Skip to content

Commit

Permalink
deps: cherry-pick 79aee39 from upstream v8
Browse files Browse the repository at this point in the history
This is a chery-pick if you consider reducing the context to -C2
a cherry-pick; WordIsSmi has been renamed to TaggedIsSmi upstream.

Original commit message:

    [builtins] Fix pointer comparison in ToString builtin.

    This fixes the bogus {Word32Equal} comparison in the ToString
    builtin implementing Object.prototype.toString to be a pointer-size
    {WordEqual} comparison instead. Comparing just the lower half-word
    is insufficient on 64-bit architectures.

    R=jgruber@chromium.org
    TEST=mjsunit/regress/regress-crbug-664506
    BUG=chromium:664506

    Review-Url: https://codereview.chromium.org/2496043003
    Cr-Commit-Position: refs/heads/master@{#40963}

Fixes: #12411
PR-URL: #12412
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
  • Loading branch information
bnoordhuis committed Apr 19, 2017
1 parent 9f73df5 commit f882f47
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 2 additions & 2 deletions deps/v8/src/builtins/builtins-object.cc
Original file line number Diff line number Diff line change
Expand Up @@ -300,10 +300,10 @@ void Builtins::Generate_ObjectProtoToString(CodeStubAssembler* assembler) {
Node* context = assembler->Parameter(3);

assembler->GotoIf(
assembler->Word32Equal(receiver, assembler->UndefinedConstant()),
assembler->WordEqual(receiver, assembler->UndefinedConstant()),
&return_undefined);

assembler->GotoIf(assembler->Word32Equal(receiver, assembler->NullConstant()),
assembler->GotoIf(assembler->WordEqual(receiver, assembler->NullConstant()),
&return_null);

assembler->GotoIf(assembler->WordIsSmi(receiver), &return_number);
Expand Down
11 changes: 11 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-664506.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-gc --predictable --random-seed=-1109634722

gc();
gc();
assertEquals("[object Object]", Object.prototype.toString.call({}));
gc();
assertEquals("[object Array]", Object.prototype.toString.call([]));

0 comments on commit f882f47

Please sign in to comment.