Commit 2d80e841 authored by Michael Starzinger's avatar Michael Starzinger Committed by Commit Bot

[turbofan] Properly restrict {JSCreate} to constructors.

This makes sure that the lowering of {JSCreate} operator during create
lowering is only applied to operations where both target and new.target
are known to be constructors.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-768080
BUG=chromium:774780,chromium:768080

Change-Id: I55a582a3453bba7e14655b594b7714a3940eeaae
Reviewed-on: https://chromium-review.googlesource.com/725332Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48680}
parent 713da2d5
...@@ -180,13 +180,14 @@ Reduction JSCreateLowering::ReduceJSCreate(Node* node) { ...@@ -180,13 +180,14 @@ Reduction JSCreateLowering::ReduceJSCreate(Node* node) {
Node* const control = NodeProperties::GetControlInput(node); Node* const control = NodeProperties::GetControlInput(node);
// Extract constructor and original constructor function. // Extract constructor and original constructor function.
if (target_type->IsHeapConstant() && new_target_type->IsHeapConstant() && if (target_type->IsHeapConstant() && new_target_type->IsHeapConstant() &&
target_type->AsHeapConstant()->Value()->IsJSFunction() &&
new_target_type->AsHeapConstant()->Value()->IsJSFunction()) { new_target_type->AsHeapConstant()->Value()->IsJSFunction()) {
Handle<JSFunction> constructor = Handle<JSFunction> constructor =
Handle<JSFunction>::cast(target_type->AsHeapConstant()->Value()); Handle<JSFunction>::cast(target_type->AsHeapConstant()->Value());
if (!constructor->IsConstructor()) return NoChange();
Handle<JSFunction> original_constructor = Handle<JSFunction> original_constructor =
Handle<JSFunction>::cast(new_target_type->AsHeapConstant()->Value()); Handle<JSFunction>::cast(new_target_type->AsHeapConstant()->Value());
DCHECK(constructor->IsConstructor()); if (!original_constructor->IsConstructor()) return NoChange();
DCHECK(original_constructor->IsConstructor());
// Check if we can inline the allocation. // Check if we can inline the allocation.
if (IsAllocationInlineable(constructor, original_constructor)) { if (IsAllocationInlineable(constructor, original_constructor)) {
......
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
function f() { function f() {
return new g(); return new g();
} }
new C(); // Warm-up!
assertThrows(f, TypeError); assertThrows(f, TypeError);
assertThrows(f, TypeError); assertThrows(f, TypeError);
%OptimizeFunctionOnNextCall(f); %OptimizeFunctionOnNextCall(f);
...@@ -29,6 +30,7 @@ ...@@ -29,6 +30,7 @@
function f() { function f() {
return new g(); return new g();
} }
new C(); // Warm-up!
assertThrows(f, TypeError); assertThrows(f, TypeError);
assertThrows(f, TypeError); assertThrows(f, TypeError);
%OptimizeFunctionOnNextCall(f); %OptimizeFunctionOnNextCall(f);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment