42 lines
1.4 KiB
JavaScript
42 lines
1.4 KiB
JavaScript
description(
|
|
"instanceof test"
|
|
);
|
|
|
|
getterCalled = false;
|
|
try {
|
|
({} instanceof { get prototype(){ getterCalled = true; } });
|
|
} catch (e) {
|
|
}
|
|
shouldBeFalse("getterCalled");
|
|
|
|
// Regression test for <https://webkit.org/b/129768>.
|
|
// This test should not crash.
|
|
function dummyFunction() {}
|
|
var c = dummyFunction.bind();
|
|
|
|
function foo() {
|
|
// To reproduce the issue of <https://webkit.org/b/129768>, we need to do
|
|
// an instanceof test against an object that has the following attributes:
|
|
// ImplementsHasInstance, and OverridesHasInstance. A bound function fits
|
|
// the bill.
|
|
var result = c instanceof c;
|
|
|
|
// This is where the op_check_has_instance bytecode jumps to after the
|
|
// instanceof test. At this location, we need the word at offset 1 to be
|
|
// a ridiculously large value that can't be a valid stack register index.
|
|
// To achieve that, we use an op_loop_hint followed by any other bytecode
|
|
// instruction. The op_loop_hint takes up exactly 1 word, and the word at
|
|
// offset 1 that follows after is the opcode of the next instruction. In
|
|
// the LLINT, that opcode value will be a pointer to the opcode handler
|
|
// which will be large and exactly what we need. Hence, we plant a loop
|
|
// here for the op_loop_hint, and have some instruction inside the loop.
|
|
while (true) {
|
|
var dummy2 = 123456789;
|
|
break;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
shouldBeFalse("foo()");
|
|
|