Bug 794947 - Add check for lazy proto in ion code (r=dvander)
authorBill McCloskey <wmccloskey@mozilla.com>
Thu, 27 Sep 2012 20:20:11 -0700
changeset 108446 64558e8ed7235e7284b17568832f44a9eb24c7ed
parent 108445 2d96ee8d9dd44ac0e80d79b33828f05cef79cedb
child 108447 bd2349429495a48b29b0eeefa4d1de21333b8cb4
push id82
push usershu@rfrn.org
push dateFri, 05 Oct 2012 13:20:22 +0000
reviewersdvander
bugs794947
milestone18.0a1
Bug 794947 - Add check for lazy proto in ion code (r=dvander)
js/src/ion/CodeGenerator.cpp
js/src/jit-test/tests/basic/bug794947.js
--- a/js/src/ion/CodeGenerator.cpp
+++ b/js/src/ion/CodeGenerator.cpp
@@ -3949,21 +3949,24 @@ CodeGenerator::emitInstanceOf(LInstructi
     masm.mov(output, rhsTmp);
     masm.mov(Imm32(0), output);
 
     // Walk the prototype chain
     masm.bind(&loopPrototypeChain);
     masm.loadPtr(Address(lhsTmp, JSObject::offsetOfType()), lhsTmp);
     masm.loadPtr(Address(lhsTmp, offsetof(types::TypeObject, proto)), lhsTmp);
 
-    masm.test32(lhsTmp, lhsTmp);
+    // Bail out if we hit a lazy proto
+    masm.branch32(Assembler::Equal, lhsTmp, Imm32(1), call->entry());
+
+    masm.testPtr(lhsTmp, lhsTmp);
     masm.j(Assembler::Zero, &done);
 
     // Check lhs is equal to rhsShape
-    masm.cmp32(lhsTmp, rhsTmp);
+    masm.cmpPtr(lhsTmp, rhsTmp);
     masm.j(Assembler::NotEqual, &loopPrototypeChain);
 
     // return true
     masm.mov(Imm32(1), output);
 
     masm.bind(call->rejoin());
     masm.bind(&done);
     return true;
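Review bot: The new lazy-proto check `masm.branch32(Assembler::Equal, lhsTmp, Imm32(1), call->entry());` compares a pointer-holding register with a 32-bit immediate, while the same hunk widens the neighbouring test32/cmp32 to testPtr/cmpPtr precisely because lhsTmp holds a pointer; on a 64-bit target branch32 only inspects the low half of the register. It should use the pointer-width form, e.g. `masm.branchPtr(Assembler::Equal, lhsTmp, ImmWord(1), call->entry());`, so the three comparisons in the loop agree on operand width. The literal 1 is a tagging-scheme sentinel duplicated into jitted code; if the engine defines a named constant for the lazy proto it should be used here, otherwise the comment should at least say `// proto == 1 is the lazy-proto sentinel; let the VM call resolve it`, so a later change to the sentinel value is not silently missed. emitInstanceOf begins and ends outside this hunk.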
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug794947.js
@@ -0,0 +1,10 @@
+function f(o)
+{
+    print(o instanceof String);
+}
+
+var g = newGlobal();
+f(new Object());
+var o1 = g.eval('new Object()');
+var o2 = Object.create(o1);
+f(o2);
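Review bot: The test only does `print(o instanceof String);`, so it guards against a crash but never checks the computed result; a regression that makes the lazy-proto fallback return the wrong value would pass unnoticed. Prefer `assertEq(o instanceof String, false);` for both calls (neither object has String.prototype on its chain), keeping the cross-global `Object.create(o1)` construction that produces the lazy proto. Whether f reaches Ion after just two calls depends on the harness flags, which are not visible here; if it relies on an eager-compilation mode, a short warm-up loop would make the test robust to the configuration.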