[turbofan] Add missing heap object check

Bug: chromium:918763 Change-Id: Ic9faaed6b3194269748ba35740cda0dc8dde3241 Reviewed-on: https://chromium-review.googlesource.com/c/1397707Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#58589}

[turbofan] Add missing heap object check
Bug: chromium:918763 Change-Id: Ic9faaed6b3194269748ba35740cda0dc8dde3241 Reviewed-on: https://chromium-review.googlesource.com/c/1397707Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#58589}
426312c8 · Jaroslav Sevcik · Commit Bot · 23a85a33 · 426312c8 · 426312c8
Commit 426312c8 authored Jan 07, 2019 by Jaroslav Sevcik Committed by Commit Bot Jan 07, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +2 -0

regress-918763.js test/mjsunit/regress-918763.js +14 -0

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -430,6 +430,8 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
    }

    // Monomorphic property access.
+    constructor =
+        access_builder.BuildCheckHeapObject(constructor, &effect, control);
    access_builder.BuildCheckMaps(constructor, &effect, control,
                                  access_info.receiver_maps());


--- a/test/mjsunit/regress-918763.js
+++ b/test/mjsunit/regress-918763.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function C() {}
+C.__proto__ = null;
+
+function f(c) { return 0 instanceof c; }
+
+f(C);
+%OptimizeFunctionOnNextCall(f);
+assertThrows(() => f(0));