From 9bee67509c5837d5fb84cddac133e67d289a0cf7 Mon Sep 17 00:00:00 2001
From: verwaest
Date: Wed, 2 Dec 2015 02:39:33 -0800
Subject: [PATCH] Don't EnsureHasInitialMap on non-constructors.

non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof.
BUG=
Review URL: https://codereview.chromium.org/1490003003
Cr-Commit-Position: refs/heads/master@{#32497}
---
 src/compiler/js-typed-lowering.cc | 3 ++-
 src/crankshaft/hydrogen.cc | 3 ++-
 src/objects.cc | 1 +
 .../regress/regress-ensure-initial-map.js | 22 +++++++++++++++++++
 4 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-ensure-initial-map.js
diff --git a/src/compiler/js-typed-lowering.cc b/src/compiler/js-typed-lowering.cc
index 8285e7e13d..668d4c0eee 100644
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@@ -1150,7 +1150,8 @@ Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) {
 Handle function = Handle::cast(r.right_type()->AsConstant()->Value());
 Handle shared(function->shared(), isolate());
- if (!function->map()->has_non_instance_prototype()) {
+ if (function->IsConstructor() &&
+ !function->map()->has_non_instance_prototype()) {
 JSFunction::EnsureHasInitialMap(function);
 DCHECK(function->has_initial_map());
 Handle initial_map(function->initial_map(), isolate());
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index 2c8a5f2adc..81c6ed4281 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
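Review bot: The new guard `function->IsConstructor() && !function->map()->has_non_instance_prototype()` restates the precondition of `JSFunction::EnsureHasInitialMap` at the call site, but nothing in the hunk says why the first half is needed, and the identical two lines appear again in the hydrogen.cc hunk. Since the DCHECK added in objects.cc is compiled out of release builds, these call-site checks are the only thing preventing a non-constructor from being given an initial map, so the intent is worth pinning at both sites with a comment above the `if`, e.g. `// Non-constructors must never receive an initial map (see JSFunction::EnsureHasInitialMap); they take the generic instanceof path instead.` The enclosing ReduceJSInstanceOf body starts before and ends after this hunk.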
@@ -11459,7 +11459,8 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
 HConstant::cast(right)->handle(isolate())->IsJSFunction()) {
 Handle constructor = Handle::cast(HConstant::cast(right)->handle(isolate()));
- if (!constructor->map()->has_non_instance_prototype()) {
+ if (constructor->IsConstructor() &&
+ !constructor->map()->has_non_instance_prototype()) {
 JSFunction::EnsureHasInitialMap(constructor);
 DCHECK(constructor->has_initial_map());
 Handle initial_map(constructor->initial_map(), isolate());
diff --git a/src/objects.cc b/src/objects.cc
index 3fd653067f..41d85c7c1c 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12524,6 +12524,7 @@ bool CanSubclassHaveInobjectProperties(InstanceType instance_type) {
 void JSFunction::EnsureHasInitialMap(Handle function) {
+ DCHECK(function->IsConstructor() || function->shared()->is_generator());
 if (function->has_initial_map()) return;
 Isolate* isolate = function->GetIsolate();
diff --git a/test/mjsunit/regress/regress-ensure-initial-map.js b/test/mjsunit/regress/regress-ensure-initial-map.js
new file mode 100644
index 0000000000..dbd4762fcd
--- /dev/null
+++ b/test/mjsunit/regress/regress-ensure-initial-map.js
@@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var x = Object.getOwnPropertyDescriptor({get x() {}}, "x").get;
+function f(o, b) {
+ if (b) {
+ return o instanceof x;
+ }
+}
+
+%OptimizeFunctionOnNextCall(f);
+f();
+
+function g() {
+ return new x();
+}
+
+%OptimizeFunctionOnNextCall(g);
+assertThrows(()=>g());
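Review bot: The added `DCHECK(function->IsConstructor() || function->shared()->is_generator())` is the only statement of EnsureHasInitialMap's precondition, and because DCHECK compiles to nothing in release builds the function will still build an initial map for a non-constructor if a caller omits the guard, exactly as the two compiler call sites did before this patch. A one-line comment on the DCHECK would make the contract explicit for the next caller: `// Only constructors and generator functions may own an initial map; callers must check this before calling.` If the invariant should also hold in release builds, a CHECK here would turn a missed call-site guard into a deterministic abort rather than a silently violated invariant; that is a policy choice for the reviewers. The function body continues past the end of the hunk.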
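Review bot: `assertThrows(()=>g())` on the last line accepts any exception, so the test would also pass if `new x()` failed for an unrelated reason; mjsunit's assertThrows takes the expected constructor as its second argument, `assertThrows(()=>g(), TypeError);`, which pins that the getter is rejected as a non-constructor. Separately, `f()` is called with no arguments, so `b` is undefined and the `instanceof` never executes; that is intentional here because the regression is triggered when the optimizer sees `x` as the right-hand side, but a comment such as `// The bug is hit at optimization time; the instanceof itself need not run.` above `f();` would stop someone "fixing" the call later.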