[crankshaft] Don't inline the fast path for instanceof if the function has a non-instance .prototype
BUG=chromium:666308 Review-Url: https://codereview.chromium.org/2516603002 Cr-Commit-Position: refs/heads/master@{#41105}
This commit is contained in:
parent
7e5755cbc5
commit
0c70f3729e
@ -11209,8 +11209,9 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
|
|||||||
Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
|
Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
|
||||||
// Make sure that the {function} already has a meaningful initial map
|
// Make sure that the {function} already has a meaningful initial map
|
||||||
// (i.e. we constructed at least one instance using the constructor
|
// (i.e. we constructed at least one instance using the constructor
|
||||||
// {function}).
|
// {function}), and has an instance as .prototype.
|
||||||
if (function->has_initial_map()) {
|
if (function->has_initial_map() &&
|
||||||
|
!function->map()->has_non_instance_prototype()) {
|
||||||
// Lookup @@hasInstance on the {function}.
|
// Lookup @@hasInstance on the {function}.
|
||||||
Handle<Map> function_map(function->map(), isolate());
|
Handle<Map> function_map(function->map(), isolate());
|
||||||
PropertyAccessInfo has_instance(
|
PropertyAccessInfo has_instance(
|
||||||
|
9
test/mjsunit/regress/regress-crbug-666308.js
Normal file
9
test/mjsunit/regress/regress-crbug-666308.js
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
// Copyright 2016 the V8 project authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style license that can be
|
||||||
|
// found in the LICENSE file.
|
||||||
|
|
||||||
|
function foo() {}
|
||||||
|
foo.prototype = 1;
|
||||||
|
v = new foo();
|
||||||
|
function bar() { return v instanceof foo; }
|
||||||
|
assertThrows(bar);
|
Loading…
Reference in New Issue
Block a user