RESOLVED DUPLICATE of bug 270065 216816
An issue about evaluating instanceof
https://bugs.webkit.org/show_bug.cgi?id=216816
Summary An issue about evaluating instanceof
NWU_NISL
Reported 2020-09-22 01:28:19 PDT
According to ES10.0, if an object does not define or inherit "@@hasInstance" it uses the default "instanceof" semantics. When changing the value of "__proto__" of an object into "String", the algorithm to be used will be "Function.prototype[@@hasInstance]" instead of the default semantics. So the output of the testcase below is "false" as other engines do. This may be an issue of JavaScriptCore.

#### version
dbae081

#### command
webkit/WebKitBuild/Debug/bin/jsc testcase.js testcase.js

#### testcase
var obj = {__proto__:String};
var result = "hello" instanceof obj;
print(result);

#### output
TypeError: obj is not a function. (evaluating '"hello" instanceof obj')

#### expected output
false

contributor:Yuan Wang
Attachments
WIP (143.96 KB, patch)
2021-03-02 14:16 PST, Alexey Shvayka
no flags
WIP (163.64 KB, patch)
2021-07-12 11:20 PDT, Alexey Shvayka
ews-feeder: commit-queue-
WIP (164.22 KB, patch)
2021-07-12 15:09 PDT, Alexey Shvayka
no flags
WIP (167.41 KB, patch)
2021-07-15 13:01 PDT, Alexey Shvayka
no flags
WIP (169.59 KB, patch)
2021-07-16 07:20 PDT, Alexey Shvayka
no flags
WIP (169.64 KB, patch)
2021-07-16 12:47 PDT, Alexey Shvayka
no flags
WIP (171.89 KB, patch)
2021-07-17 19:26 PDT, Alexey Shvayka
no flags
WIP (177.50 KB, patch)
2021-07-22 18:30 PDT, Alexey Shvayka
no flags
Patch (190.09 KB, patch)
2021-08-06 19:57 PDT, Alexey Shvayka
no flags
Radar WebKit Bug Importer
Comment 1 2020-09-22 15:42:42 PDT
NWU_NISL
Comment 2 2020-09-24 20:31:27 PDT
Sorry, I accidentally entered the wrong command.

#### Right command
webkit/WebKitBuild/Debug/bin/jsc testcase.js
Alexey Shvayka
Comment 3 2020-09-29 12:59:11 PDT
(In reply to NWU_NISL from comment #0)
> #### testcase
> var obj = {__proto__:String};
> var result = "hello" instanceof obj;
> print(result);

https://test262.report/browse/language/expressions/instanceof/prototype-getter-with-primitive.js failure seems to be related. To fix this, JSObject::{hasInstance,defaultHasInstance} should be redesigned to accept a constructor instead of a prototype. Also, we'd need to make sure that primitives are correctly handled by JIT tiers.
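As an added illustration, not code from the report or from JavaScriptCore: a small model of the ES2019 InstanceofOperator and OrdinaryHasInstance steps, showing why the testcase from comment 0 must evaluate to false, and why a primitive left operand must never read the constructor's "prototype" (the test262 failure mentioned above). The function names and the constructed arrow-function target are the example's own.

```javascript
// Added example (not JavaScriptCore code): a model of ES2019 12.10.4 InstanceofOperator
// and 7.3.19 OrdinaryHasInstance. Bound-function handling (OrdinaryHasInstance step 2)
// is omitted because no bound functions are created here.
const isCallable = (v) => typeof v === "function";
const isObject = (v) => (typeof v === "object" && v !== null) || isCallable(v);
const FUNCTION_PROTO_HAS_INSTANCE = Function.prototype[Symbol.hasInstance];

// 7.3.19 OrdinaryHasInstance(C, O)
function ordinaryHasInstance(C, O) {
  if (!isCallable(C)) return false;     // step 1: non-callable constructor -> false
  if (!isObject(O)) return false;       // step 3: primitive O -> false, before Get(C, "prototype")
  const P = C.prototype;                // step 4: this Get may run a getter
  if (!isObject(P)) throw new TypeError("prototype is not an object");
  for (let o = Object.getPrototypeOf(O); o !== null; o = Object.getPrototypeOf(o)) {
    if (o === P) return true;           // step 6: walk O's prototype chain
  }
  return false;
}

// 12.10.4 InstanceofOperator(V, target)
function instanceofOperator(V, target) {
  if (!isObject(target)) throw new TypeError("right-hand side is not an object");
  const handler = target[Symbol.hasInstance];          // step 2: GetMethod(target, @@hasInstance)
  if (handler !== undefined && handler !== null) {
    // Function.prototype[@@hasInstance] is specified as OrdinaryHasInstance(this, V);
    // route it through the model so the whole path stays visible.
    if (handler === FUNCTION_PROTO_HAS_INSTANCE) return ordinaryHasInstance(target, V);
    return Boolean(handler.call(target, V));           // step 3: ToBoolean(Call(handler, target, V))
  }
  if (!isCallable(target)) throw new TypeError("right-hand side is not callable");
  return ordinaryHasInstance(target, V);               // step 5
}

// The reporter's testcase: obj inherits @@hasInstance from Function.prototype via
// String, so the handler runs with a non-callable `this` and returns false.
function reporterCase() {
  const obj = { __proto__: String };
  return instanceofOperator("hello", obj);             // false, no TypeError
}

// Primitive left operand: result is false and the "prototype" getter is never read.
function primitiveSkipsPrototypeGetter() {
  let getterCalls = 0;
  const F = () => {};                                  // arrow: no own "prototype", so a getter can be installed
  Object.defineProperty(F, "prototype", { get() { getterCalls++; return {}; } });
  return { result: instanceofOperator("hello", F), getterCalls };
}
```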
Yusuke Suzuki
Comment 4 2021-03-02 14:02:50 PST
Yes, and if it is possible, we should avoid bloating bytecodes for instanceof. Currently, our implementation is not so good...
Alexey Shvayka
Comment 5 2021-03-02 14:13:10 PST
(In reply to Yusuke Suzuki from comment #4)
> Yes, and if it is possible, we should avoid bloating bytecodes for
> instanceof. Currently, our implementation is not so good...

Absolutely, it is the bytecode count that makes this change quite complicated. The best I could do is +1.
Alexey Shvayka
Comment 6 2021-03-02 14:16:18 PST
Alexey Shvayka
Comment 7 2021-07-12 11:20:07 PDT
Alexey Shvayka
Comment 8 2021-07-12 15:09:32 PDT
Created attachment 433364 [details] WIP Introduce JSCell::isJSFunction(), fix ASSERT in emitNodeInTailPosition() and use correct uint8_t comparison in LLInt's op_is_cell_with_type.
Alexey Shvayka
Comment 9 2021-07-15 13:01:30 PDT
Created attachment 433615 [details] WIP Don't use 'bba' in LLInt in attempt to fix MASM build, fix JSCallbackObject<Parent>::customHasInstance() to use callFrame->thisValue(), fix JSValueIsInstanceOfConstructor to call hasInstance(), don't perform defaultHasInstance() for JSCallbackConstructor as it's non-callable, and swap arguments inside checkForbiddenPrototype().
Alexey Shvayka
Comment 10 2021-07-16 07:20:08 PDT
Created attachment 433675 [details] WIP Revert r161564 and introduce isNonCallableAPIObjectThatPerformsDefaultHasInstance() instead to ensure correct 'instanceof' behavior for API objects, fix arguments for operationInstanceOfOptimize() to fix 32-bit build, and replace 'bbb' with LLInt instruction that sets value in attempt to fix MASM build.
Alexey Shvayka
Comment 11 2021-07-16 12:47:37 PDT
Created attachment 433694 [details] WIP Bring back accidentally removed throwException() to JSObject::hasInstance(), remove UntypedUse assert in compileInstanceOf() from 32-bit builds, and hoist 'getu' LLInt instructions in attempt to fix MASM build.
Alexey Shvayka
Comment 12 2021-07-17 19:26:00 PDT
Created attachment 433737 [details] WIP Introduce _llint_slow_path_is_cell_with_type for MSVC targets in attempt to fix Windows builds, augment JSTypeRange with fromBits() / rawBits() to clean up casts, pass correct OpInfo for IsCellWithType in op_iterator_open, and speculate cell for 'prototype' in 32-bit compileInstanceOf().
Alexey Shvayka
Comment 13 2021-07-22 18:30:38 PDT
Created attachment 434051 [details] WIP Bring back Function.prototype[Symbol.hasInstance] being a built-in function, reland r161564, add microbenchmarks for Function.prototype[Symbol.hasInstance] and Object.prototype.isPrototypeOf, fix 'instanceof' not to throw on API objects that lack 'hasInstance', fix JSValueIsInstanceOfConstructor not to invoke Symbol.hasInstance on non-callable targets, merge JSObject::hasInstance() overrides for clarity, and improve testapi coverage.
Alexey Shvayka
Comment 14 2021-08-06 19:57:08 PDT
Created attachment 435108 [details] Patch Add tests, move js* methods from Operations.h to CommonSlowPaths namespace, refine speculated type for InternalFunction to drop SpecObjectOther, adding DFG use kind / fixup rules and introducing SpecObjectMaybeCallable to preserve correct DFG folding.
Alexey Shvayka
Comment 15 2024-07-13 17:31:41 PDT
*** This bug has been marked as a duplicate of bug 270065 ***