Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(121)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/crankshaft/hydrogen.cc

Issue 2504263004: [crankshaft] No need to rely on the @@hasInstance protector. (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/contexts.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/crankshaft/hydrogen.cc
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index 731d9484d2fa6fe76f6a663e42d4732b4b2ed228..dfb84bb825eec73b62e7889f624155d64914835f 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -11207,24 +11207,37 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
HConstant::cast(right)->handle(isolate())->IsJSFunction()) {
Handle<JSFunction> function =
Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
- // Make sure the prototype of {function} is the %FunctionPrototype%, and
- // it already has a meaningful initial map (i.e. we constructed at least
- // one instance using the constructor {function}).
- // We can only use the fast case if @@hasInstance was not used so far.
- if (function->has_initial_map() &&
- function->map()->prototype() ==
- function->native_context()->closure() &&
- !function->map()->has_non_instance_prototype() &&
- isolate()->IsHasInstanceLookupChainIntact()) {
- Handle<Map> initial_map(function->initial_map(), isolate());
- top_info()->dependencies()->AssumeInitialMapCantChange(initial_map);
- top_info()->dependencies()->AssumePropertyCell(
- isolate()->factory()->has_instance_protector());
- HInstruction* prototype =
- Add<HConstant>(handle(initial_map->prototype(), isolate()));
- HHasInPrototypeChainAndBranch* result =
- New<HHasInPrototypeChainAndBranch>(left, prototype);
- return ast_context()->ReturnControl(result, expr->id());
+ // Make sure that the {function} already has a meaningful initial map
+ // (i.e. we constructed at least one instance using the constructor
+ // {function}).
+ if (function->has_initial_map()) {
+ // Lookup @@hasInstance on the {function}.
+ Handle<Map> function_map(function->map(), isolate());
+ PropertyAccessInfo has_instance(
+ this, LOAD, function_map,
+ isolate()->factory()->has_instance_symbol());
+ // Check if we are using the Function.prototype[@@hasInstance].
+ if (has_instance.CanAccessMonomorphic() &&
+ has_instance.IsDataConstant() &&
+ has_instance.constant().is_identical_to(
+ isolate()->function_has_instance())) {
+ // Add appropriate receiver map check and prototype chain
+ // checks to guard the @@hasInstance lookup chain.
+ AddCheckMap(right, function_map);
+ if (has_instance.has_holder()) {
+ Handle<JSObject> prototype(
+ JSObject::cast(has_instance.map()->prototype()), isolate());
+ BuildCheckPrototypeMaps(prototype, has_instance.holder());
+ }
+ // Perform the prototype chain walk.
+ Handle<Map> initial_map(function->initial_map(), isolate());
+ top_info()->dependencies()->AssumeInitialMapCantChange(initial_map);
+ HInstruction* prototype =
+ Add<HConstant>(handle(initial_map->prototype(), isolate()));
+ HHasInPrototypeChainAndBranch* result =
+ New<HHasInPrototypeChainAndBranch>(left, prototype);
+ return ast_context()->ReturnControl(result, expr->id());
+ }
}
}
« no previous file with comments | « src/contexts.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698