Changeset 233427 in webkit
- Timestamp:
- Jul 2, 2018 11:04:54 AM (6 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 3 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/jit/Repatch.cpp (modified) (1 diff)
-
jstests (added)
-
jstests/stress (added)
-
jstests/stress/instanceof-non-object-prototype.js (added)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r233426 r233427 1 2018-07-02 Keith Miller <keith_miller@apple.com> 2 3 InstanceOf IC should do generic if the prototype is not an object. 4 https://bugs.webkit.org/show_bug.cgi?id=187250 5 6 Reviewed by Mark Lam. 7 8 * stress/instanceof-non-object-prototype.js: Added. 9 (let): 10 (test): 11 (i.catch): 12 1 13 2018-06-30 Mark Lam <mark.lam@apple.com> 2 14 -
trunk/Source/JavaScriptCore/ChangeLog
r233426 r233427 1 2018-07-02 Keith Miller <keith_miller@apple.com> 2 3 InstanceOf IC should do generic if the prototype is not an object. 4 https://bugs.webkit.org/show_bug.cgi?id=187250 5 6 Reviewed by Mark Lam. 7 8 The old code was wrong for two reasons. First, the AccessCase expected that 9 the prototype value would be non-null. Second, we would end up returning 10 false instead of throwing an exception. 11 12 * jit/Repatch.cpp: 13 (JSC::tryCacheInstanceOf): 14 1 15 2018-07-01 Mark Lam <mark.lam@apple.com> 2 16 -
trunk/Source/JavaScriptCore/jit/Repatch.cpp
r233291 r233427 737 737 738 738 JSCell* value = valueValue.asCell(); 739 Structure* structure = value->structure(vm); 740 std::unique_ptr<AccessCase> newCase; 739 741 JSObject* prototype = jsDynamicCast<JSObject*>(vm, prototypeValue); 740 741 Structure* structure = value->structure(vm); 742 743 std::unique_ptr<AccessCase> newCase; 744 745 if (!jsDynamicCast<JSObject*>(vm, value)) { 746 newCase = InstanceOfAccessCase::create( 747 vm, codeBlock, AccessCase::InstanceOfMiss, structure, ObjectPropertyConditionSet(), 748 prototype); 749 } else if (prototype && structure->prototypeQueriesAreCacheable()) { 750 // FIXME: Teach this to do poly proto. 751 // https://bugs.webkit.org/show_bug.cgi?id=185663 752 753 ObjectPropertyConditionSet conditionSet = generateConditionsForInstanceOf( 754 vm, codeBlock, exec, structure, prototype, wasFound); 755 756 if (conditionSet.isValid()) { 742 if (prototype) { 743 if (!jsDynamicCast<JSObject*>(vm, value)) { 757 744 newCase = InstanceOfAccessCase::create( 758 vm, codeBlock, 759 wasFound ? AccessCase::InstanceOfHit : AccessCase::InstanceOfMiss, 760 structure, conditionSet, prototype); 745 vm, codeBlock, AccessCase::InstanceOfMiss, structure, ObjectPropertyConditionSet(), 746 prototype); 747 } else if (structure->prototypeQueriesAreCacheable()) { 748 // FIXME: Teach this to do poly proto. 749 // https://bugs.webkit.org/show_bug.cgi?id=185663 750 751 ObjectPropertyConditionSet conditionSet = generateConditionsForInstanceOf( 752 vm, codeBlock, exec, structure, prototype, wasFound); 753 754 if (conditionSet.isValid()) { 755 newCase = InstanceOfAccessCase::create( 756 vm, codeBlock, 757 wasFound ? AccessCase::InstanceOfHit : AccessCase::InstanceOfMiss, 758 structure, conditionSet, prototype); 759 } 761 760 } 762 761 }
Note: See TracChangeset
for help on using the changeset viewer.
