Remove invalid assertion in operationInstanceOfCustom
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 12 Apr 2019 01:04:32 +0000 (01:04 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 12 Apr 2019 01:04:32 +0000 (01:04 +0000)
commit    ed584f3c1a063cfe5a2eb86043e95deb156c51b3
tree      280d19c728699ca251777fb29fe6c97967326430
parent    a09f0de05530904a1c529a1fb89c5233189e7bce
Remove invalid assertion in operationInstanceOfCustom
https://bugs.webkit.org/show_bug.cgi?id=196842
<rdar://problem/49725493>

Reviewed by Michael Saboff.

JSTests:

* stress/operationInstanceOfCustom-bad-assertion.js: Added.

Source/JavaScriptCore:

In the generated JIT code, we go to the slow path when the incoming function
isn't the Node's CodeOrigin's functionProtoHasInstanceSymbolFunction. However,
in the JIT operation, we were asserting against exec->lexicalGlobalObject()'s
functionProtoHasInstanceSymbolFunction. That assertion might be wrong when
inlining across global objects as exec->lexicalGlobalObject() uses the machine
frame for procuring the global object. There is no harm when this assertion fails
as we just execute the slow path. This patch removes the assertion. (However, this
does shed light on the deficiency in our exec->lexicalGlobalObject() function with
respect to inlining. However, this isn't new -- we've known about this for a while.)

* jit/JITOperations.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244206 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/operationInstanceOfCustom-bad-assertion.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp