From a5331d6426f2412ca2dc3c1a90f7247b501b777c Mon Sep 17 00:00:00 2001
From: "ager@chromium.org"
Date: Thu, 25 Jun 2009 11:35:03 +0000
Subject: [PATCH] Fix instance type check in apply optimization.

We accidentally compared a map address with an instance type. This fix additionally avoids an upper bounds check that is not needed.

Review URL: http://codereview.chromium.org/149003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2272 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/ia32/codegen-ia32.cc | 8 ++++++--
 test/mjsunit/arguments-apply.js | 7 +++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index 970a4ea..9bc6290 100644
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -2184,10 +2184,14 @@ void CodeGenerator::CallApplyLazy(Property* apply,
 __ test(receiver.reg(), Immediate(kSmiTagMask));
 build_args.Branch(zero);
 Result tmp = allocator_->Allocate();
+ // We allow all JSObjects including JSFunctions. As long as
+ // JS_FUNCTION_TYPE is the last instance type and it is right
+ // after LAST_JS_OBJECT_TYPE, we do not have to check the upper
+ // bound.
+ ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
+ ASSERT(JS_FUNCTION_TYPE == LAST_JS_OBJECT_TYPE + 1);
 __ CmpObjectType(receiver.reg(), FIRST_JS_OBJECT_TYPE, tmp.reg());
 build_args.Branch(less);
- __ cmp(tmp.reg(), LAST_JS_OBJECT_TYPE);
- build_args.Branch(greater);
 }

 // Verify that we're invoking Function.prototype.apply.
diff --git a/test/mjsunit/arguments-apply.js b/test/mjsunit/arguments-apply.js
index d8172cc..5a91228 100644
--- a/test/mjsunit/arguments-apply.js
+++ b/test/mjsunit/arguments-apply.js
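Review bot: The two ASSERT lines added before the CmpObjectType call are debug-only checks, so in a release build nothing enforces the assumption that lets the upper-bound compare be dropped: if an instance type is ever added after JS_FUNCTION_TYPE, a receiver of that type would pass the single `less` branch and reach the optimized apply path as though it were a JSObject, a type confusion in generated code rather than an assertion failure. Both conditions compare enum constants, so they can be enforced at compile time in every build mode, e.g. `STATIC_ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);` and `STATIC_ASSERT(JS_FUNCTION_TYPE == LAST_JS_OBJECT_TYPE + 1);`, if that macro is available in this tree. The comment above them could also state explicitly that the upper bound is intentionally absent, so that a later change to the instance type enum is caught in review as well as at build time. CallApplyLazy begins and ends outside this hunk.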
@@ -80,6 +80,13 @@
 assertTrue(this === NonObjectReceiver(null));
 assertTrue(this === NonObjectReceiver(void 0));

+function FunctionReceiver() {
+ return ReturnReceiver.apply(Object, arguments);
+}
+
+assertTrue(Object === FunctionReceiver());
+
+
 function ShadowApply() {
 function f() { return 42; }
 f.apply = function() { return 87; }
-- 
2.7.4