Don't EnsureHasInitialMap on non-constructors.

non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof. BUG= Review URL: https://codereview.chromium.org/1490003003 Cr-Commit-Position: refs/heads/master@{#32497}
2015-12-02 02:39:33 -08:00 · 2015-12-02 02:39:33 -08:00 · 9bee67509c
commit 9bee67509c
parent e478a8ac39
4 changed files with 27 additions and 2 deletions
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@ -1150,7 +1150,8 @@ Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) {
    Handle<JSFunction> function =
        Handle<JSFunction>::cast(r.right_type()->AsConstant()->Value());
    Handle<SharedFunctionInfo> shared(function->shared(), isolate());
-    if (!function->map()->has_non_instance_prototype()) {
+    if (function->IsConstructor() &&
+        !function->map()->has_non_instance_prototype()) {
      JSFunction::EnsureHasInitialMap(function);
      DCHECK(function->has_initial_map());
      Handle<Map> initial_map(function->initial_map(), isolate());
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@ -11459,7 +11459,8 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
        HConstant::cast(right)->handle(isolate())->IsJSFunction()) {
      Handle<JSFunction> constructor =
          Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
-      if (!constructor->map()->has_non_instance_prototype()) {
+      if (constructor->IsConstructor() &&
+          !constructor->map()->has_non_instance_prototype()) {
        JSFunction::EnsureHasInitialMap(constructor);
        DCHECK(constructor->has_initial_map());
        Handle<Map> initial_map(constructor->initial_map(), isolate());
--- a/src/objects.cc
+++ b/src/objects.cc
@ -12524,6 +12524,7 @@ bool CanSubclassHaveInobjectProperties(InstanceType instance_type) {


 void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) {
+  DCHECK(function->IsConstructor() || function->shared()->is_generator());
  if (function->has_initial_map()) return;
  Isolate* isolate = function->GetIsolate();

--- a/test/mjsunit/regress/regress-ensure-initial-map.js
+++ b/test/mjsunit/regress/regress-ensure-initial-map.js
@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var x = Object.getOwnPropertyDescriptor({get x() {}}, "x").get;
+function f(o, b) {
+  if (b) {
+    return o instanceof x;
+  }
+}
+
+%OptimizeFunctionOnNextCall(f);
+f();
+
+function g() {
+  return new x();
+}
+
+%OptimizeFunctionOnNextCall(g);
+assertThrows(()=>g());