| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #if V8_TARGET_ARCH_MIPS64 | 5 #if V8_TARGET_ARCH_MIPS64 |
| 6 | 6 |
| 7 #include "src/code-stubs.h" | 7 #include "src/code-stubs.h" |
| 8 #include "src/api-arguments.h" | 8 #include "src/api-arguments.h" |
| 9 #include "src/bootstrapper.h" | 9 #include "src/bootstrapper.h" |
| 10 #include "src/codegen.h" | 10 #include "src/codegen.h" |
| (...skipping 1481 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1492 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); | 1492 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); |
| 1493 __ Ret(USE_DELAY_SLOT); | 1493 __ Ret(USE_DELAY_SLOT); |
| 1494 __ LoadRoot(v0, Heap::kFalseValueRootIndex); // In delay slot. | 1494 __ LoadRoot(v0, Heap::kFalseValueRootIndex); // In delay slot. |
| 1495 | 1495 |
| 1496 // Fast-case: The {function} must be a valid JSFunction. | 1496 // Fast-case: The {function} must be a valid JSFunction. |
| 1497 __ bind(&fast_case); | 1497 __ bind(&fast_case); |
| 1498 __ JumpIfSmi(function, &slow_case); | 1498 __ JumpIfSmi(function, &slow_case); |
| 1499 __ GetObjectType(function, function_map, scratch); | 1499 __ GetObjectType(function, function_map, scratch); |
| 1500 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); | 1500 __ Branch(&slow_case, ne, scratch, Operand(JS_FUNCTION_TYPE)); |
| 1501 | 1501 |
| 1502 // Go to the runtime if the function is not a constructor. |
| 1503 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); |
| 1504 __ And(at, scratch, Operand(1 << Map::kIsConstructor)); |
| 1505 __ Branch(&slow_case, eq, at, Operand(zero_reg)); |
| 1506 |
| 1502 // Ensure that {function} has an instance prototype. | 1507 // Ensure that {function} has an instance prototype. |
| 1503 __ lbu(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset)); | |
| 1504 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); | 1508 __ And(at, scratch, Operand(1 << Map::kHasNonInstancePrototype)); |
| 1505 __ Branch(&slow_case, ne, at, Operand(zero_reg)); | 1509 __ Branch(&slow_case, ne, at, Operand(zero_reg)); |
| 1506 | 1510 |
| 1507 // Get the "prototype" (or initial map) of the {function}. | 1511 // Get the "prototype" (or initial map) of the {function}. |
| 1508 __ ld(function_prototype, | 1512 __ ld(function_prototype, |
| 1509 FieldMemOperand(function, JSFunction::kPrototypeOrInitialMapOffset)); | 1513 FieldMemOperand(function, JSFunction::kPrototypeOrInitialMapOffset)); |
| 1510 __ AssertNotSmi(function_prototype); | 1514 __ AssertNotSmi(function_prototype); |
| 1511 | 1515 |
| 1512 // Resolve the prototype if the {function} has an initial map. Afterwards the | 1516 // Resolve the prototype if the {function} has an initial map. Afterwards the |
| 1513 // {function_prototype} will be either the JSReceiver prototype object or the | 1517 // {function_prototype} will be either the JSReceiver prototype object or the |
| (...skipping 4254 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5768 return_value_operand, NULL); | 5772 return_value_operand, NULL); |
| 5769 } | 5773 } |
| 5770 | 5774 |
| 5771 | 5775 |
| 5772 #undef __ | 5776 #undef __ |
| 5773 | 5777 |
| 5774 } // namespace internal | 5778 } // namespace internal |
| 5775 } // namespace v8 | 5779 } // namespace v8 |
| 5776 | 5780 |
| 5777 #endif // V8_TARGET_ARCH_MIPS64 | 5781 #endif // V8_TARGET_ARCH_MIPS64 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1810953002:
InstanceOfStub incorrectly interprets the hole as a prototype. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master