Make sure that the generic stubs for keyed load and store and for...

src/ic-arm.cc

Index: src/ic-arm.cc
===================================================================
--- src/ic-arm.cc	(revision 941)
+++ src/ic-arm.cc	(working copy)
@@ -317,8 +317,8 @@
   __ b(eq, &miss);
 
   // Check that the receiver is a valid JS object.
-  __ ldr(r0, FieldMemOperand(r1, HeapObject::kMapOffset));
-  __ ldrb(r0, FieldMemOperand(r0, Map::kInstanceTypeOffset));
+  __ ldr(r3, FieldMemOperand(r1, HeapObject::kMapOffset));
+  __ ldrb(r0, FieldMemOperand(r3, Map::kInstanceTypeOffset));
   __ cmp(r0, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(lt, &miss);
 
@@ -333,6 +333,10 @@
 
   // Accessing global object: Load and invoke.
   __ bind(&global_object);
+  // Check that the global object does not require access checks.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
   GenerateNormalHelper(masm, argc, true, &miss);
 
   // Accessing non-global object: Check for access to global proxy.
@@ -340,6 +344,11 @@
   __ bind(&non_global_object);
   __ cmp(r0, Operand(JS_GLOBAL_PROXY_TYPE));
   __ b(eq, &global_proxy);
+  // Check that the non-global, non-global-proxy object does not
+  // require access checks.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
   __ bind(&invoke);
   GenerateNormalHelper(masm, argc, false, &miss);
 
@@ -441,8 +450,8 @@
   __ b(eq, &miss);
 
   // Check that the receiver is a valid JS object.
-  __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
-  __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
+  __ ldr(r3, FieldMemOperand(r0, HeapObject::kMapOffset));
+  __ ldrb(r1, FieldMemOperand(r3, Map::kInstanceTypeOffset));
   __ cmp(r1, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(lt, &miss);
   // If this assert fails, we have to check upper bound too.
@@ -452,6 +461,11 @@
   __ cmp(r1, Operand(JS_GLOBAL_PROXY_TYPE));
   __ b(eq, &global);
 
+  // Check for non-global object that requires access check.
+  __ ldrb(r3, FieldMemOperand(r3, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &miss);
+
   __ bind(&probe);
   GenerateDictionaryLoad(masm, &miss, r1, r0);
   GenerateCheckNonFunctionOrLoaded(masm, &miss, r0, r1);
@@ -525,12 +539,19 @@
   __ tst(r1, Operand(kSmiTagMask));
   __ b(eq, &slow);
 
+  // Get the map of the receiver.
+  __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
+  // Check that the receiver does not require access checks.  We need
+  // to check this explicitly since this generic stub does not perform
+  // map checks.
+  __ ldrb(r3, FieldMemOperand(r2, Map::kBitFieldOffset));
+  __ tst(r3, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &slow);
   // Check that the object is some kind of JS object EXCEPT JS Value type.
   // In the case that the object is a value-wrapper object,
   // we enter the runtime system to make sure that indexing into string
   // objects work as intended.
   ASSERT(JS_OBJECT_TYPE > JS_VALUE_TYPE);
-  __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
   __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
   __ cmp(r2, Operand(JS_OBJECT_TYPE));
   __ b(lt, &slow);
@@ -597,10 +618,15 @@
   // Check that the object isn't a smi.
   __ tst(r3, Operand(kSmiTagMask));
   __ b(eq, &slow);
-  // Get the type of the object from its map.
+  // Get the map of the object.
   __ ldr(r2, FieldMemOperand(r3, HeapObject::kMapOffset));
+  // Check that the receiver does not require access checks.  We need
+  // to do this because this generic stub does not perform map checks.
+  __ ldrb(ip, FieldMemOperand(r2, Map::kBitFieldOffset));
+  __ tst(ip, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ b(ne, &slow);
+  // Check if the object is a JS array or not.
   __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
-  // Check if the object is a JS array or not.
   __ cmp(r2, Operand(JS_ARRAY_TYPE));
   // r1 == key.
   __ b(eq, &array);