Changeset 41904 in webkit for trunk/JavaScriptCore/jit/JITStubs.cpp

Timestamp:

Mar 22, 2009, 9:31:39 PM (16 years ago)

Author:

[email protected]

Message:

Fix instanceof implementation to handle API object overriding hasInstance

Reviewed by Cameron Zwarich.

We can only take the fast paths for instanceof if the object doesn't override
hasInstance, so we have to check for that.

File:

• trunk/JavaScriptCore/jit/JITStubs.cpp (modified) (1 diff)

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -752 +752 @@
     }
 
-    if (!asObject(baseVal)->structure()->typeInfo().implementsHasInstance())
+    JSObject* baseObj = asObject(baseVal);
+    TypeInfo typeInfo = baseObj->structure()->typeInfo();
+    if (!typeInfo.implementsHasInstance())
         return JSValuePtr::encode(jsBoolean(false));
 
-    if (!proto.isObject()) {
-        throwError(callFrame, TypeError, "instanceof called on an object with an invalid prototype property.");
-        VM_THROW_EXCEPTION();
-    }
-        
-    if (!value.isObject())
-        return JSValuePtr::encode(jsBoolean(false));
-
-    JSValuePtr result = jsBoolean(asObject(baseVal)->hasInstance(callFrame, value, proto));
+    if (!typeInfo.overridesHasInstance()) {
+        if (!proto.isObject()) {
+            throwError(callFrame, TypeError, "instanceof called on an object with an invalid prototype property.");
+            VM_THROW_EXCEPTION();
+        }
+
+        if (!value.isObject())
+            return JSValuePtr::encode(jsBoolean(false));
+    }
+
+    JSValuePtr result = jsBoolean(baseObj->hasInstance(callFrame, value, proto));
     CHECK_FOR_EXCEPTION_AT_END();