[constant-tracking,turbofan] Check @@hasInstance is callable.

This fixes several problems with instanceof and constant field tracking
in the compiler:
- properly bailout on numbers and non-functions at @@hasInstance.
- deopt on changes of @@hasInstance property.

Bug: v8:8361
Change-Id: I4a1cf9e29d72076f2d37a7c703f18cb2fb8f4040
Reviewed-on: https://chromium-review.googlesource.com/c/1322449
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57532}
This commit is contained in:
Jaroslav Sevcik 2018-11-15 12:29:50 +01:00 committed by Commit Bot
parent 33f41e41d8
commit ee8d9f2eba
2 changed files with 129 additions and 9 deletions

View File

@ -441,14 +441,10 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
}
if (access_info.IsDataConstant() || access_info.IsDataConstantField()) {
// Determine actual holder and perform prototype chain checks.
// Determine actual holder.
Handle<JSObject> holder;
if (access_info.holder().ToHandle(&holder)) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
} else {
holder = receiver;
}
bool found_on_proto = access_info.holder().ToHandle(&holder);
if (!found_on_proto) holder = receiver;
Handle<Object> constant;
if (access_info.IsDataConstant()) {
@ -457,12 +453,30 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
} else {
DCHECK(FLAG_track_constant_fields);
DCHECK(access_info.IsDataConstantField());
// The value must be callable therefore tagged.
DCHECK(CanBeTaggedPointer(access_info.field_representation()));
FieldIndex field_index = access_info.field_index();
constant = JSObject::FastPropertyAt(holder, Representation::Tagged(),
field_index);
if (!constant->IsCallable()) {
return NoChange();
}
// Install dependency on constness. Unfortunately, access_info does not
// track descriptor index, so we have to search for it.
Handle<Map> holder_map(holder->map(), isolate());
Handle<DescriptorArray> descriptors(holder_map->instance_descriptors(),
isolate());
int descriptor_index =
descriptors->Search(*(factory()->has_instance_symbol()), *holder_map);
CHECK_NE(descriptor_index, DescriptorArray::kNotFound);
dependencies()->DependOnFieldType(MapRef(broker(), holder_map),
descriptor_index);
}
if (found_on_proto) {
dependencies()->DependOnStablePrototypeChains(
broker(), access_info.receiver_maps(), JSObjectRef(broker(), holder));
}
DCHECK(constant->IsCallable());
// Check that {constructor} is actually {receiver}.

View File

@ -0,0 +1,106 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function NonConstHasInstance() {
var C = {
[Symbol.hasInstance] : () => true
};
function f() {
return {} instanceof C;
}
assertTrue(f());
assertTrue(f());
%OptimizeFunctionOnNextCall(f);
assertTrue(f());
C[Symbol.hasInstance] = () => false;
assertFalse(f());
})();
(function NumberHasInstance() {
var C = {
[Symbol.hasInstance] : 0.1
};
function f(b, C) {
if (b) return {} instanceof C;
return false;
}
function g(b) {
return f(b, C);
}
assertFalse(f(true, Number));
assertFalse(f(true, Number));
assertFalse(g(false));
assertFalse(g(false));
%OptimizeFunctionOnNextCall(g);
assertThrows(() => g(true));
})();
(function NonFunctionHasInstance() {
var C = {
[Symbol.hasInstance] : {}
};
function f(b, C) {
if (b) return {} instanceof C;
return false;
}
function g(b) {
return f(b, C);
}
assertFalse(f(true, Number));
assertFalse(f(true, Number));
assertFalse(g(false));
assertFalse(g(false));
%OptimizeFunctionOnNextCall(g);
assertThrows(() => g(true));
})();
(function NonConstHasInstanceProto() {
var B = {
[Symbol.hasInstance]() { return true; }
};
var C = { __proto__ : B };
function f() {
return {} instanceof C;
}
assertTrue(f());
assertTrue(f());
%OptimizeFunctionOnNextCall(f);
assertTrue(f());
B[Symbol.hasInstance] = () => { return false; };
assertFalse(f());
})();
(function HasInstanceOverwriteOnProto() {
var A = {
[Symbol.hasInstance] : () => false
}
var B = { __proto__ : A };
var C = { __proto__ : B };
function f() {
return {} instanceof C;
}
assertFalse(f());
assertFalse(f());
%OptimizeFunctionOnNextCall(f);
assertFalse(f());
B[Symbol.hasInstance] = () => { return true; };
assertTrue(f());
})();