mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-20 16:55:40 +00:00
1c38bd4e40
Based on discussions with :djvj, it seems that this IC attachment logic is
overly conservative. We're seeing a case where the `__proto__` of a constructor
function is reassigned, which causes all instanceof ICs to fail to attach. The
test case is like:
function C() { /* ... */ }
C.__proto__ = D;
var o = new C();
var result = o instanceof C; // this IC fails to attach
This change generalizes the IC attachment logic to check whether @@hasInstance
is defined anywhere below Function in the prototype chain of the RHS. If not,
it is still safe to attach the IC; the IC simply needs to guard on the
prototype chain to ensure no @@hasInstance override is inserted later.
Differential Revision: https://phabricator.services.mozilla.com/D42366
--HG--
extra : moz-landing-system : lando
|
||
|---|---|---|
| .. | ||
| ductwork/debugger | ||
| examples | ||
| ipc | ||
| public | ||
| rust | ||
| src | ||
| xpconnect | ||
| app.mozbuild | ||
| ffi.configure | ||
| moz.build | ||
| moz.configure | ||
| sub.configure | ||