| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdlib.h> | 5 #include <stdlib.h> |
| 6 | 6 |
| 7 #include <fstream> // NOLINT(readability/streams) | 7 #include <fstream> // NOLINT(readability/streams) |
| 8 #include <sstream> | 8 #include <sstream> |
| 9 | 9 |
| 10 #include "src/v8.h" | 10 #include "src/v8.h" |
| (...skipping 2357 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2368 | 2368 |
| 2369 | 2369 |
| 2370 bool Isolate::use_crankshaft() const { | 2370 bool Isolate::use_crankshaft() const { |
| 2371 return FLAG_crankshaft && | 2371 return FLAG_crankshaft && |
| 2372 !serializer_enabled_ && | 2372 !serializer_enabled_ && |
| 2373 CpuFeatures::SupportsCrankshaft(); | 2373 CpuFeatures::SupportsCrankshaft(); |
| 2374 } | 2374 } |
| 2375 | 2375 |
| 2376 | 2376 |
| 2377 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() { | 2377 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() { |
| 2378 Handle<PropertyCell> no_elements_cell = |
| 2379 handle(heap()->array_protector(), this); |
| 2380 bool cell_reports_intact = no_elements_cell->value()->IsSmi() && |
| 2381 Smi::cast(no_elements_cell->value())->value() == 1; |
| 2382 |
| 2383 #ifdef DEBUG |
| 2378 Map* root_array_map = | 2384 Map* root_array_map = |
| 2379 get_initial_js_array_map(GetInitialFastElementsKind()); | 2385 get_initial_js_array_map(GetInitialFastElementsKind()); |
| 2380 DCHECK(root_array_map != NULL); | |
| 2381 JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype()); | 2386 JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype()); |
| 2387 JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype()); |
| 2388 |
| 2389 if (root_array_map == NULL || initial_array_proto == initial_object_proto) { |
| 2390 // We are in the bootstrapping process, and the entire check sequence |
| 2391 // shouldn't be performed. |
| 2392 return cell_reports_intact; |
| 2393 } |
| 2382 | 2394 |
| 2383 // Check that the array prototype hasn't been altered WRT empty elements. | 2395 // Check that the array prototype hasn't been altered WRT empty elements. |
| 2384 if (root_array_map->prototype() != initial_array_proto) return false; | 2396 if (root_array_map->prototype() != initial_array_proto) { |
| 2397 DCHECK_EQ(false, cell_reports_intact); |
| 2398 return cell_reports_intact; |
| 2399 } |
| 2400 |
| 2385 if (initial_array_proto->elements() != heap()->empty_fixed_array()) { | 2401 if (initial_array_proto->elements() != heap()->empty_fixed_array()) { |
| 2386 return false; | 2402 DCHECK_EQ(false, cell_reports_intact); |
| 2403 return cell_reports_intact; |
| 2387 } | 2404 } |
| 2388 | 2405 |
| 2389 // Check that the object prototype hasn't been altered WRT empty elements. | 2406 // Check that the object prototype hasn't been altered WRT empty elements. |
| 2390 JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype()); | |
| 2391 PrototypeIterator iter(this, initial_array_proto); | 2407 PrototypeIterator iter(this, initial_array_proto); |
| 2392 if (iter.IsAtEnd() || iter.GetCurrent() != initial_object_proto) { | 2408 if (iter.IsAtEnd() || iter.GetCurrent() != initial_object_proto) { |
| 2393 return false; | 2409 DCHECK_EQ(false, cell_reports_intact); |
| 2410 return cell_reports_intact; |
| 2394 } | 2411 } |
| 2395 if (initial_object_proto->elements() != heap()->empty_fixed_array()) { | 2412 if (initial_object_proto->elements() != heap()->empty_fixed_array()) { |
| 2396 return false; | 2413 DCHECK_EQ(false, cell_reports_intact); |
