Closed
Bug 642174
Opened 14 years ago
Closed 14 years ago
JM: jsop_instanceof only tests isFunction if !rhs->isTypeKnown
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bhackett1024, Assigned: bhackett1024)
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.19 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
JM fast paths the .prototype access when testing x instanceof y and y is a function. It does this if the rhs is a known object, even if the rhs is not actually a function (and is instead StopIteration or some other value with a hasInstance hook). This is the relevant code:
if (!rhs->isTypeKnown()) {
Jump j = frame.testObject(Assembler::NotEqual, rhs);
stubcc.linkExit(j, Uses(2));
RegisterID reg = frame.tempRegForData(rhs);
j = masm.testFunction(Assembler::NotEqual, reg);
stubcc.linkExit(j, Uses(2));
}
The function test should always occur.
|
Assignee | |
Comment 1•14 years ago
|
||
No testcase for stock JM (hard to get it to know something is an object), but this breaks some jstests in the TI branch.
Assignee: general → bhackett1024
Attachment #519701 -
Flags: review?(dvander)
Comment on attachment 519701 [details] [diff] [review]
patch
Nice. You should be able to get a test case for this, JM will track entries as known-objects for object/array literals, |this| in constructors, and regexes.
Attachment #519701 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 3•14 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
||
Comment 4•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•