deps: cherry-pick 3a903c4 for PPC from V8 upstream

fhinkel · evanlucas · commit e5cce7acfe17 · 2016-07-21T15:01:29.000-05:00
Original commit message: PPC: InstanceOfStub incorrectly interprets the hole as a prototype. Port 2aa070b Original commit message: Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com BUG= Review URL: https://codereview.chromium.org/1811013002 Cr-Commit-Position: refs/heads/master@{#34869} Fixes: #7592 for PPC PR-URL: #7638 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
diff --git a/deps/v8/src/ppc/code-stubs-ppc.cc b/deps/v8/src/ppc/code-stubs-ppc.cc
@@ -1409,8 +1409,12 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
   __ CompareObjectType(function, function_map, scratch, JS_FUNCTION_TYPE);
   __ bne(&slow_case);
 
-  // Ensure that {function} has an instance prototype.
+  // Go to the runtime if the function is not a constructor.
   __ lbz(scratch, FieldMemOperand(function_map, Map::kBitFieldOffset));
+  __ TestBit(scratch, Map::kIsConstructor, r0);
+  __ beq(&slow_case, cr0);
+
+  // Ensure that {function} has an instance prototype.
   __ TestBit(scratch, Map::kHasNonInstancePrototype, r0);
   __ bne(&slow_case, cr0);
 
