JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=49606
Reviewed by Oliver Hunt.
The bug here is that we read the prototype from the RHS argument using a regular
op_get_by_id before op_instanceof has checked that this is an object implementing
HasInstance. This incorrect behaviour gives rise to further unnecessary complexity
in the code base, since we have additional logic (implemented using the
GetByIdExceptionInfo data structures on CodeBlock) to convert not an object errors
from the get_by_id into invalid parameter errors. Having fixed this bug this code
is all redundant, since in these cases the get_by_id will never have been reached.
(JSC::CodeBlock::dump):
(JSC::CodeBlock::shrinkToFit):
(JSC::CodeBlock::addExpressionInfo):
- bytecode/Opcode.h:
- bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitCheckHasInstance):
- bytecompiler/BytecodeGenerator.h:
- bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
- interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):
(JSC::Interpreter::privateExecute):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
- jit/JIT.h:
- jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::DEFINE_STUB_FUNCTION):
- jit/JITStubs.h:
- runtime/ExceptionHelpers.cpp:
(JSC::createInterruptedExecutionException):
(JSC::createTerminatedExecutionException):
(JSC::createUndefinedVariableError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
- runtime/ExceptionHelpers.h:
- runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
- runtime/JSGlobalData.h:
- runtime/JSNotAnObject.cpp:
(JSC::JSNotAnObject::toPrimitive):
(JSC::JSNotAnObject::getPrimitiveNumber):
(JSC::JSNotAnObject::toBoolean):
(JSC::JSNotAnObject::toNumber):
(JSC::JSNotAnObject::toString):
(JSC::JSNotAnObject::toObject):
(JSC::JSNotAnObject::getOwnPropertySlot):
(JSC::JSNotAnObject::getOwnPropertyDescriptor):
(JSC::JSNotAnObject::put):
(JSC::JSNotAnObject::deleteProperty):
(JSC::JSNotAnObject::getOwnPropertyNames):
(JSC::JSNotAnObject::JSNotAnObject):
(JSC::JSObject::isActivationObject):
(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::synthesizeObject):
(JSC::JSValue::synthesizePrototype):
LayoutTests: Bug 49606 - instanceof should only get the prototype property if the RHS operand implements HasInstance
Reviewed by Oliver Hunt.
- fast/js/instanceof-XMLHttpRequest-expected.txt: Copied from LayoutTests/fast/js/instanceof-operator-expected.txt.
- fast/js/instanceof-XMLHttpRequest.html: Copied from LayoutTests/fast/js/instanceof-operator.html.
- fast/js/script-tests/instanceof-XMLHttpRequest.js: Copied from LayoutTests/fast/js/script-tests/instanceof-operator.js.
- renamed existing testcase; these really test XMLHttpRequest objects, rather than the instanceof operator.
- fast/js/instanceof-operator-expected.txt:
- fast/js/script-tests/instanceof-operator.js:
- added test case for: javascript: ({} instanceof { get prototype(){ alert("Error!"); } })
