[torque] Check for prototype before loading it

sigurdschneider · Commit Bot · commit bdcc7502cb01 · 2019-08-30T09:37:23.000Z
Add a missing check for a prototype to GetDerivedMap. Bug: chromium:999310 Change-Id: I99c342a53e3b95bb7b624ff14c1c40576ee629df Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776092 Auto-Submit: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#63473}
diff --git a/src/builtins/base.tq b/src/builtins/base.tq
@@ -368,10 +368,16 @@ macro NewJSObject(implicit context: Context)(): JSObject {
   };
 }
 
+extern macro HasPrototypeSlot(JSFunction): bool;
+
 macro GetDerivedMap(implicit context: Context)(
     target: JSFunction, newTarget: JSReceiver): Map {
   try {
     const constructor = Cast<JSFunction>(newTarget) otherwise SlowPath;
+    if (!HasPrototypeSlot(constructor)) {
+      goto SlowPath;
+    }
+    assert(IsConstructor(constructor));
     const map =
         Cast<Map>(constructor.prototype_or_initial_map) otherwise SlowPath;
     if (LoadConstructorOrBackPointer(map) != target) {
diff --git a/src/codegen/code-stub-assembler.cc b/src/codegen/code-stub-assembler.cc
@@ -2767,6 +2767,11 @@ TNode<BoolT> CodeStubAssembler::IsGeneratorFunction(
                   Int32Constant(FunctionKind::kConciseGeneratorMethod))));
 }
 
+TNode<BoolT> CodeStubAssembler::HasPrototypeSlot(TNode<JSFunction> function) {
+  return TNode<BoolT>::UncheckedCast(IsSetWord32<Map::HasPrototypeSlotBit>(
+      LoadMapBitField(LoadMap(function))));
+}
+
 TNode<BoolT> CodeStubAssembler::HasPrototypeProperty(TNode<JSFunction> function,
                                                      TNode<Map> map) {
   // (has_prototype_slot() && IsConstructor()) ||
diff --git a/src/codegen/code-stub-assembler.h b/src/codegen/code-stub-assembler.h
@@ -1435,6 +1435,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
   TNode<Map> LoadJSArrayElementsMap(SloppyTNode<Int32T> kind,
                                     SloppyTNode<Context> native_context);
 
+  TNode<BoolT> HasPrototypeSlot(TNode<JSFunction> function);
   TNode<BoolT> IsGeneratorFunction(TNode<JSFunction> function);
   TNode<BoolT> HasPrototypeProperty(TNode<JSFunction> function, TNode<Map> map);
   void GotoIfPrototypeRequiresRuntimeLookup(TNode<JSFunction> function,
