Make sure to check that the function prototype is a

real JavaScript object before looking for it in the prototype chain during instanceof checks. Review URL: http://codereview.chromium.org/6579 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Make sure to check that the function prototype is a
real JavaScript object before looking for it in the prototype chain during instanceof checks. Review URL: http://codereview.chromium.org/6579 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
b314b46b · kasperl@chromium.org · 77643dbe · b314b46b · b314b46b · b314b46b
Commit b314b46b authored Oct 08, 2008 by kasperl@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 2 deletions

codegen-ia32.cc src/codegen-ia32.cc +8 -0

stub-cache-ia32.cc src/stub-cache-ia32.cc +0 -1

instanceof.js test/mjsunit/instanceof.js +7 -1

No files found.
--- a/src/codegen-ia32.cc
+++ b/src/codegen-ia32.cc
@@ -5304,6 +5304,14 @@ void InstanceofStub::Generate(MacroAssembler* masm) {
  __ mov(edx, Operand(esp, 1 * kPointerSize));  // 1 ~ return address
  __ TryGetFunctionPrototype(edx, ebx, ecx, &slow);
+  // Check that the function prototype is a JS object.
+  __ mov(ecx, FieldOperand(ebx, HeapObject::kMapOffset));
+  __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
+  __ cmp(ecx, FIRST_JS_OBJECT_TYPE);
+  __ j(less, &slow, not_taken);
+  __ cmp(ecx, LAST_JS_OBJECT_TYPE);
+  __ j(greater, &slow, not_taken);
  // Register mapping: eax is object map and ebx is function prototype.
  __ mov(ecx, FieldOperand(eax, Map::kPrototypeOffset));

--- a/src/stub-cache-ia32.cc
+++ b/src/stub-cache-ia32.cc
@@ -232,7 +232,6 @@ void StubCompiler::GenerateLoadFunctionPrototype(MacroAssembler* masm,
                                                 Register scratch1,
                                                 Register scratch2,
                                                 Label* miss_label) {
  __ TryGetFunctionPrototype(receiver, scratch1, scratch2, miss_label);
  __ mov(eax, Operand(scratch1));
  __ ret(0);

--- a/test/mjsunit/instanceof.js
+++ b/test/mjsunit/instanceof.js
@@ -64,7 +64,7 @@ function TestExceptions() {
                true, 
                'string', new String('hest'),
                {}, [], 
-                F, new F(), 
+                F, new F(),
                Object, String ];
  var exceptions = 0;
@@ -82,6 +82,12 @@ function TestExceptions() {
  }
  assertEquals(10, instanceofs);
  assertEquals(88, exceptions);
+  // Make sure to throw an exception if the function prototype
+  // isn't a proper JavaScript object.
+  function G() { }
+  G.prototype = undefined;
+  assertThrows("({} instanceof G)");
 }
 TestExceptions();