From 796310304bbf56a58594217b8d7cbb408c51334c Mon Sep 17 00:00:00 2001 From: Franziska Hinkelmann Date: Fri, 8 Jul 2016 22:12:42 +0200 Subject: [PATCH] deps: cherry-pick 2aa070be from V8 upstream Original commit message: InstanceOfStub incorrectly interprets the hole as a prototype. Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. R=verwaest@chromium.org BUG= Committed: https://crrev.com/2aa070be4fd2960df98905b254f12ed801ef26cd Cr-Commit-Position: refs/heads/master@{#34863} This fixes the behavior of instanceof when the second parameter is not a constructor. Fixes: https://github.com/nodejs/node/issues/7592 PR-URL: https://github.com/nodejs/node/pull/7638 Reviewed-By: Anna Henningsen Reviewed-By: Ben Noordhuis Reviewed-By: Ali Ijaz Sheikh --- deps/v8z/src/arm/code-stubs-arm.cc | 6 +++++- deps/v8z/src/arm64/code-stubs-arm64.cc | 5 ++++- deps/v8z/src/ia32/code-stubs-ia32.cc | 5 +++++ deps/v8z/src/mips/code-stubs-mips.cc | 6 +++++- deps/v8z/src/mips64/code-stubs-mips64.cc | 6 +++++- deps/v8z/src/x64/code-stubs-x64.cc | 5 +++++ deps/v8z/test/mjsunit/regress/regress-crbug-573858.js | 2 +- 7 files changed, 30 insertions(+), 5 deletions(-) diff --git a/deps/v8z/src/arm/code-stubs-arm.cc b/deps/v8z/src/arm/code-stubs-arm.cc index 82fb51d2f19..adcd5872958 100644 --- a/deps/v8z/src/arm/code-stubs-arm.cc +++ b/deps/v8z/src/arm/code-stubs-arm.cc @@ -1358,8 +1358,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ CompareObjectType(function, function_map, scratch, JS_FUNCTION_TYPE); __ b(ne, &slow_case); - // Ensure that {function} has an instance prototype. + // Go to the runtime if the function is not a constructor. __ ldrb(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); + __ tst(scratch, Operand(1 << Map::kIsConstructor)); + __ b(eq, &slow_case); + + // Ensure that {function} has an instance prototype. __ tst(scratch, Operand(1 << Map::kHasNonInstancePrototype)); __ b(ne, &slow_case); diff --git a/deps/v8z/src/arm64/code-stubs-arm64.cc b/deps/v8z/src/arm64/code-stubs-arm64.cc index ad566e68fc2..f8d7e23709a 100644 --- a/deps/v8z/src/arm64/code-stubs-arm64.cc +++ b/deps/v8z/src/arm64/code-stubs-arm64.cc @@ -1544,8 +1544,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ JumpIfNotObjectType(function, function_map, scratch, JS_FUNCTION_TYPE, &slow_case); - // Ensure that {function} has an instance prototype. + // Go to the runtime if the function is not a constructor. __ Ldrb(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); + __ Tbz(scratch, Map::kIsConstructor, &slow_case); + + // Ensure that {function} has an instance prototype. __ Tbnz(scratch, Map::kHasNonInstancePrototype, &slow_case); // Get the "prototype" (or initial map) of the {function}. diff --git a/deps/v8z/src/ia32/code-stubs-ia32.cc b/deps/v8z/src/ia32/code-stubs-ia32.cc index 510b58e7235..ba7140d20af 100644 --- a/deps/v8z/src/ia32/code-stubs-ia32.cc +++ b/deps/v8z/src/ia32/code-stubs-ia32.cc @@ -2110,6 +2110,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map); __ j(not_equal, &slow_case); + // Go to the runtime if the function is not a constructor. + __ test_b(FieldOperand(function_map, Map::kBitFieldOffset), + static_cast(1 << Map::kIsConstructor)); + __ j(zero, &slow_case); + // Ensure that {function} has an instance prototype. __ test_b(FieldOperand(function_map, Map::kBitFieldOffset), static_cast(1 << Map::kHasNonInstancePrototype)); diff --git a/deps/v8z/src/mips/code-stubs-mips.cc b/deps/v8z/src/mips/code-stubs-mips.cc index 541e73e2fa4..441d3d050c8 100644 --- a/deps/v8z/src/mips/code-stubs-mips.cc +++ b/deps/v8z/src/mips/code-stubs-mips.cc @@ -1492,8 +1492,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ GetObjectType(function, function_map, scratch); __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); - // Ensure that {function} has an instance prototype. + // Go to the runtime if the function is not a constructor. __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); + __ And(at, scratch, Operand(1 << Map::kIsConstructor)); + __ Branch(&slow_case, eq, at, Operand(zero_reg)); + + // Ensure that {function} has an instance prototype. __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); __ Branch(&slow_case, ne, at, Operand(zero_reg)); diff --git a/deps/v8z/src/mips64/code-stubs-mips64.cc b/deps/v8z/src/mips64/code-stubs-mips64.cc index 28812ad9973..b1d2bfe74cb 100644 --- a/deps/v8z/src/mips64/code-stubs-mips64.cc +++ b/deps/v8z/src/mips64/code-stubs-mips64.cc @@ -1488,8 +1488,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ GetObjectType(function, function_map, scratch); __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); - // Ensure that {function} has an instance prototype. + // Go to the runtime if the function is not a constructor. __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); + __ And(at, scratch, Operand(1 << Map::kIsConstructor)); + __ Branch(&slow_case, eq, at, Operand(zero_reg)); + + // Ensure that {function} has an instance prototype. __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); __ Branch(&slow_case, ne, at, Operand(zero_reg)); diff --git a/deps/v8z/src/x64/code-stubs-x64.cc b/deps/v8z/src/x64/code-stubs-x64.cc index f314b9cfcb6..be534afdb26 100644 --- a/deps/v8z/src/x64/code-stubs-x64.cc +++ b/deps/v8z/src/x64/code-stubs-x64.cc @@ -2069,6 +2069,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) { __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map); __ j(not_equal, &slow_case); + // Go to the runtime if the function is not a constructor. + __ testb(FieldOperand(function_map, Map::kBitFieldOffset), + Immediate(1 << Map::kIsConstructor)); + __ j(zero, &slow_case); + // Ensure that {function} has an instance prototype. __ testb(FieldOperand(function_map, Map::kBitFieldOffset), Immediate(1 << Map::kHasNonInstancePrototype)); diff --git a/deps/v8z/test/mjsunit/regress/regress-crbug-573858.js b/deps/v8z/test/mjsunit/regress/regress-crbug-573858.js index 37a9eb84e50..270df5a64aa 100644 --- a/deps/v8z/test/mjsunit/regress/regress-crbug-573858.js +++ b/deps/v8z/test/mjsunit/regress/regress-crbug-573858.js @@ -9,7 +9,7 @@ var throw_type_error = Object.getOwnPropertyDescriptor( function create_initial_map() { this instanceof throw_type_error } %OptimizeFunctionOnNextCall(create_initial_map); -create_initial_map(); +assertThrows(create_initial_map); function test() { new throw_type_error } %OptimizeFunctionOnNextCall(test);