Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2163)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/crankshaft/hydrogen.cc

Issue 2621583002: [crankshaft] Properly deal with null prototype. (Closed)
Patch Set: Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-679202.js » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/crankshaft/hydrogen.cc
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index 69daeb4c57d36e53b77927a94aa13a31ac1ba1db..b9f7fc36d3a30e1992ff96353a6f76e866bd39f2 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -11352,8 +11352,11 @@ HControlInstruction* HOptimizedGraphBuilder::BuildCompareInstruction(
// We depend on the prototype chain to stay the same, because we
// also need to deoptimize when someone installs @@toPrimitive
// or @@toStringTag somewhere in the prototype chain.
- BuildCheckPrototypeMaps(handle(JSObject::cast(map->prototype())),
- Handle<JSObject>::null());
+ Handle<Object> prototype(map->prototype(), isolate());
+ if (prototype->IsJSObject()) {
+ BuildCheckPrototypeMaps(Handle<JSObject>::cast(prototype),
+ Handle<JSObject>::null());
+ }
AddCheckMap(left, map);
AddCheckMap(right, map);
// The caller expects a branch instruction, so make it happy.
« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-679202.js » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698