From 82ca7ae1f806d03efbba49c4c1c8404b7863f558 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 28 Mar 2020 19:48:12 +0100
Subject: [PATCH] LibJS: Oops, "instanceof" was backwards!

Fix the "instanceof" operator to check if the constructor's prototype property occurs anywhere in the prototype chain of the instance object.

This patch also adds Object.setPrototypeOf() to make it possible to create a test for this bug.

Thanks to DexesTTP for pointing this out! :^)
---
 Libraries/LibJS/Runtime/Object.cpp | 9 ++++++
 Libraries/LibJS/Runtime/Object.h | 1 +
 Libraries/LibJS/Runtime/ObjectConstructor.cpp | 14 +++++++++
 Libraries/LibJS/Runtime/Value.cpp | 15 ++-------
 Libraries/LibJS/Tests/instanceof-basic.js | 31 ++++++++++++++++---
 5 files changed, 53 insertions(+), 17 deletions(-)

diff --git a/Libraries/LibJS/Runtime/Object.cpp b/Libraries/LibJS/Runtime/Object.cpp
index 3be68037125..1c4e70f5ea7 100644
--- a/Libraries/LibJS/Runtime/Object.cpp
+++ b/Libraries/LibJS/Runtime/Object.cpp
@@ -44,6 +44,15 @@ Object::~Object()
 {
 }
+bool Object::has_prototype(const Object* prototype) const
+{
+ for (auto* object = m_prototype; object; object = object->prototype()) {
+ if (object == prototype)
+ return true;
+ }
+ return false;
+}
+
 Optional Object::get_own_property(const Object& this_object, const FlyString& property_name) const
 {
 auto value_here = m_properties.get(property_name);
diff --git a/Libraries/LibJS/Runtime/Object.h b/Libraries/LibJS/Runtime/Object.h
index 041ea089ba6..aa2d887cbe1 100644
--- a/Libraries/LibJS/Runtime/Object.h
+++ b/Libraries/LibJS/Runtime/Object.h
@@ -62,6 +62,7 @@ public:
 Object* prototype() { return m_prototype; }
 const Object* prototype() const { return m_prototype; }
 void set_prototype(Object* prototype) { m_prototype = prototype; }
+ bool has_prototype(const Object* prototype) const;
 bool has_own_property(const FlyString& property_name) const;
 enum class PreferredType {
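Review bot: `Object::has_prototype` starts its walk at `m_prototype`, so it never matches the object itself, and it only terminates when the prototype chain is acyclic; neither property is stated anywhere, and the declaration added to Object.h in the next hunk is equally bare. A one-line comment above the definition would save the next reader (and the new caller in Value.cpp) from re-deriving it: `// True if 'prototype' occurs anywhere in this object's prototype chain, excluding the object itself. Assumes the chain is acyclic: a cycle would make this loop forever.` The null case is already handled correctly, since a null `m_prototype` skips the loop and yields false, and is worth mentioning in the same comment.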
diff --git a/Libraries/LibJS/Runtime/ObjectConstructor.cpp b/Libraries/LibJS/Runtime/ObjectConstructor.cpp
index 998cb4b512a..11a36da59cb 100644
--- a/Libraries/LibJS/Runtime/ObjectConstructor.cpp
+++ b/Libraries/LibJS/Runtime/ObjectConstructor.cpp
@@ -45,6 +45,20 @@ ObjectConstructor::ObjectConstructor()
 return {};
 return object.as_object()->prototype();
 });
+
+ put_native_function("setPrototypeOf", [this](Object*, const Vector& arguments) -> Value {
+ if (arguments.size() < 2)
+ return {};
+ auto object = arguments[0].to_object(heap());
+ if (interpreter().exception())
+ return {};
+ if (!object.is_object())
+ return {};
+ if (!arguments[1].is_object())
+ return {};
+ const_cast(object.as_object())->set_prototype(const_cast(arguments[1].as_object()));
+ return {};
+ });
 }
 ObjectConstructor::~ObjectConstructor()
diff --git a/Libraries/LibJS/Runtime/Value.cpp b/Libraries/LibJS/Runtime/Value.cpp
index c36d358213f..fd5671aa106 100644
--- a/Libraries/LibJS/Runtime/Value.cpp
+++ b/Libraries/LibJS/Runtime/Value.cpp
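Review bot: The new `setPrototypeOf` lambda never checks whether the target object already occurs in the chain of the prototype it is about to install, so a script can link two objects into a cycle, after which every chain walk — the `Object::has_prototype` added in this patch, and presumably ordinary property lookup as well — never terminates. The spec's OrdinarySetPrototypeOf performs exactly this check, and the new helper makes it a two-line guard placed just before the `set_prototype` call: `if (arguments[1].as_object() == object.as_object() || arguments[1].as_object()->has_prototype(object.as_object())) return {};` (the spec reports the refusal as a failed set, which the interpreter could surface as a TypeError if its exception machinery supports that here). Separately, the spec makes `Object.setPrototypeOf` return its first argument, so the final `return {};` would more faithfully be `return object;`. The enclosing constructor body begins before this hunk.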
@@ -259,20 +259,11 @@ Value instance_of(Value lhs, Value rhs)
 if (!lhs.is_object() || !rhs.is_object())
 return Value(false);
- auto* instance_prototype = lhs.as_object()->prototype();
-
- if (!instance_prototype)
+ auto constructor_prototype_property = rhs.as_object()->get("prototype");
+ if (!constructor_prototype_property.has_value() || !constructor_prototype_property.value().is_object())
 return Value(false);
- for (auto* constructor_object = rhs.as_object(); constructor_object; constructor_object = constructor_object->prototype()) {
- auto prototype_property = constructor_object->get_own_property(*constructor_object, "prototype");
- if (!prototype_property.has_value())
- continue;
- if (prototype_property.value().is_object() && prototype_property.value().as_object() == instance_prototype)
- return Value(true);
- }
-
- return Value(false);
+ return Value(lhs.as_object()->has_prototype(constructor_prototype_property.value().as_object()));
 }
 const LogStream& operator<<(const LogStream& stream, const Value& value)
diff --git a/Libraries/LibJS/Tests/instanceof-basic.js b/Libraries/LibJS/Tests/instanceof-basic.js
index 468da2f7fd3..5fa9805aa6a 100644
--- a/Libraries/LibJS/Tests/instanceof-basic.js
+++ b/Libraries/LibJS/Tests/instanceof-basic.js
@@ -1,7 +1,28 @@
-function Foo() {
- this.x = 123;
-}
+function assert(x) { if (!x) throw 1; }
+
+try {
+ function Foo() {
+ this.x = 123;
+ }
+
+ var foo = new Foo();
+ assert(foo instanceof Foo);
+
+ function Base() {
+ this.is_base = true;
+ }
+
+ function Derived() {
+ this.is_derived = true;
+ }
+
+ Object.setPrototypeOf(Derived.prototype, Base.prototype);
+
+ var d = new Derived();
+ assert(d instanceof Derived);
+ assert(d instanceof Base);
-var foo = new Foo();
-if (foo instanceof Foo) console.log("PASS");
+} catch(e) {
+ console.log("FAIL: " + e);
+}
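Review bot: `instance_of` now folds every error case into `false`: a non-object rhs and a rhs whose `prototype` property is missing or not an object both yield `Value(false)`, where the spec requires a TypeError (it also rejects a non-callable rhs, which this code does not examine at all), so `({}) instanceof 1` and `({}) instanceof {}` are silently false. If that is intentional for now, a marker would stop it being mistaken for finished behaviour, e.g. above the first `return Value(false);`: `// FIXME: Per spec a non-object or non-callable rhs, and a non-object "prototype", should throw a TypeError rather than yield false.` The final `has_prototype` call also gives a correct answer only for an acyclic prototype chain, which nothing in this file guarantees; a short comment on that line stating the assumption would help. The function is fully visible: its signature is the hunk trailer and its closing brace is the context line before `operator<<`.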
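Review bot: The rewritten test checks only positive cases, so it would still pass against an implementation that answers `true` for every object pair; since the bug being fixed is the direction of the chain walk, a negative check such as `assert(!(new Base() instanceof Derived));` and `assert(!(foo instanceof Base));` after the existing asserts would pin it. `assert` throws the bare number `1`, so any failure prints `FAIL: 1` with no indication of which of the four asserts fired; throwing a string that names the check, or giving `assert` a message parameter, makes the output actionable. The previous version of the file printed `PASS` on success and the new one prints nothing; if the test runner keys on that output, a `console.log("PASS");` after the last assert is needed, though whether it does is not visible from this diff.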