Turbofan instanceof lowering needs to address proxies.

src/compiler/js-typed-lowering.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
 #include "src/compiler/js-typed-lowering.h"
 #include "src/compiler/linkage.h"
@@ skipping 1082 matching lines @@
         return Changed(node);
       }
     }
   }
   return NoChange();
 }
 
 
 Reduction JSTypedLowering::ReduceJSInstanceOf(Node* node) {
   DCHECK_EQ(IrOpcode::kJSInstanceOf, node->opcode());
+  Node* const context = NodeProperties::GetContextInput(node);
+  Node* const frame_state = NodeProperties::GetFrameStateInput(node, 0);
 
   // If deoptimization is disabled, we cannot optimize.
   if (!(flags() & kDeoptimizationEnabled)) return NoChange();
 
+  // If we are in a try block, don't optimize since the runtime call
+  // in the proxy case can throw.
+  if (NodeProperties::IsExceptionalCall(node)) return NoChange();
+
   JSBinopReduction r(this, node);
   Node* effect = r.effect();
   Node* control = r.control();
 
   if (r.right_type()->IsConstant() &&
       r.right_type()->AsConstant()->Value()->IsJSFunction()) {
     Handle<JSFunction> function =
         Handle<JSFunction>::cast(r.right_type()->AsConstant()->Value());
     Handle<SharedFunctionInfo> shared(function->shared(), isolate());
     if (function->IsConstructor() &&
@@ skipping 25 matching lines @@
       Node* loop = control =
           graph()->NewNode(common()->Loop(2), control, control);
 
       Node* loop_effect = effect =
           graph()->NewNode(common()->EffectPhi(2), effect, effect, loop);
 
       Node* loop_object_map =
           graph()->NewNode(common()->Phi(MachineRepresentation::kTagged, 2),
                            object_map, r.left(), loop);
 
+      // Check if the lhs is a proxy.
+      Node* map_instance_type = effect = graph()->NewNode(
+          simplified()->LoadField(AccessBuilder::ForMapInstanceType()),
+          loop_object_map, loop_effect, control);
+      Node* is_proxy =
+          graph()->NewNode(machine()->Word32Equal(), map_instance_type,
+                           jsgraph()->Uint32Constant(JS_PROXY_TYPE));
+      Node* branch_is_proxy = graph()->NewNode(
+          common()->Branch(BranchHint::kFalse), is_proxy, control);
+      Node* if_is_proxy = graph()->NewNode(common()->IfTrue(), branch_is_proxy);
+      Node* e_is_proxy = effect;
+
+      // If it is, make a runtime call to finish the lowering.
+      Node* bool_result = e_is_proxy = graph()->NewNode(
+          javascript()->CallRuntime(Runtime::kHasInPrototypeChain, 2), r.left(),
+          prototype, context, frame_state, e_is_proxy, if_is_proxy);
+
+      control = graph()->NewNode(common()->IfFalse(), branch_is_proxy);
 
       Node* object_prototype = effect = graph()->NewNode(
           simplified()->LoadField(AccessBuilder::ForMapPrototype()),
           loop_object_map, loop_effect, control);
 
       // Check if object prototype is equal to function prototype.
       Node* eq_proto =
           graph()->NewNode(simplified()->ReferenceEqual(r.right_type()),
                            object_prototype, prototype);
       Node* branch_eq_proto = graph()->NewNode(
@@ skipping 15 matching lines @@
 
       control = graph()->NewNode(common()->IfFalse(), branch_null_proto);
       Node* load_object_map = effect =
           graph()->NewNode(simplified()->LoadField(AccessBuilder::ForMap()),
                            object_prototype, effect, control);
       // Close the loop.
       loop_effect->ReplaceInput(1, effect);
       loop_object_map->ReplaceInput(1, load_object_map);
       loop->ReplaceInput(1, control);
 
-      control =
-          graph()->NewNode(common()->Merge(2), if_eq_proto, if_null_proto);
-      effect = graph()->NewNode(common()->EffectPhi(2), e_eq_proto,
+      control = graph()->NewNode(common()->Merge(3), if_is_proxy, if_eq_proto,
+                                 if_null_proto);
+      effect = graph()->NewNode(common()->EffectPhi(3), e_is_proxy, e_eq_proto,
                                 e_null_proto, control);
 
 
       Node* result = graph()->NewNode(
-          common()->Phi(MachineRepresentation::kTagged, 2),
+          common()->Phi(MachineRepresentation::kTagged, 3), bool_result,
           jsgraph()->TrueConstant(), jsgraph()->FalseConstant(), control);
 
       if (if_is_smi != nullptr) {
         DCHECK(e_is_smi != nullptr);
         control = graph()->NewNode(common()->Merge(2), if_is_smi, control);
         effect =
             graph()->NewNode(common()->EffectPhi(2), e_is_smi, effect, control);
         result =
             graph()->NewNode(common()->Phi(MachineRepresentation::kTagged, 2),
                              jsgraph()->FalseConstant(), result, control);
@@ skipping 1484 matching lines @@
 }
 
 
 CompilationDependencies* JSTypedLowering::dependencies() const {
   return dependencies_;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8