[constant-tracking,turbofan] Check @@hasInstance is callable.
This fixes several problems with instanceof and constant field tracking in the compiler: - properly bailout on numbers and non-functions at @@hasInstance. - deopt on changes of @@hasInstance property. Bug: v8:8361 Change-Id: I4a1cf9e29d72076f2d37a7c703f18cb2fb8f4040 Reviewed-on: https://chromium-review.googlesource.com/c/1322449 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#57532}
This commit is contained in:
parent
33f41e41d8
commit
ee8d9f2eba
@ -441,14 +441,10 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
|
||||
}
|
||||
|
||||
if (access_info.IsDataConstant() || access_info.IsDataConstantField()) {
|
||||
// Determine actual holder and perform prototype chain checks.
|
||||
// Determine actual holder.
|
||||
Handle<JSObject> holder;
|
||||
if (access_info.holder().ToHandle(&holder)) {
|
||||
dependencies()->DependOnStablePrototypeChains(
|
||||
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
|
||||
} else {
|
||||
holder = receiver;
|
||||
}
|
||||
bool found_on_proto = access_info.holder().ToHandle(&holder);
|
||||
if (!found_on_proto) holder = receiver;
|
||||
|
||||
Handle<Object> constant;
|
||||
if (access_info.IsDataConstant()) {
|
||||
@ -457,12 +453,30 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
|
||||
} else {
|
||||
DCHECK(FLAG_track_constant_fields);
|
||||
DCHECK(access_info.IsDataConstantField());
|
||||
// The value must be callable therefore tagged.
|
||||
DCHECK(CanBeTaggedPointer(access_info.field_representation()));
|
||||
FieldIndex field_index = access_info.field_index();
|
||||
constant = JSObject::FastPropertyAt(holder, Representation::Tagged(),
|
||||
field_index);
|
||||
if (!constant->IsCallable()) {
|
||||
return NoChange();
|
||||
}
|
||||
|
||||
// Install dependency on constness. Unfortunately, access_info does not
|
||||
// track descriptor index, so we have to search for it.
|
||||
Handle<Map> holder_map(holder->map(), isolate());
|
||||
Handle<DescriptorArray> descriptors(holder_map->instance_descriptors(),
|
||||
isolate());
|
||||
int descriptor_index =
|
||||
descriptors->Search(*(factory()->has_instance_symbol()), *holder_map);
|
||||
CHECK_NE(descriptor_index, DescriptorArray::kNotFound);
|
||||
dependencies()->DependOnFieldType(MapRef(broker(), holder_map),
|
||||
descriptor_index);
|
||||
}
|
||||
|
||||
if (found_on_proto) {
|
||||
dependencies()->DependOnStablePrototypeChains(
|
||||
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
|
||||
}
|
||||
|
||||
DCHECK(constant->IsCallable());
|
||||
|
||||
// Check that {constructor} is actually {receiver}.
|
||||
|
106
test/mjsunit/compiler/instance-of-overridden-has-instance.js
Normal file
106
test/mjsunit/compiler/instance-of-overridden-has-instance.js
Normal file
@ -0,0 +1,106 @@
|
||||
// Copyright 2018 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
// Flags: --allow-natives-syntax
|
||||
|
||||
(function NonConstHasInstance() {
|
||||
var C = {
|
||||
[Symbol.hasInstance] : () => true
|
||||
};
|
||||
|
||||
function f() {
|
||||
return {} instanceof C;
|
||||
}
|
||||
|
||||
assertTrue(f());
|
||||
assertTrue(f());
|
||||
%OptimizeFunctionOnNextCall(f);
|
||||
assertTrue(f());
|
||||
C[Symbol.hasInstance] = () => false;
|
||||
assertFalse(f());
|
||||
})();
|
||||
|
||||
(function NumberHasInstance() {
|
||||
var C = {
|
||||
[Symbol.hasInstance] : 0.1
|
||||
};
|
||||
|
||||
function f(b, C) {
|
||||
if (b) return {} instanceof C;
|
||||
return false;
|
||||
}
|
||||
|
||||
function g(b) {
|
||||
return f(b, C);
|
||||
}
|
||||
|
||||
assertFalse(f(true, Number));
|
||||
assertFalse(f(true, Number));
|
||||
assertFalse(g(false));
|
||||
assertFalse(g(false));
|
||||
%OptimizeFunctionOnNextCall(g);
|
||||
assertThrows(() => g(true));
|
||||
})();
|
||||
|
||||
(function NonFunctionHasInstance() {
|
||||
var C = {
|
||||
[Symbol.hasInstance] : {}
|
||||
};
|
||||
|
||||
function f(b, C) {
|
||||
if (b) return {} instanceof C;
|
||||
return false;
|
||||
}
|
||||
|
||||
function g(b) {
|
||||
return f(b, C);
|
||||
}
|
||||
|
||||
assertFalse(f(true, Number));
|
||||
assertFalse(f(true, Number));
|
||||
assertFalse(g(false));
|
||||
assertFalse(g(false));
|
||||
%OptimizeFunctionOnNextCall(g);
|
||||
assertThrows(() => g(true));
|
||||
})();
|
||||
|
||||
(function NonConstHasInstanceProto() {
|
||||
var B = {
|
||||
[Symbol.hasInstance]() { return true; }
|
||||
};
|
||||
|
||||
var C = { __proto__ : B };
|
||||
|
||||
function f() {
|
||||
return {} instanceof C;
|
||||
}
|
||||
|
||||
assertTrue(f());
|
||||
assertTrue(f());
|
||||
%OptimizeFunctionOnNextCall(f);
|
||||
assertTrue(f());
|
||||
B[Symbol.hasInstance] = () => { return false; };
|
||||
assertFalse(f());
|
||||
})();
|
||||
|
||||
(function HasInstanceOverwriteOnProto() {
|
||||
var A = {
|
||||
[Symbol.hasInstance] : () => false
|
||||
}
|
||||
|
||||
var B = { __proto__ : A };
|
||||
|
||||
var C = { __proto__ : B };
|
||||
|
||||
function f() {
|
||||
return {} instanceof C;
|
||||
}
|
||||
|
||||
assertFalse(f());
|
||||
assertFalse(f());
|
||||
%OptimizeFunctionOnNextCall(f);
|
||||
assertFalse(f());
|
||||
B[Symbol.hasInstance] = () => { return true; };
|
||||
assertTrue(f());
|
||||
})();
|
Loading…
Reference in New Issue
Block a user