Revision: 12677
Author:   svenpa...@chromium.org
Date:     Mon Oct  8 05:58:46 2012
Log:      Fixed Accessors::FunctionGetPrototype's proto chain traversal.

Actually it didn't traverse that far... ;-) Did some cleanup on the way.

R=rossb...@chromium.org
BUG=chrome:143967
TEST=regress/regress-143967.js

Review URL: https://codereview.chromium.org/11087004
http://code.google.com/p/v8/source/detail?r=12677

Added:
  /branches/bleeding_edge/test/mjsunit/regress/regress-143967.js
Modified:
  /branches/bleeding_edge/src/accessors.cc

=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-143967.js      Mon Oct  
8 05:58:46 2012
@@ -0,0 +1,34 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Check that Accessors::FunctionGetPrototype traverses the prototype
+// chain correctly and doesn't get stuck.
+
+var functionWithoutProto = [].filter;
+var obj = Object.create(functionWithoutProto);
+functionWithoutProto.__proto__ = function() {};
+assertEquals(functionWithoutProto.prototype, obj.prototype);
=======================================
--- /branches/bleeding_edge/src/accessors.cc    Wed Sep  5 01:19:49 2012
+++ /branches/bleeding_edge/src/accessors.cc    Mon Oct  8 05:58:46 2012
@@ -42,15 +42,11 @@

  template <class C>
-static C* FindInPrototypeChain(Object* obj, bool* found_it) {
-  ASSERT(!*found_it);
-  Heap* heap = HEAP;
-  while (!Is<C>(obj)) {
-    if (obj == heap->null_value()) return NULL;
-    obj = obj->GetPrototype();
+static C* FindInstanceOf(Object* obj) {
+  for (Object* cur = obj; !cur->IsNull(); cur = cur->GetPrototype()) {
+    if (Is<C>(cur)) return C::cast(cur);
    }
-  *found_it = true;
-  return C::cast(obj);
+  return NULL;
  }

@@ -81,10 +77,8 @@

  MaybeObject* Accessors::ArrayGetLength(Object* object, void*) {
    // Traverse the prototype chain until we reach an array.
-  bool found_it = false;
-  JSArray* holder = FindInPrototypeChain<JSArray>(object, &found_it);
-  if (!found_it) return Smi::FromInt(0);
-  return holder->length();
+  JSArray* holder = FindInstanceOf<JSArray>(object);
+  return holder == NULL ? Smi::FromInt(0) : holder->length();
  }

@@ -448,15 +442,12 @@

  MaybeObject* Accessors::FunctionGetPrototype(Object* object, void*) {
    Heap* heap = Isolate::Current()->heap();
-  bool found_it = false;
-  JSFunction* function = FindInPrototypeChain<JSFunction>(object,  
&found_it);
-  if (!found_it) return heap->undefined_value();
+  JSFunction* function = FindInstanceOf<JSFunction>(object);
+  if (function == NULL) return heap->undefined_value();
    while (!function->should_have_prototype()) {
-    found_it = false;
-    function = FindInPrototypeChain<JSFunction>(object->GetPrototype(),
-                                                &found_it);
+    function = FindInstanceOf<JSFunction>(function->GetPrototype());
      // There has to be one because we hit the getter.
-    ASSERT(found_it);
+    ASSERT(function != NULL);
    }

    if (!function->has_prototype()) {
@@ -477,9 +468,8 @@
                                               Object* value,
                                               void*) {
    Heap* heap = object->GetHeap();
-  bool found_it = false;
-  JSFunction* function = FindInPrototypeChain<JSFunction>(object,  
&found_it);
-  if (!found_it) return heap->undefined_value();
+  JSFunction* function = FindInstanceOf<JSFunction>(object);
+  if (function == NULL) return heap->undefined_value();
    if (!function->should_have_prototype()) {
      // Since we hit this accessor, object will have no prototype property.
      return  
object->SetLocalPropertyIgnoreAttributes(heap->prototype_symbol(),
@@ -509,22 +499,20 @@

  MaybeObject* Accessors::FunctionGetLength(Object* object, void*) {
-  bool found_it = false;
-  JSFunction* function = FindInPrototypeChain<JSFunction>(object,  
&found_it);
-  if (!found_it) return Smi::FromInt(0);
+  JSFunction* function = FindInstanceOf<JSFunction>(object);
+  if (function == NULL) return Smi::FromInt(0);
    // Check if already compiled.
-  if (!function->shared()->is_compiled()) {
-    // If the function isn't compiled yet, the length is not computed
-    // correctly yet. Compile it now and return the right length.
-    HandleScope scope;
-    Handle<JSFunction> handle(function);
-    if (!JSFunction::CompileLazy(handle, KEEP_EXCEPTION)) {
-      return Failure::Exception();
-    }
+  if (function->shared()->is_compiled()) {
+    return Smi::FromInt(function->shared()->length());
+  }
+  // If the function isn't compiled yet, the length is not computed  
correctly
+  // yet. Compile it now and return the right length.
+  HandleScope scope;
+  Handle<JSFunction> handle(function);
+  if (JSFunction::CompileLazy(handle, KEEP_EXCEPTION)) {
      return Smi::FromInt(handle->shared()->length());
-  } else {
-    return Smi::FromInt(function->shared()->length());
    }
+  return Failure::Exception();
  }

@@ -541,10 +529,8 @@

  MaybeObject* Accessors::FunctionGetName(Object* object, void*) {
-  bool found_it = false;
-  JSFunction* holder = FindInPrototypeChain<JSFunction>(object, &found_it);
-  if (!found_it) return HEAP->undefined_value();
-  return holder->shared()->name();
+  JSFunction* holder = FindInstanceOf<JSFunction>(object);
+  return holder == NULL ? HEAP->undefined_value() :  
holder->shared()->name();
  }

@@ -589,9 +575,8 @@
  MaybeObject* Accessors::FunctionGetArguments(Object* object, void*) {
    Isolate* isolate = Isolate::Current();
    HandleScope scope(isolate);
-  bool found_it = false;
-  JSFunction* holder = FindInPrototypeChain<JSFunction>(object, &found_it);
-  if (!found_it) return isolate->heap()->undefined_value();
+  JSFunction* holder = FindInstanceOf<JSFunction>(object);
+  if (holder == NULL) return isolate->heap()->undefined_value();
    Handle<JSFunction> function(holder, isolate);

    if (function->shared()->native()) return isolate->heap()->null_value();
@@ -727,9 +712,8 @@
    Isolate* isolate = Isolate::Current();
    HandleScope scope(isolate);
    AssertNoAllocation no_alloc;
-  bool found_it = false;
-  JSFunction* holder = FindInPrototypeChain<JSFunction>(object, &found_it);
-  if (!found_it) return isolate->heap()->undefined_value();
+  JSFunction* holder = FindInstanceOf<JSFunction>(object);
+  if (holder == NULL) return isolate->heap()->undefined_value();
    if (holder->shared()->native()) return isolate->heap()->null_value();
    Handle<JSFunction> function(holder, isolate);