[torque] Check for prototype before loading it

Add a missing check for a prototype to GetDerivedMap. Bug: chromium:999310 Change-Id: I99c342a53e3b95bb7b624ff14c1c40576ee629df Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776092 Auto-Submit: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#63473}
2019-08-30 09:48:40 +02:00 · 2019-08-30 09:48:40 +02:00 · bdcc7502cb
commit bdcc7502cb
parent 2a099bfaf7
3 changed files with 12 additions and 0 deletions
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@ -368,10 +368,16 @@ macro NewJSObject(implicit context: Context)(): JSObject {
  };
 }

+extern macro HasPrototypeSlot(JSFunction): bool;
+
 macro GetDerivedMap(implicit context: Context)(
    target: JSFunction, newTarget: JSReceiver): Map {
  try {
    const constructor = Cast<JSFunction>(newTarget) otherwise SlowPath;
+    if (!HasPrototypeSlot(constructor)) {
+      goto SlowPath;
+    }
+    assert(IsConstructor(constructor));
    const map =
        Cast<Map>(constructor.prototype_or_initial_map) otherwise SlowPath;
    if (LoadConstructorOrBackPointer(map) != target) {
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -2767,6 +2767,11 @@ TNode<BoolT> CodeStubAssembler::IsGeneratorFunction(
                  Int32Constant(FunctionKind::kConciseGeneratorMethod))));
 }

+TNode<BoolT> CodeStubAssembler::HasPrototypeSlot(TNode<JSFunction> function) {
+  return TNode<BoolT>::UncheckedCast(IsSetWord32<Map::HasPrototypeSlotBit>(
+      LoadMapBitField(LoadMap(function))));
+}
+
 TNode<BoolT> CodeStubAssembler::HasPrototypeProperty(TNode<JSFunction> function,
                                                     TNode<Map> map) {
  // (has_prototype_slot() && IsConstructor()) ||
--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -1435,6 +1435,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  TNode<Map> LoadJSArrayElementsMap(SloppyTNode<Int32T> kind,
                                    SloppyTNode<Context> native_context);

+  TNode<BoolT> HasPrototypeSlot(TNode<JSFunction> function);
  TNode<BoolT> IsGeneratorFunction(TNode<JSFunction> function);
  TNode<BoolT> HasPrototypeProperty(TNode<JSFunction> function, TNode<Map> map);
  void GotoIfPrototypeRequiresRuntimeLookup(TNode<JSFunction> function,