeFunctionOnNextCall is a V8 native and needs --allow-natives-syntax.
function f() {};
function test(o) { return o instanceof f; }
// o's prototype is the original f.prototype object.
var o = new f();
// Calls made before optimization is requested (presumably to warm up the instanceof site).
assertTrue(test(o));
assertTrue(test(o));
assertTrue(test(o));
%OptimizeFunctionOnNextCall(test);
// First call after the optimization request; f.prototype is unchanged, so true is correct.
assertTrue(test(o));
// Rebind f.prototype to a fresh object; o still points at the old prototype object.
f.prototype = {};
// Must be false now: the new f.prototype is not on o's chain. The issue reports that
// Crankshaft's one-element cache makes instanceof misbehave after this change.
assertFalse(test(o));