According to ES10.0, if an object does not define or inherit "@@hasInstance" it uses the default "instanceof" semantics. When changing the value of "__proto__" of an object into "String", the algorithm to be used will be "Function.prototype[@@hasInstance]" instead of the default semantics. So the output of the testcase below is "false" as other engines do. This may be an issue of JavaScriptCore.

#### version
dbae081

#### command
webkit/WebKitBuild/Debug/bin/jsc testcase.js testcase.js

#### testcase
var obj = {__proto__:String};
var result = "hello" instanceof obj;
print(result);

#### output
TypeError: obj is not a function. (evaluating '"hello" instanceof obj')

#### expected output
false

contributor:Yuan Wang
<rdar://problem/69396430>
Sorry, I accidentally entered the wrong command.

#### Right command
webkit/WebKitBuild/Debug/bin/jsc testcase.js
(In reply to NWU_NISL from comment #0)
> #### testcase
> var obj = {__proto__:String};
> var result = "hello" instanceof obj;
> print(result);

https://test262.report/browse/language/expressions/instanceof/prototype-getter-with-primitive.js failure seems to be related. To fix this, JSObject::{hasInstance,defaultHasInstance} should be redesigned to accept a constructor instead of a prototype. Also, we'd need to make sure that primitives are correctly handled by JIT tiers.
Yes, and if it is possible, we should avoid bloating bytecodes for instanceof. Currently, our implementation is not so good...
(In reply to Yusuke Suzuki from comment #4)
> Yes, and if it is possible, we should avoid bloating bytecodes for
> instanceof. Currently, our implementation is not so good...

Absolutely, it is the bytecode count that makes this change quite complicated. The best I could do is +1.
Created attachment 421996 [details] WIP
Created attachment 433333 [details] WIP
Created attachment 433364 [details] WIP Introduce JSCell::isJSFunction(), fix ASSERT in emitNodeInTailPosition() and use correct uint8_t comparison in LLInt's op_is_cell_with_type.
Created attachment 433615 [details] WIP Don't use 'bba' in LLInt in attempt to fix MASM build, fix JSCallbackObject<Parent>::customHasInstance() to use callFrame->thisValue(), fix JSValueIsInstanceOfConstructor to call hasInstance(), don't perform defaultHasInstance() for JSCallbackConstructor as it's non-callable, and swap arguments inside checkForbiddenPrototype().
Created attachment 433675 [details] WIP Revert r161564 and introduce isNonCallableAPIObjectThatPerformsDefaultHasInstance() instead to ensure correct 'instanceof' behavior for API objects, fix arguments for operationInstanceOfOptimize() to fix 32-bit build, and replace 'bbb' with LLInt instruction that sets value in attempt to fix MASM build.
Created attachment 433694 [details] WIP Bring back accidentally removed throwException() to JSObject::hasInstance(), remove UntypedUse assert in compileInstanceOf() from 32-bit builds, and hoist 'getu' LLInt instructions in attempt to fix MASM build.
Created attachment 433737 [details] WIP Introduce _llint_slow_path_is_cell_with_type for MSVC targets in attempt to fix Windows builds, augment JSTypeRange with fromBits() / rawBits() to clean up casts, pass correct OpInfo for IsCellWithType in op_iterator_open, and speculate cell for 'prototype' in 32-bit compileInstanceOf().
Created attachment 434051 [details] WIP Bring back Function.prototype[Symbol.hasInstance] being a built-in function, reland r161564, add microbenchmarks for Function.prototype[Symbol.hasInstance] and Object.prototype.isPrototypeOf, fix 'instanceof' not to throw on API objects that lack 'hasInstance', fix JSValueIsInstanceOfConstructor not to invoke Symbol.hasInstance on non-callable targets, merge JSObject::hasInstance() overrides for clarity, and improve testapi coverage.
Created attachment 435108 [details] Patch Add tests, move js* methods from Operations.h to CommonSlowPaths namespace, refine speculated type for InternalFunction to drop SpecObjectOther, adding DFG use kind / fixup rules and introducing SpecObjectMaybeCallable to preserve correct DFG folding.
*** This bug has been marked as a duplicate of bug 270065 ***