Commit 9bee6750 authored by verwaest's avatar verwaest Committed by Commit bot

Don't EnsureHasInitialMap on non-constructors.

Non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as the right-hand side of instanceof.

BUG=

Review URL: https://codereview.chromium.org/1490003003

Cr-Commit-Position: refs/heads/master@{#32497}
parent e478a8ac
...@@ -1150,7 +1150,8 @@ Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) { ...@@ -1150,7 +1150,8 @@ Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) {
Handle<JSFunction> function = Handle<JSFunction> function =
Handle<JSFunction>::cast(r.right_type()->AsConstant()->Value()); Handle<JSFunction>::cast(r.right_type()->AsConstant()->Value());
Handle<SharedFunctionInfo> shared(function->shared(), isolate()); Handle<SharedFunctionInfo> shared(function->shared(), isolate());
if (!function->map()->has_non_instance_prototype()) { if (function->IsConstructor() &&
!function->map()->has_non_instance_prototype()) {
JSFunction::EnsureHasInitialMap(function); JSFunction::EnsureHasInitialMap(function);
DCHECK(function->has_initial_map()); DCHECK(function->has_initial_map());
Handle<Map> initial_map(function->initial_map(), isolate()); Handle<Map> initial_map(function->initial_map(), isolate());
......
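Review bot: The new `function->IsConstructor() &&` guard on the instanceof fast path has no comment saying why it is there, and the identical condition is repeated in HOptimizedGraphBuilder::VisitCompareOperation in the next section. A one-line comment above the `if` in both places, such as `// Only constructors may get an initial map; never call EnsureHasInitialMap on anything else.`, would keep a later cleanup from dropping the check in one compiler and not the other. What runs when the condition is false is outside the hunk, so it is worth confirming that path never reads `initial_map()` for a non-constructor right-hand side. ReduceJSInstanceOf starts and ends outside the hunk.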
...@@ -11459,7 +11459,8 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) { ...@@ -11459,7 +11459,8 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
HConstant::cast(right)->handle(isolate())->IsJSFunction()) { HConstant::cast(right)->handle(isolate())->IsJSFunction()) {
Handle<JSFunction> constructor = Handle<JSFunction> constructor =
Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate())); Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
if (!constructor->map()->has_non_instance_prototype()) { if (constructor->IsConstructor() &&
!constructor->map()->has_non_instance_prototype()) {
JSFunction::EnsureHasInitialMap(constructor); JSFunction::EnsureHasInitialMap(constructor);
DCHECK(constructor->has_initial_map()); DCHECK(constructor->has_initial_map());
Handle<Map> initial_map(constructor->initial_map(), isolate()); Handle<Map> initial_map(constructor->initial_map(), isolate());
......
...@@ -12524,6 +12524,7 @@ bool CanSubclassHaveInobjectProperties(InstanceType instance_type) { ...@@ -12524,6 +12524,7 @@ bool CanSubclassHaveInobjectProperties(InstanceType instance_type) {
void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) { void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) {
DCHECK(function->IsConstructor() || function->shared()->is_generator());
if (function->has_initial_map()) return; if (function->has_initial_map()) return;
Isolate* isolate = function->GetIsolate(); Isolate* isolate = function->GetIsolate();
......
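Review bot: The added `DCHECK(function->IsConstructor() || function->shared()->is_generator());` is only active in debug-style builds, so in a release build a caller other than the two compiler sites fixed in this commit could still give a non-constructor an initial map without any signal. The other callers are not visible on this page and should be audited for the same precondition. The commit message says non-constructors must not have initial maps, yet the assertion also admits generators; a comment above it, for example `// Precondition: constructors only; generator functions are the one exception (presumably for their generator objects).`, would record that. EnsureHasInitialMap's body continues outside the hunk.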
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var x = Object.getOwnPropertyDescriptor({get x() {}}, "x").get;
function f(o, b) {
if (b) {
return o instanceof x;
}
}
%OptimizeFunctionOnNextCall(f);
f();
function g() {
return new x();
}
%OptimizeFunctionOnNextCall(g);
assertThrows(()=>g());
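Review bot: `assertThrows(()=>g());` on the last line accepts any exception, so the test would still pass if the optimized `new x()` failed for an unrelated reason; `assertThrows(()=>g(), TypeError);` pins the failure the fix is meant to preserve. Separately, `f()` is called with no arguments, so `o instanceof x` is compiled but never executed and the test does not observe what the optimized instanceof does at runtime. A short comment at the top, such as `// Optimizing instanceof against a non-constructor must not give it an initial map.`, would make the intent of the two-step setup clear.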