From 45335d1753e22c958a491bf87f74e25bbfc92f63 Mon Sep 17 00:00:00 2001
From: Bill McCloskey
Date: Thu, 27 Sep 2012 20:20:11 -0700
Subject: [PATCH] Bug 794947 - Add check for lazy proto in ion code (r=dvander)

---
 js/src/ion/CodeGenerator.cpp | 7 +++++--
 js/src/jit-test/tests/basic/bug794947.js | 10 ++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bug794947.js

diff --git a/js/src/ion/CodeGenerator.cpp b/js/src/ion/CodeGenerator.cpp
index a0be0bc0616..905fc097b27 100644
--- a/js/src/ion/CodeGenerator.cpp
+++ b/js/src/ion/CodeGenerator.cpp
@@ -3954,11 +3954,14 @@ CodeGenerator::emitInstanceOf(LInstruction *ins, Register rhs)
     masm.loadPtr(Address(lhsTmp, JSObject::offsetOfType()), lhsTmp);
     masm.loadPtr(Address(lhsTmp, offsetof(types::TypeObject, proto)), lhsTmp);
-    masm.test32(lhsTmp, lhsTmp);
+    // Bail out if we hit a lazy proto
+    masm.branch32(Assembler::Equal, lhsTmp, Imm32(1), call->entry());
+
+    masm.testPtr(lhsTmp, lhsTmp);
     masm.j(Assembler::Zero, &done);
     // Check lhs is equal to rhsShape
-    masm.cmp32(lhsTmp, rhsTmp);
+    masm.cmpPtr(lhsTmp, rhsTmp);
     masm.j(Assembler::NotEqual, &loopPrototypeChain);
     // return true
diff --git a/js/src/jit-test/tests/basic/bug794947.js b/js/src/jit-test/tests/basic/bug794947.js
new file mode 100644
index 00000000000..e8a2829da27
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug794947.js
@@ -0,0 +1,10 @@
+function f(o)
+{
+    print(o instanceof String);
+}
+
+var g = newGlobal();
+f(new Object());
+var o1 = g.eval('new Object()');
+var o2 = Object.create(o1);
+f(o2);
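Review bot: The lazy-proto guard added on the `branch32` line compares the pointer register `lhsTmp` against `Imm32(1)` with a 32-bit comparison, while the same hunk widens the neighbouring `test32`/`cmp32` to `testPtr`/`cmpPtr`; for consistency on 64-bit targets the sentinel test should use the pointer-width form as well (e.g. `masm.branchPtr(Assembler::Equal, lhsTmp, ImmWord(1), call->entry());`, if that overload is available in this macro-assembler). The bare `1` is also a magic number: it appears to encode the lazy-proto sentinel that the engine stores in place of a real prototype pointer, so naming the shared constant here would keep the JIT and the VM from silently drifting apart if the sentinel ever changes. The comment could state the why rather than the what, e.g. `// A lazy proto is a sentinel, not an object: dereferencing it as one is unsafe, so let the VM call resolve it.` emitInstanceOf begins and continues outside this hunk, so the loop label and the `call` out-of-line path it branches to are not visible here.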