Commit bdcc7502 authored by Sigurd Schneider's avatar Sigurd Schneider Committed by Commit Bot

[torque] Check for prototype before loading it

Add a missing check for a prototype to GetDerivedMap.

Bug: chromium:999310
Change-Id: I99c342a53e3b95bb7b624ff14c1c40576ee629df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776092
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63473}
parent 2a099bfa
......@@ -368,10 +368,16 @@ macro NewJSObject(implicit context: Context)(): JSObject {
};
}
extern macro HasPrototypeSlot(JSFunction): bool;
macro GetDerivedMap(implicit context: Context)(
target: JSFunction, newTarget: JSReceiver): Map {
try {
const constructor = Cast<JSFunction>(newTarget) otherwise SlowPath;
if (!HasPrototypeSlot(constructor)) {
goto SlowPath;
}
assert(IsConstructor(constructor));
const map =
Cast<Map>(constructor.prototype_or_initial_map) otherwise SlowPath;
if (LoadConstructorOrBackPointer(map) != target) {
......
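Review bot: The new bail-out at `if (!HasPrototypeSlot(constructor))` carries no comment saying why the slot has to be tested before `constructor.prototype_or_initial_map` is read, which is the whole point of the change and will not be obvious to the next reader of GetDerivedMap. If, as the commit title suggests, the field is only present on functions whose map has the prototype slot, a one-line comment above the check such as `// Only functions with a prototype slot carry prototype_or_initial_map; take the slow path before loading it.` would record that. The `assert(IsConstructor(constructor))` that follows is now reached only for functions that do have the slot, so the no-slot case is covered by SlowPath rather than by the assert; noting this next to the assert would avoid it being read as a weakened invariant. GetDerivedMap's body continues outside the hunk.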
......@@ -2767,6 +2767,11 @@ TNode<BoolT> CodeStubAssembler::IsGeneratorFunction(
Int32Constant(FunctionKind::kConciseGeneratorMethod))));
}
TNode<BoolT> CodeStubAssembler::HasPrototypeSlot(TNode<JSFunction> function) {
return TNode<BoolT>::UncheckedCast(IsSetWord32<Map::HasPrototypeSlotBit>(
LoadMapBitField(LoadMap(function))));
}
TNode<BoolT> CodeStubAssembler::HasPrototypeProperty(TNode<JSFunction> function,
TNode<Map> map) {
// (has_prototype_slot() && IsConstructor()) ||
......
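Review bot: In the new `HasPrototypeSlot` body, the `TNode<BoolT>::UncheckedCast(...)` wrapped around `IsSetWord32<Map::HasPrototypeSlotBit>(...)` looks redundant if `IsSetWord32` already returns a `TNode<BoolT>`, in which case `return IsSetWord32<Map::HasPrototypeSlotBit>(LoadMapBitField(LoadMap(function)));` is sufficient and keeps an unchecked cast out of a predicate that now guards a field load. The neighbouring `HasPrototypeProperty` opens with the comment `// (has_prototype_slot() && IsConstructor()) ||`; if its body tests the same map bit inline, having it call the new helper would keep the two definitions of "has a prototype slot" from drifting apart. The declaration added in the header section has no comment; `// True iff |function|'s map has Map::HasPrototypeSlotBit set.` above it would state the contract for callers. HasPrototypeProperty's body continues outside the hunk.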
......@@ -1435,6 +1435,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
TNode<Map> LoadJSArrayElementsMap(SloppyTNode<Int32T> kind,
SloppyTNode<Context> native_context);
TNode<BoolT> HasPrototypeSlot(TNode<JSFunction> function);
TNode<BoolT> IsGeneratorFunction(TNode<JSFunction> function);
TNode<BoolT> HasPrototypeProperty(TNode<JSFunction> function, TNode<Map> map);
void GotoIfPrototypeRequiresRuntimeLookup(TNode<JSFunction> function,
......