Assertion failure for bound function with custom prototype and Reflect.construct
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 May 2016 08:09:21 +0000 (08:09 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 May 2016 08:09:21 +0000 (08:09 +0000)
commit176ea0178fa2d9632e8e78dd3133e55576eb33f5
tree4146fbfa065de5092d1037f88f3f99a9e8e24c7b
parent30fa56123c15e6c8307812695258e8aed5ab9466
Assertion failure for bound function with custom prototype and Reflect.construct
https://bugs.webkit.org/show_bug.cgi?id=157081

Reviewed by Saam Barati.

We ensured `newTarget != exec->callee()`. However, it does not mean `newTarget.get("prototype") != exec->callee()->get("prototype")`.
When the given `prototype` is the same to `baseStructure->sotredPrototype()`, it is unnecessary to create a new structure from this
baseStructure.

* bytecode/InternalFunctionAllocationProfile.h:
(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
* tests/stress/custom-prototype-may-be-same-to-original-one.js: Added.
(shouldBe):
(boundFunction):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200319 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h
Source/JavaScriptCore/tests/stress/custom-prototype-may-be-same-to-original-one.js [new file with mode: 0644]