Object.prototype.isPrototypeOf() should check if the passed in value is a non-object...
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Dec 2019 22:57:17 +0000 (22:57 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Dec 2019 22:57:17 +0000 (22:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=204971
<rdar://problem/57730080>

Reviewed by Saam Barati.

JSTests:

* stress/object-prototype-isPrototypeOf-should-check-for-non-object-first.js: Added.

Source/JavaScriptCore:

The spec says Object.prototype.isPrototypeOf() should do checks in the following
order:
1. If Type(V) is not Object, return false.
2. Let O be ? ToObject(this value).
...
We were previously checking (2) before (1).  This patch fixes this order.

Ref: http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof

* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncIsPrototypeOf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253264 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/object-prototype-isPrototypeOf-should-check-for-non-object-first.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ObjectPrototype.cpp

index 0dbe32c..d8cf33d 100644 (file)
@@ -1,3 +1,13 @@
+2019-12-07  Mark Lam  <mark.lam@apple.com>
+
+        Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first.
+        https://bugs.webkit.org/show_bug.cgi?id=204971
+        <rdar://problem/57730080>
+
+        Reviewed by Saam Barati.
+
+        * stress/object-prototype-isPrototypeOf-should-check-for-non-object-first.js: Added.
+
 2019-12-06  Mark Lam  <mark.lam@apple.com>
 
         The compiler thread should not adjust Identifier refCounts.
diff --git a/JSTests/stress/object-prototype-isPrototypeOf-should-check-for-non-object-first.js b/JSTests/stress/object-prototype-isPrototypeOf-should-check-for-non-object-first.js
new file mode 100644 (file)
index 0000000..752dcbc
--- /dev/null
@@ -0,0 +1,16 @@
+//@ runDefault
+
+var result;
+var exception = undefined;
+try {
+    result = Object.prototype.isPrototypeOf.call(null);
+} catch (e) {
+    exception = e;
+}
+
+if (typeof exception != "undefined")
+    throw "FAILED";
+if (typeof result != "boolean")
+    throw "FAILED";
+if (result != false)
+    throw "FAILED";
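Review bot: the test exercises only one input, `Object.prototype.isPrototypeOf.call(null)`, where V is implicitly undefined, so it does not pin the ordering for other non-object values or from the other direction. Consider adding cases with a primitive or explicit null argument and a null or undefined this value, plus a case where the argument is an object and the this value is null, which should still throw because step 2 (ToObject on the this value) is reached. The three checks also all throw the same string "FAILED", so a failure does not say whether an exception was raised, the type was wrong, or the value was wrong; distinct messages would make a regression easier to triage.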
index a765a89..c474b19 100644 (file)
@@ -1,3 +1,23 @@
+2019-12-07  Mark Lam  <mark.lam@apple.com>
+
+        Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first.
+        https://bugs.webkit.org/show_bug.cgi?id=204971
+        <rdar://problem/57730080>
+
+        Reviewed by Saam Barati.
+
+        The spec says Object.prototype.isPrototypeOf() should do checks in the following
+        order:
+        1. If Type(V) is not Object, return false.
+        2. Let O be ? ToObject(this value).
+        ...
+        We were previously checking (2) before (1).  This patch fixes this order.
+
+        Ref: http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof
+
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncIsPrototypeOf):
+
 2019-12-07  Saam Barati  <sbarati@apple.com>
 
         Unreviewed. Roll out r253201. It was not a progression on any benchmarks, and was 8% slower on JetStream 2 ML.
index 79b693b..c05712b 100644 (file)
@@ -121,15 +121,15 @@ EncodedJSValue JSC_HOST_CALL objectProtoFuncIsPrototypeOf(JSGlobalObject* global
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
+    if (!callFrame->argument(0).isObject())
+        return JSValue::encode(jsBoolean(false));
+
     JSValue thisValue = callFrame->thisValue().toThis(globalObject, StrictMode);
     JSObject* thisObj = thisValue.toObject(globalObject);
     EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
 
-    if (!callFrame->argument(0).isObject())
-        return JSValue::encode(jsBoolean(false));
-
     JSValue v = asObject(callFrame->argument(0))->getPrototype(vm, globalObject);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
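Review bot: the early return added at the top of objectProtoFuncIsPrototypeOf carries no comment explaining that it must stay ahead of the `toThis` / `toObject` calls, and since the two orderings differ only in whether an exception is observable, a later cleanup could move it back without anyone noticing. A one-line comment above `if (!callFrame->argument(0).isObject())` naming spec step 1 ("If Type(V) is not Object, return false") would document the constraint. As a smaller style point, `callFrame->argument(0)` is now read in the early check and again in `asObject(callFrame->argument(0))`; holding it in a local JSValue would make it clear both uses refer to the same value.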