X87: InstanceOfStub incorrectly interprets the hole as a prototype.

port 2aa070be (r34863) original commit message: Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. BUG= Review URL: https://codereview.chromium.org/1809333002 Cr-Commit-Position: refs/heads/master@{#34880}

X87: InstanceOfStub incorrectly interprets the hole as a prototype.
port 2aa070be (r34863) original commit message: Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. BUG= Review URL: https://codereview.chromium.org/1809333002 Cr-Commit-Position: refs/heads/master@{#34880}
5b5d24b3 · zhengxing.li · Commit bot · 7544b81b · 5b5d24b3
Commit 5b5d24b3 authored Mar 18, 2016 by zhengxing.li Committed by Commit bot Mar 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

code-stubs-x87.cc src/x87/code-stubs-x87.cc +5 -0

No files found.
--- a/src/x87/code-stubs-x87.cc
+++ b/src/x87/code-stubs-x87.cc
@@ -1862,6 +1862,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
  __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
  __ j(not_equal, &slow_case);

+  // Go to the runtime if the function is not a constructor.
+  __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
+            static_cast<uint8_t>(1 << Map::kIsConstructor));
+  __ j(zero, &slow_case);
+
  // Ensure that {function} has an instance prototype.
  __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
            static_cast<uint8_t>(1 << Map::kHasNonInstancePrototype));