Make sure that the generic stubs for keyed load and store and for...

src/ic-arm.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 299 matching lines @@
   // Get the receiver of the function from the stack into r1.
   __ ldr(r1, MemOperand(sp, argc * kPointerSize));
   // Get the name of the function from the stack; 1 ~ receiver.
   __ ldr(r2, MemOperand(sp, (argc + 1) * kPointerSize));
 
   // Check that the receiver isn't a smi.
   __ tst(r1, Operand(kSmiTagMask));
   __ b(eq, &miss);
 
   // Check that the receiver is a valid JS object.
-  __ ldr(r0, FieldMemOperand(r1, HeapObject::kMapOffset));
-  __ ldrb(r0, FieldMemOperand(r0, Map::kInstanceTypeOffset));
+  __ ldr(r3, FieldMemOperand(r1, HeapObject::kMapOffset));
+  __ ldrb(r0, FieldMemOperand(r3, Map::kInstanceTypeOffset));
   __ cmp(r0, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(lt, &miss);
 
   // If this assert fails, we have to check upper bound too.
   ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
 
   // Check for access to global object.
   __ cmp(r0, Operand(JS_GLOBAL_OBJECT_TYPE));
   __ b(eq, &global_object);
   __ cmp(r0, Operand(JS_BUILTINS_OBJECT_TYPE));
   __ b(ne, &non_global_object);
 
   // Accessing global object: Load and invoke.
   __ bind(&global_object);
+  // Check that the global object does not require access checks.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
   GenerateNormalHelper(masm, argc, true, &miss);
 
   // Accessing non-global object: Check for access to global proxy.
   Label global_proxy, invoke;
   __ bind(&non_global_object);
   __ cmp(r0, Operand(JS_GLOBAL_PROXY_TYPE));
   __ b(eq, &global_proxy);
+  // Check that the non-global, non-global-proxy object does not
+  // require access checks.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
   __ bind(&invoke);
   GenerateNormalHelper(masm, argc, false, &miss);
 
   // Global object access: Check access rights.
   __ bind(&global_proxy);
   __ CheckAccessGlobalProxy(r1, r0, &miss);
   __ b(&invoke);
 
   // Cache miss: Jump to runtime.
   __ bind(&miss);
@@ skipping 81 matching lines @@
   // -----------------------------------
 
   Label miss, probe, global;
 
   __ ldr(r0, MemOperand(sp, 0));
   // Check that the receiver isn't a smi.
   __ tst(r0, Operand(kSmiTagMask));
   __ b(eq, &miss);
 
   // Check that the receiver is a valid JS object.
-  __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
-  __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
+  __ ldr(r3, FieldMemOperand(r0, HeapObject::kMapOffset));
+  __ ldrb(r1, FieldMemOperand(r3, Map::kInstanceTypeOffset));
   __ cmp(r1, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(lt, &miss);
   // If this assert fails, we have to check upper bound too.
   ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
 
   // Check for access to global object (unlikely).
   __ cmp(r1, Operand(JS_GLOBAL_PROXY_TYPE));
   __ b(eq, &global);
 
+  // Check for non-global object that requires access check.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
+
   __ bind(&probe);
   GenerateDictionaryLoad(masm, &miss, r1, r0);
   GenerateCheckNonFunctionOrLoaded(masm, &miss, r0, r1);
   __ Ret();
 
   // Global object access: Check access rights.
   __ bind(&global);
   __ CheckAccessGlobalProxy(r0, r1, &miss);
   __ b(&probe);
 
@@ skipping 53 matching lines @@
   // Get the key and receiver object from the stack.
   __ ldm(ia, sp, r0.bit() | r1.bit());
   // Check that the key is a smi.
   __ tst(r0, Operand(kSmiTagMask));
   __ b(ne, &slow);
   __ mov(r0, Operand(r0, ASR, kSmiTagSize));
   // Check that the object isn't a smi.
   __ tst(r1, Operand(kSmiTagMask));
   __ b(eq, &slow);
 
+  // Get the map of the receiver.
+  __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
+  // Check that the receiver does not require access checks.  We need
+  // to check this explicitly since this generic stub does not perform
+  // map checks.
+  __ ldrb(r3, FieldMemOperand(r2, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &slow);
   // Check that the object is some kind of JS object EXCEPT JS Value type.
   // In the case that the object is a value-wrapper object,
   // we enter the runtime system to make sure that indexing into string
   // objects work as intended.
   ASSERT(JS_OBJECT_TYPE > JS_VALUE_TYPE);
-  __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
   __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
   __ cmp(r2, Operand(JS_OBJECT_TYPE));
   __ b(lt, &slow);
 
   // Get the elements array of the object.
   __ ldr(r1, FieldMemOperand(r1, JSObject::kElementsOffset));
   // Check that the object is in fast mode (not dictionary).
   __ ldr(r3, FieldMemOperand(r1, HeapObject::kMapOffset));
   __ cmp(r3, Operand(Factory::hash_table_map()));
   __ b(eq, &slow);
@@ skipping 46 matching lines @@
   //  -- sp[1]  : receiver
   Label slow, fast, array, extra, exit;
   // Get the key and the object from the stack.
   __ ldm(ia, sp, r1.bit() | r3.bit());  // r1 = key, r3 = receiver
   // Check that the key is a smi.
   __ tst(r1, Operand(kSmiTagMask));
   __ b(ne, &slow);
   // Check that the object isn't a smi.
   __ tst(r3, Operand(kSmiTagMask));
   __ b(eq, &slow);
-  // Get the type of the object from its map.
+  // Get the map of the object.
   __ ldr(r2, FieldMemOperand(r3, HeapObject::kMapOffset));
+  // Check that the receiver does not require access checks.  We need
+  // to do this because this generic stub does not perform map checks.
+  __ ldrb(ip, FieldMemOperand(r2, Map::kBitFieldOffset));
+  __ tst(ip, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &slow);
+  // Check if the object is a JS array or not.
   __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
-  // Check if the object is a JS array or not.
   __ cmp(r2, Operand(JS_ARRAY_TYPE));
   // r1 == key.
   __ b(eq, &array);
   // Check that the object is some kind of JS object.
   __ cmp(r2, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(lt, &slow);
 
 
   // Object case: Check key against length in the elements array.
   __ ldr(r3, FieldMemOperand(r3, JSObject::kElementsOffset));
@@ skipping 144 matching lines @@
 
   // Perform tail call to the entry.
   __ TailCallRuntime(f, 3);
 }
 
 
 #undef __
 
 
 } }  // namespace v8::internal