Commit a5331d64 authored by ager@chromium.org's avatar ager@chromium.org

Fix instance type check in apply optimization.

We accidentally compared a map address with an instance type.  This
fix additionally avoids an upper bounds check that is not needed.

Review URL: http://codereview.chromium.org/149003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2272 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 617fa455
...@@ -2184,10 +2184,14 @@ void CodeGenerator::CallApplyLazy(Property* apply, ...@@ -2184,10 +2184,14 @@ void CodeGenerator::CallApplyLazy(Property* apply,
__ test(receiver.reg(), Immediate(kSmiTagMask)); __ test(receiver.reg(), Immediate(kSmiTagMask));
build_args.Branch(zero); build_args.Branch(zero);
Result tmp = allocator_->Allocate(); Result tmp = allocator_->Allocate();
// We allow all JSObjects including JSFunctions. As long as
// JS_FUNCTION_TYPE is the last instance type and it is right
// after LAST_JS_OBJECT_TYPE, we do not have to check the upper
// bound.
ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
ASSERT(JS_FUNCTION_TYPE == LAST_JS_OBJECT_TYPE + 1);
__ CmpObjectType(receiver.reg(), FIRST_JS_OBJECT_TYPE, tmp.reg()); __ CmpObjectType(receiver.reg(), FIRST_JS_OBJECT_TYPE, tmp.reg());
build_args.Branch(less); build_args.Branch(less);
__ cmp(tmp.reg(), LAST_JS_OBJECT_TYPE);
build_args.Branch(greater);
} }
// Verify that we're invoking Function.prototype.apply. // Verify that we're invoking Function.prototype.apply.
......
...@@ -80,6 +80,13 @@ assertTrue(this === NonObjectReceiver(null)); ...@@ -80,6 +80,13 @@ assertTrue(this === NonObjectReceiver(null));
assertTrue(this === NonObjectReceiver(void 0)); assertTrue(this === NonObjectReceiver(void 0));
function FunctionReceiver() {
return ReturnReceiver.apply(Object, arguments);
}
assertTrue(Object === FunctionReceiver());
function ShadowApply() { function ShadowApply() {
function f() { return 42; } function f() { return 42; }
f.apply = function() { return 87; } f.apply = function() { return 87; }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment