WebKit GIT trees - WebKit-https.git/commit

generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
https://bugs.webkit.org/show_bug.cgi?id=186363

Rubber-stamped by Filip Pizlo.

JSTests:

* stress/instance-of-on-poly-proto-opc-should-not-crash.js: Added.

Source/JavaScriptCore:

The code was assuming that the object it was creating an OPC for always
had a non-poly-proto structure. However, this assumption was wrong. For
example, an object in the prototype chain could be poly proto. That type
of object graph would cause a crash in this code. This patch makes it so
that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
object as we traverse the prototype chain.

* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForInstanceOf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232562 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 7 Jun 2018 00:01:31 +0000 (00:01 +0000)
committer	sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 7 Jun 2018 00:01:31 +0000 (00:01 +0000)
commit	16b2378e5c046b46026747b835c03d3f779b7c11
tree	66e252267c9032b97b4940eacda4cfb9e953c2f5	tree \| snapshot
parent	8d1eb17a4e5961fab3ec84b099d6ad6dd425fb4f	commit \| diff

JSTests/ChangeLog		diff \| blob \| history
JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js	[new file with mode: 0644]	blob
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp		diff \| blob \| history