v8/test/mjsunit/regress/regress-9036-2.js
Georg Neis b9076b4976 [csa] Fix instanceof for LHS with proxy in prototype chain
If the LHS has a proxy in its prototype chain (or is itself one), then
the LHS's [prototype_or_initial_map] being the hole does not necessarily
imply that the result is false.

This CL also adds support for --force-slow-path, which would have been
useful in finding this bug earlier.

Bug: v8:9036
Change-Id: I6f5134d6ce18f9f14549ced3d33527f54ce9bcb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539497
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60476}
2019-03-26 19:35:25 +00:00

11 lines
333 B
JavaScript

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function C() {};
const p = new Proxy({}, { getPrototypeOf() { return C.prototype } });
assertTrue(C[Symbol.hasInstance](p));
assertTrue(C[Symbol.hasInstance](p));
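
The check this regression test performs can be generalized into a differential test. The following is an added example, not V8 project code: it compares the built-in `Function.prototype[Symbol.hasInstance]` against a spec-style prototype walk, covering the test's case (LHS is a proxy), the commit message's other case (proxy in the prototype chain), and two negative cases. The names `isObj`, `ordinaryHasInstance`, `cases` and `runCases` are hypothetical.

```javascript
// Added example (not V8 project code): spec-style OrdinaryHasInstance used as
// an oracle for the built-in Function.prototype[Symbol.hasInstance].
const isObj = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

function ordinaryHasInstance(C, O) {
  // Bound functions are out of scope here; none are used below.
  if (typeof C !== 'function' || !isObj(O)) return false;
  const P = C.prototype;
  if (!isObj(P)) throw new TypeError('C.prototype is not an object');
  for (;;) {
    // Reflect.getPrototypeOf runs a proxy's getPrototypeOf trap.
    O = Reflect.getPrototypeOf(O);
    if (O === null) return false;
    if (O === P) return true;
  }
}

// Each case builds a fresh function so that, as in the regression test,
// C.prototype is first read during the built-in call, not before it.
const cases = {
  proxyItself() {
    function C() {}
    return [C, new Proxy({}, { getPrototypeOf() { return C.prototype; } })];
  },
  proxyInChain() {
    function C() {}
    const p = new Proxy({}, { getPrototypeOf() { return C.prototype; } });
    return [C, Object.create(p)];
  },
  unrelatedProxy() {
    function C() {}
    return [C, new Proxy({}, { getPrototypeOf() { return Object.prototype; } })];
  },
  plainObject() {
    function C() {}
    return [C, {}];
  },
};

function runCases() {
  const results = {};
  for (const [name, make] of Object.entries(cases)) {
    const [C, lhs] = make();
    // Built-in first (twice, like the test), oracle last: the oracle reads
    // C.prototype itself and must not run before the built-in does.
    const first = C[Symbol.hasInstance](lhs);
    const second = C[Symbol.hasInstance](lhs);
    results[name] = { first, second, expected: ordinaryHasInstance(C, lhs) };
  }
  return results;
}
```

Any case where `first` or `second` differs from `expected` indicates that the engine's `instanceof` path disagrees with the prototype walk.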