| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #if V8_TARGET_ARCH_MIPS | 5 #if V8_TARGET_ARCH_MIPS |
| 6 | 6 |
| 7 #include "src/code-stubs.h" | 7 #include "src/code-stubs.h" |
| 8 #include "src/api-arguments.h" | 8 #include "src/api-arguments.h" |
| 9 #include "src/base/bits.h" | 9 #include "src/base/bits.h" |
| 10 #include "src/bootstrapper.h" | 10 #include "src/bootstrapper.h" |
| (...skipping 1485 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1496 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); | 1496 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); |
| 1497 __ Ret(USE_DELAY_SLOT); | 1497 __ Ret(USE_DELAY_SLOT); |
| 1498 __ LoadRoot(v0, Heap::kFalseValueRootIndex); // In delay slot. | 1498 __ LoadRoot(v0, Heap::kFalseValueRootIndex); // In delay slot. |
| 1499 | 1499 |
| 1500 // Fast-case: The {function} must be a valid JSFunction. | 1500 // Fast-case: The {function} must be a valid JSFunction. |
| 1501 __ bind(&fast_case); | 1501 __ bind(&fast_case); |
| 1502 __ JumpIfSmi(function, &slow_case); | 1502 __ JumpIfSmi(function, &slow_case); |
| 1503 __ GetObjectType(function, function_map, scratch); | 1503 __ GetObjectType(function, function_map, scratch); |
| 1504 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); | 1504 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); |
| 1505 | 1505 |
| 1506 // Go to the runtime if the function is not a constructor. |
| 1507 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); |
| 1508 __ And(at, scratch, Operand(1 << Map::kIsConstructor)); |
| 1509 __ Branch(&slow_case, eq, at, Operand(zero_reg)); |
| 1510 |
| 1506 // Ensure that {function} has an instance prototype. | 1511 // Ensure that {function} has an instance prototype. |
| 1507 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); | |
| 1508 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); | 1512 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); |
| 1509 __ Branch(&slow_case, ne, at, Operand(zero_reg)); | 1513 __ Branch(&slow_case, ne, at, Operand(zero_reg)); |
| 1510 | 1514 |
| 1511 // Get the "prototype" (or initial map) of the {function}. | 1515 // Get the "prototype" (or initial map) of the {function}. |
| 1512 __ lw(function_prototype, | 1516 __ lw(function_prototype, |
| 1513 FieldMemOperand(function, JSFunction::kPrototypeOrInitialMapOffset)); | 1517 FieldMemOperand(function, JSFunction::kPrototypeOrInitialMapOffset)); |
| 1514 __ AssertNotSmi(function_prototype); | 1518 __ AssertNotSmi(function_prototype); |
| 1515 | 1519 |
| 1516 // Resolve the prototype if the {function} has an initial map. Afterwards the | 1520 // Resolve the prototype if the {function} has an initial map. Afterwards the |
| 1517 // {function_prototype} will be either the JSReceiver prototype object or the | 1521 // {function_prototype} will be either the JSReceiver prototype object or the |
| (...skipping 4222 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5740 return_value_operand, NULL); | 5744 return_value_operand, NULL); |
| 5741 } | 5745 } |
| 5742 | 5746 |
| 5743 | 5747 |
| 5744 #undef __ | 5748 #undef __ |
| 5745 | 5749 |
| 5746 } // namespace internal | 5750 } // namespace internal |
| 5747 } // namespace v8 | 5751 } // namespace v8 |
| 5748 | 5752 |
| 5749 #endif // V8_TARGET_ARCH_MIPS | 5753 #endif // V8_TARGET_ARCH_MIPS |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1810953002:
InstanceOfStub incorrectly interprets the hole as a prototype. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master