Skip to content

V
V8
Commit 79aee39f authored by mstarzinger's avatar mstarzinger Committed by Commit bot
Browse files
Options

[builtins] Fix pointer comparison in ToString builtin. 

This fixes the bogus {Word32Equal} comparison in the ToString builtin
implementing Object.prototype.toString to be a pointer-size {WordEqual}
comparison instead. Comparing just the lower half-word is insufficient
on 64-bit architectures.

R=jgruber@chromium.org
TEST=mjsunit/regress/regress-crbug-664506
BUG=chromium:664506

Review-Url: https://codereview.chromium.org/2496043003
Cr-Commit-Position: refs/heads/master@{#40963}
parent 733af7eb
Hide whitespace changes
Inline Side-by-side
Showing with 13 additions and 2 deletions
src/builtins/builtins-object.cc
View file @ 79aee39f
......@@ -296,10 +296,10 @@ void Builtins::Generate_ObjectProtoToString(CodeStubAssembler* assembler) {
Node* context = assembler->Parameter(3);
assembler->GotoIf(
assembler->Word32Equal(receiver, assembler->UndefinedConstant()),
assembler->WordEqual(receiver, assembler->UndefinedConstant()),
&return_undefined);
assembler->GotoIf(assembler->Word32Equal(receiver, assembler->NullConstant()),
assembler->GotoIf(assembler->WordEqual(receiver, assembler->NullConstant()),
&return_null);
assembler->GotoIf(assembler->TaggedIsSmi(receiver), &return_number);
......
test/mjsunit/regress/regress-crbug-664506.js 0 → 100644
View file @ 79aee39f
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc --predictable --random-seed=-1109634722
gc();
gc();
assertEquals("[object Object]", Object.prototype.toString.call({}));
gc();
assertEquals("[object Array]", Object.prototype.toString.call([]));
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment