Fix instance type check in apply optimization.

We accidentally compared a map address with an instance type. This fix additionally avoids an upper bounds check that is not needed. Review URL: http://codereview.chromium.org/149003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2272 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-25 11:35:03 +00:00 · 2009-06-25 11:35:03 +00:00 · a5331d6426
commit a5331d6426
parent 617fa455a6
2 changed files with 13 additions and 2 deletions
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@ -2184,10 +2184,14 @@ void CodeGenerator::CallApplyLazy(Property* apply,
      __ test(receiver.reg(), Immediate(kSmiTagMask));
      build_args.Branch(zero);
      Result tmp = allocator_->Allocate();
+      // We allow all JSObjects including JSFunctions.  As long as
+      // JS_FUNCTION_TYPE is the last instance type and it is right
+      // after LAST_JS_OBJECT_TYPE, we do not have to check the upper
+      // bound.
+      ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
+      ASSERT(JS_FUNCTION_TYPE == LAST_JS_OBJECT_TYPE + 1);
      __ CmpObjectType(receiver.reg(), FIRST_JS_OBJECT_TYPE, tmp.reg());
      build_args.Branch(less);
-      __ cmp(tmp.reg(), LAST_JS_OBJECT_TYPE);
-      build_args.Branch(greater);
    }

    // Verify that we're invoking Function.prototype.apply.
--- a/test/mjsunit/arguments-apply.js
+++ b/test/mjsunit/arguments-apply.js
@ -80,6 +80,13 @@ assertTrue(this === NonObjectReceiver(null));
 assertTrue(this === NonObjectReceiver(void 0));


+function FunctionReceiver() {
+  return ReturnReceiver.apply(Object, arguments);
+}
+
+assertTrue(Object === FunctionReceiver());
+
+
 function ShadowApply() {
  function f() { return 42; }
  f.apply = function() { return 87; }