
[turbofan] Fix type confusion in NodeProperties::InferReceiverMaps.

For JSCreate nodes with constant inputs we cannot simply assume that the
new.target input is a JSFunction, since it can essentially be any
JSReceiver that is a constructor, i.e. it can also be a JSBoundFunction.

Bug: chromium:801627
Change-Id: Ia37bf9c0a751e4665e1167a3771fbe166473c979
Reviewed-on: https://chromium-review.googlesource.com/866493
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50563}
bmeurer authored and Commit Bot committed Jan 15, 2018
1 parent 969fe7a commit e272a2f722422651cf5bbbe0168702ee5d38cfe8
Showing with 26 additions and 1 deletion.
  1. +2 −1 src/compiler/node-properties.cc
  2. +24 −0 test/mjsunit/regress/regress-crbug-801627.js
@@ -411,7 +411,8 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
if (IsSame(receiver, effect)) {
HeapObjectMatcher mtarget(GetValueInput(effect, 0));
HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
if (mtarget.HasValue() && mnewtarget.HasValue()) {
if (mtarget.HasValue() && mnewtarget.HasValue() &&
mnewtarget.Value()->IsJSFunction()) {
Handle<JSFunction> original_constructor =
Handle<JSFunction>::cast(mnewtarget.Value());
if (original_constructor->has_initial_map()) {
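Review bot: The new `mnewtarget.Value()->IsJSFunction()` condition that guards `Handle<JSFunction>::cast(mnewtarget.Value())` carries no comment, and the reason for it is recorded only in the commit message. Suggest a short comment above the `if` saying that the new.target input can be any constructor JSReceiver, for example a JSBoundFunction, so the cast is valid only after this check. Without it, a later cleanup could mistake the check for a redundant one and drop it.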
@@ -0,0 +1,24 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --enable-slow-asserts

class Base {
constructor() {
this.x = 1;
}
}

class Derived extends Base {
constructor() {
super();
}
}

// Feed a bound function as new.target
// to the profiler, so HeapObjectMatcher
// can find it.
Reflect.construct(Derived, [], Object.bind());
%OptimizeFunctionOnNextCall(Derived);
new Derived();
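Review bot: The test ends at `new Derived();` without a single assertion, so it can only fail by crashing or by tripping a check enabled through `--enable-slow-asserts` in the Flags line. Consider asserting on the result of the optimized call as well, for example `assertEquals(1, new Derived().x);`, so the test also verifies that the optimized constructor still produces the expected object after the bound function has been seen as new.target.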
