Commit 26fdb617 authored by Benedikt Meurer's avatar Benedikt Meurer Committed by Commit Bot

[stubs] Properly convert the receiver for GetPropertyStub.

Call ToObject on the GetPropertyStub input first, so that lookups on
Strings and other primitives don't automatically hit the runtime, i.e.
as the stub is also used to lookup the special @@split and @@replace
symbols for various String builtins.

BUG=v8:5269
R=ishell@chromium.org

Change-Id: I5dbbc84aa2051173bf10be71c782fbe448481034
Reviewed-on: https://chromium-review.googlesource.com/488441
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44961}
parent 10903313
...@@ -856,6 +856,10 @@ TF_STUB(GetPropertyStub, CodeStubAssembler) { ...@@ -856,6 +856,10 @@ TF_STUB(GetPropertyStub, CodeStubAssembler) {
Goto(if_bailout); Goto(if_bailout);
}; };
// Ensure that the {object} is actually a JSReceiver.
Callable callable = CodeFactory::ToObject(isolate());
object = CallStub(callable, context, object);
TryPrototypeChainLookup(object, key, lookup_property_in_holder, TryPrototypeChainLookup(object, key, lookup_property_in_holder,
lookup_element_in_holder, &return_undefined, lookup_element_in_holder, &return_undefined,
&call_runtime); &call_runtime);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment