| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdlib.h> | 5 #include <stdlib.h> |
| 6 | 6 |
| 7 #include <fstream> // NOLINT(readability/streams) | 7 #include <fstream> // NOLINT(readability/streams) |
| 8 #include <sstream> | 8 #include <sstream> |
| 9 | 9 |
| 10 #include "src/v8.h" | 10 #include "src/v8.h" |
| (...skipping 2357 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2368 | 2368 |
| 2369 | 2369 |
| 2370 bool Isolate::use_crankshaft() const { | 2370 bool Isolate::use_crankshaft() const { |
| 2371 return FLAG_crankshaft && | 2371 return FLAG_crankshaft && |
| 2372 !serializer_enabled_ && | 2372 !serializer_enabled_ && |
| 2373 CpuFeatures::SupportsCrankshaft(); | 2373 CpuFeatures::SupportsCrankshaft(); |
| 2374 } | 2374 } |
| 2375 | 2375 |
| 2376 | 2376 |
| 2377 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() { | 2377 bool Isolate::IsFastArrayConstructorPrototypeChainIntact() { |
| 2378 Handle<PropertyCell> no_elements_cell = | |
| 2379 handle(heap()->array_protector(), this); | |
| 2380 bool cell_reports_intact = no_elements_cell->value()->IsSmi() && | |
| 2381 Smi::cast(no_elements_cell->value())->value() == 1; | |
| 2382 | |
| 2383 #ifdef DEBUG | |
| 2384 Map* root_array_map = | 2378 Map* root_array_map = |
| 2385 get_initial_js_array_map(GetInitialFastElementsKind()); | 2379 get_initial_js_array_map(GetInitialFastElementsKind()); |
| 2380 DCHECK(root_array_map != NULL); |
| 2386 JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype()); | 2381 JSObject* initial_array_proto = JSObject::cast(*initial_array_prototype()); |
| 2387 JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype()); | |
| 2388 | |
| 2389 if (root_array_map == NULL || initial_array_proto == initial_object_proto) { | |
| 2390 // We are in the bootstrapping process, and the entire check sequence | |
| 2391 // shouldn't be performed. | |
| 2392 return cell_reports_intact; | |
| 2393 } | |
| 2394 | 2382 |
| 2395 // Check that the array prototype hasn't been altered WRT empty elements. | 2383 // Check that the array prototype hasn't been altered WRT empty elements. |
| 2396 if (root_array_map->prototype() != initial_array_proto) { | 2384 if (root_array_map->prototype() != initial_array_proto) return false; |
| 2397 DCHECK_EQ(false, cell_reports_intact); | |
| 2398 return cell_reports_intact; | |
| 2399 } | |
| 2400 | |
| 2401 if (initial_array_proto->elements() != heap()->empty_fixed_array()) { | 2385 if (initial_array_proto->elements() != heap()->empty_fixed_array()) { |
| 2402 DCHECK_EQ(false, cell_reports_intact); | 2386 return false; |
| 2403 return cell_reports_intact; | |
| 2404 } | 2387 } |
| 2405 | 2388 |
| 2406 // Check that the object prototype hasn't been altered WRT empty elements. | 2389 // Check that the object prototype hasn't been altered WRT empty elements. |
| 2390 JSObject* initial_object_proto = JSObject::cast(*initial_object_prototype()); |
| 2407 PrototypeIterator iter(this, initial_array_proto); | 2391 PrototypeIterator iter(this, initial_array_proto); |
| 2408 if (iter.IsAtEnd() || iter.GetCurrent() != initial_object_proto) { | 2392 if (iter.IsAtEnd() || iter.GetCurrent() != initial_object_proto) { |
| 2409 DCHECK_EQ(false, cell_reports_intact); | 2393 return false; |
| 2410 return cell_reports_intact; | |
| 2411 } | 2394 } |
| 2412 if (initial_object_proto->elements() != heap()->empty_fixed_array()) { | 2395 if (initial_object_proto->elements() != heap()->empty_fixed_array()) { |
| 2413 DCHECK_EQ(false, cell_reports_intact); | 2396 return false; |
| 2414 return cell_reports_intact; | |
| 2415 } | 2397 } |
| 2416 | 2398 |
| 2417 iter.Advance(); | 2399 iter.Advance(); |
| 2418 if (!iter.IsAtEnd()) { | 2400 return iter.IsAtEnd(); |
| 2419 DCHECK_EQ(false, cell_reports_intact); | |
| 2420 return cell_reports_intact; | |
| 2421 } | |
| 2422 | |
| 2423 #endif | |
| 2424 | |
| 2425 return cell_reports_intact; | |
| 2426 } | 2401 } |
| 2427 | 2402 |
| 2428 | 2403 |
| 2429 void Isolate::UpdateArrayProtectorOnSetElement(Handle<JSObject> object) { | |
| 2430 Handle<PropertyCell> array_protector = factory()->array_protector(); | |
| 2431 if (IsFastArrayConstructorPrototypeChainIntact() && | |
| 2432 object->map()->is_prototype_map()) { | |
| 2433 Object* context = heap()->native_contexts_list(); | |
| 2434 while (!context->IsUndefined()) { | |
| 2435 Context* current_context = Context::cast(context); | |
| 2436 if (current_context->get(Context::INITIAL_OBJECT_PROTOTYPE_INDEX) == | |
| 2437 *object || | |
| 2438 current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) == | |
| 2439 *object) { | |
| 2440 PropertyCell::SetValueWithInvalidation(array_protector, | |
| 2441 handle(Smi::FromInt(0), this)); | |
| 2442 break; | |
| 2443 } | |
| 2444 context = current_context->get(Context::NEXT_CONTEXT_LINK); | |
| 2445 } | |
| 2446 } | |
| 2447 } | |
| 2448 | |
| 2449 | |
| 2450 bool Isolate::IsAnyInitialArrayPrototype(Handle<JSArray> array) { | |
| 2451 if (array->map()->is_prototype_map()) { | |
| 2452 Object* context = heap()->native_contexts_list(); | |
| 2453 while (!context->IsUndefined()) { | |
| 2454 Context* current_context = Context::cast(context); | |
| 2455 if (current_context->get(Context::INITIAL_ARRAY_PROTOTYPE_INDEX) == | |
| 2456 *array) { | |
| 2457 return true; | |
| 2458 } | |
| 2459 context = current_context->get(Context::NEXT_CONTEXT_LINK); | |
| 2460 } | |
| 2461 } | |
| 2462 return false; | |
| 2463 } | |
| 2464 | |
| 2465 | |
| 2466 CallInterfaceDescriptorData* Isolate::call_descriptor_data(int index) { | 2404 CallInterfaceDescriptorData* Isolate::call_descriptor_data(int index) { |
| 2467 DCHECK(0 <= index && index < CallDescriptors::NUMBER_OF_DESCRIPTORS); | 2405 DCHECK(0 <= index && index < CallDescriptors::NUMBER_OF_DESCRIPTORS); |
| 2468 return &call_descriptor_data_[index]; | 2406 return &call_descriptor_data_[index]; |
| 2469 } | 2407 } |
| 2470 | 2408 |
| 2471 | 2409 |
| 2472 Object* Isolate::FindCodeObject(Address a) { | 2410 Object* Isolate::FindCodeObject(Address a) { |
| 2473 return inner_pointer_to_code_cache()->GcSafeFindCodeForInnerPointer(a); | 2411 return inner_pointer_to_code_cache()->GcSafeFindCodeForInnerPointer(a); |
| 2474 } | 2412 } |
| 2475 | 2413 |
| (...skipping 252 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2728 if (prev_ && prev_->Intercept(flag)) return true; | 2666 if (prev_ && prev_->Intercept(flag)) return true; |
| 2729 // Then check whether this scope intercepts. | 2667 // Then check whether this scope intercepts. |
| 2730 if ((flag & intercept_mask_)) { | 2668 if ((flag & intercept_mask_)) { |
| 2731 intercepted_flags_ |= flag; | 2669 intercepted_flags_ |= flag; |
| 2732 return true; | 2670 return true; |
| 2733 } | 2671 } |
| 2734 return false; | 2672 return false; |
| 2735 } | 2673 } |
| 2736 | 2674 |
| 2737 } } // namespace v8::internal | 2675 } } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1099203004:
Revert of Protect the emptiness of Array prototype elements with a PropertyCell. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master