review.tizen.org Git - platform/upstream/v8.git/commit

author	dslomov <dslomov@chromium.org>
	Tue, 5 May 2015 19:56:56 +0000 (12:56 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Tue, 5 May 2015 19:57:04 +0000 (19:57 +0000)
commit	cf53fed972896bf23c037ce7ac9f8e1512463c62
tree	e78aa954940a98d26d8c9ca54329be1b41db1a77	tree \| snapshot
parent	c37f439b70b5b7bb97cbed77c322db787947861c	commit \| diff

Handle the case when derived constructor is [[Call]]ed with 0 args.

ArgumentsAdaptorStub for derived constructor (the one that needs
new.target) works in this way:
- If the constructor is invoked via the Construct stub, we know that
   actual arguments always include new.target. ``arguments`` object
   however should not include a new.target, therefore we remove it.
   We achieve this by decrementing the argument count.
- If the constructor is invoked as a call, we do not care for a correct
   ``arguments`` array since the constructor will immediately throw on
   entrance.
The bug is that the call could actually pass 0 actual arguments, but I
decrement unconditionally :(. The fix is to detect this case and avoid
decrementing. ``arguments`` is bogus, but it is ok as constructor
throws.

Long-term we should just remove mucking about with arguments for
new.target and just get it from the stack.

R=arv@chromium.org,rossberg@chromium.org
BUG=chromium:474783
LOG=Y

Review URL: https://codereview.chromium.org/1126783003

Cr-Commit-Position: refs/heads/master@{#28242}

src/arm/code-stubs-arm.cc		diff \| blob \| history
src/arm64/code-stubs-arm64.cc		diff \| blob \| history
src/ia32/code-stubs-ia32.cc		diff \| blob \| history
src/mips/code-stubs-mips.cc		diff \| blob \| history
src/mips64/code-stubs-mips64.cc		diff \| blob \| history
src/x64/code-stubs-x64.cc		diff \| blob \| history
test/mjsunit/es6/regress/regress-474783.js	[new file with mode: 0644]	blob