| 2414 return cell_reports_intact; |
| 2397 } | 2415 } |
| 2398 | 2416 |
| 2399 iter.Advance(); | 2417 iter.Advance(); |
| 2400 return iter.IsAtEnd(); | 2418 if (!iter.IsAtEnd()) { |
| 2419 DCHECK_EQ(false, cell_reports_intact); |
| 2420 return cell_reports_intact; |
| 2421 } |
| 2422 |
| 2423 #endif |
| 2424 |
| 2425 return cell_reports_intact; |
| 2401 } | 2426 } |
| 2402 | 2427 |
| 2403 | 2428 |
| 2429 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) { |
| 2430 Handle<PropertyCell> array_protector = factory()->array_protector(); |
| 2431 if (IsFastArrayConstructorPrototypeChainIntact() && |
| 2432 object->map()->is_prototype_map()) { |
| 2433 Object* context = heap()->native_contexts_list(); |
| 2434 while (!context->IsUndefined()) { |
| 2435 Context* current_context = Context::cast(context); |
| 2436 if (current_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX) == |
| 2437 *object || |
| 2438 current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) == |
| 2439 *object) { |
| 2440 PropertyCell::SetValueWithInvalidation(array_protector, |
| 2441 handle(Smi::FromInt(0), this)); |
| 2442 break; |
| 2443 } |
| 2444 context = current_context->get(Context::NEXT_CONTEXT_LINK); |
| 2445 } |
| 2446 } |
| 2447 } |
| 2448 |
| 2449 |
| 2450 bool Isolate::IsAnyInitialArrayPrototype(Handle<JSArray> array) { |
| 2451 if (array->map()->is_prototype_map()) { |
| 2452 Object* context = heap()->native_contexts_list(); |
| 2453 while (!context->IsUndefined()) { |
| 2454 Context* current_context = Context::cast(context); |
| 2455 if (current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) == |
| 2456 *array) { |
| 2457 return true; |
| 2458 } |
| 2459 context = current_context->get(Context::NEXT_CONTEXT_LINK); |
| 2460 } |
| 2461 } |
| 2462 return false; |
| 2463 } |
| 2464 |
| 2465 |
| 2404 CallInterfaceDescriptorData* Isolate::call_descriptor_data(int index) { | 2466 CallInterfaceDescriptorData* Isolate::call_descriptor_data(int index) { |
| 2405 DCHECK(0 <= index && index < CallDescriptors::NUMBER_OF_DESCRIPTORS); | 2467 DCHECK(0 <= index && index < CallDescriptors::NUMBER_OF_DESCRIPTORS); |
| 2406 return &call_descriptor_data_[index]; | 2468 return &call_descriptor_data_[index]; |
| 2407 } | 2469 } |
| 2408 | 2470 |
| 2409 | 2471 |
| 2410 Object* Isolate::FindCodeObject(Address a) { | 2472 Object* Isolate::FindCodeObject(Address a) { |
| 2411 return inner_pointer_to_code_cache()->GcSafeFindCodeForInnerPointer(a); | 2473 return inner_pointer_to_code_cache()->GcSafeFindCodeForInnerPointer(a); |
| 2412 } | 2474 } |
| 2413 | 2475 |
| (...skipping 252 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2666 if (prev_ && prev_->Intercept(flag)) return true; | 2728 if (prev_ && prev_->Intercept(flag)) return true; |
| 2667 // Then check whether this scope intercepts. | 2729 // Then check whether this scope intercepts. |
| 2668 if ((flag & intercept_mask_)) { | 2730 if ((flag & intercept_mask_)) { |
| 2669 intercepted_flags_ |= flag; | 2731 intercepted_flags_ |= flag; |
| 2670 return true; | 2732 return true; |
| 2671 } | 2733 } |
| 2672 return false; | 2734 return false; |
| 2673 } | 2735 } |
| 2674 | 2736 |
| 2675 } } // namespace v8::internal | 2737 } } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1092043002:
Protect the emptiness of Array prototype elements with a PropertyCell. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master