| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #if V8_TARGET_ARCH_MIPS64 | 5 #if V8_TARGET_ARCH_MIPS64 |
| 6 | 6 |
| 7 #include "src/bootstrapper.h" | 7 #include "src/bootstrapper.h" |
| 8 #include "src/code-stubs.h" | 8 #include "src/code-stubs.h" |
| 9 #include "src/codegen.h" | 9 #include "src/codegen.h" |
| 10 #include "src/ic/handler-compiler.h" | 10 #include "src/ic/handler-compiler.h" |
| (...skipping 2405 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2416 // (9) Sliced string. Replace subject with parent. Go to (4). | 2416 // (9) Sliced string. Replace subject with parent. Go to (4). |
| 2417 // Load offset into t0 and replace subject string with parent. | 2417 // Load offset into t0 and replace subject string with parent. |
| 2418 __ ld(t0, FieldMemOperand(subject, SlicedString::kOffsetOffset)); | 2418 __ ld(t0, FieldMemOperand(subject, SlicedString::kOffsetOffset)); |
| 2419 __ SmiUntag(t0); | 2419 __ SmiUntag(t0); |
| 2420 __ ld(subject, FieldMemOperand(subject, SlicedString::kParentOffset)); | 2420 __ ld(subject, FieldMemOperand(subject, SlicedString::kParentOffset)); |
| 2421 __ jmp(&check_underlying); // Go to (4). | 2421 __ jmp(&check_underlying); // Go to (4). |
| 2422 #endif // V8_INTERPRETED_REGEXP | 2422 #endif // V8_INTERPRETED_REGEXP |
| 2423 } | 2423 } |
| 2424 | 2424 |
| 2425 | 2425 |
| 2426 static void CallStubInRecordCallTarget(MacroAssembler* masm, CodeStub* stub, | 2426 static void CallStubInRecordCallTarget(MacroAssembler* masm, CodeStub* stub) { |
| 2427 bool is_super) { | |
| 2428 // a0 : number of arguments to the construct function | 2427 // a0 : number of arguments to the construct function |
| 2429 // a2 : feedback vector | 2428 // a2 : feedback vector |
| 2430 // a3 : slot in feedback vector (Smi) | 2429 // a3 : slot in feedback vector (Smi) |
| 2431 // a1 : the function to call | 2430 // a1 : the function to call |
| 2432 // a4 : new target (for IsSuperConstructorCall) | |
| 2433 FrameScope scope(masm, StackFrame::INTERNAL); | 2431 FrameScope scope(masm, StackFrame::INTERNAL); |
| 2434 const RegList kSavedRegs = 1 << 4 | // a0 | 2432 const RegList kSavedRegs = 1 << 4 | // a0 |
| 2435 1 << 5 | // a1 | 2433 1 << 5 | // a1 |
| 2436 1 << 6 | // a2 | 2434 1 << 6 | // a2 |
| 2437 1 << 7 | // a3 | 2435 1 << 7; // a3 |
| 2438 BoolToInt(is_super) << 8; // a4 | |
| 2439 | 2436 |
| 2440 | 2437 |
| 2441 // Number-of-arguments register must be smi-tagged to call out. | 2438 // Number-of-arguments register must be smi-tagged to call out. |
| 2442 __ SmiTag(a0); | 2439 __ SmiTag(a0); |
| 2443 __ MultiPush(kSavedRegs); | 2440 __ MultiPush(kSavedRegs); |
| 2444 | 2441 |
| 2445 __ CallStub(stub); | 2442 __ CallStub(stub); |
| 2446 | 2443 |
| 2447 __ MultiPop(kSavedRegs); | 2444 __ MultiPop(kSavedRegs); |
| 2448 __ SmiUntag(a0); | 2445 __ SmiUntag(a0); |
| 2449 } | 2446 } |
| 2450 | 2447 |
| 2451 | 2448 |
| 2452 static void GenerateRecordCallTarget(MacroAssembler* masm, bool is_super) { | 2449 static void GenerateRecordCallTarget(MacroAssembler* masm) { |
| 2453 // Cache the called function in a feedback vector slot. Cache states | 2450 // Cache the called function in a feedback vector slot. Cache states |
| 2454 // are uninitialized, monomorphic (indicated by a JSFunction), and | 2451 // are uninitialized, monomorphic (indicated by a JSFunction), and |
| 2455 // megamorphic. | 2452 // megamorphic. |
| 2456 // a0 : number of arguments to the construct function | 2453 // a0 : number of arguments to the construct function |
| 2457 // a1 : the function to call | 2454 // a1 : the function to call |
| 2458 // a2 : feedback vector | 2455 // a2 : feedback vector |
| 2459 // a3 : slot in feedback vector (Smi) | 2456 // a3 : slot in feedback vector (Smi) |
| 2460 // a4 : new target (for IsSuperConstructorCall) | |
| 2461 Label initialize, done, miss, megamorphic, not_array_function; | 2457 Label initialize, done, miss, megamorphic, not_array_function; |
| 2462 | 2458 |
| 2463 DCHECK_EQ(*TypeFeedbackVector::MegamorphicSentinel(masm->isolate()), | 2459 DCHECK_EQ(*TypeFeedbackVector::MegamorphicSentinel(masm->isolate()), |
| 2464 masm->isolate()->heap()->megamorphic_symbol()); | 2460 masm->isolate()->heap()->megamorphic_symbol()); |
| 2465 DCHECK_EQ(*TypeFeedbackVector::UninitializedSentinel(masm->isolate()), | 2461 DCHECK_EQ(*TypeFeedbackVector::UninitializedSentinel(masm->isolate()), |
| 2466 masm->isolate()->heap()->uninitialized_symbol()); | 2462 masm->isolate()->heap()->uninitialized_symbol()); |
| 2467 | 2463 |
| 2468 // Load the cache state into a5. | 2464 // Load the cache state into a5. |
| 2469 __ dsrl(a5, a3, 32 - kPointerSizeLog2); | 2465 __ dsrl(a5, a3, 32 - kPointerSizeLog2); |
| 2470 __ Daddu(a5, a2, Operand(a5)); | 2466 __ Daddu(a5, a2, Operand(a5)); |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2520 // An uninitialized cache is patched with the function. | 2516 // An uninitialized cache is patched with the function. |
| 2521 __ bind(&initialize); | 2517 __ bind(&initialize); |
| 2522 // Make sure the function is the Array() function. | 2518 // Make sure the function is the Array() function. |
| 2523 __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, a5); | 2519 __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, a5); |
| 2524 __ Branch(¬_array_function, ne, a1, Operand(a5)); | 2520 __ Branch(¬_array_function, ne, a1, Operand(a5)); |
| 2525 | 2521 |
| 2526 // The target function is the Array constructor, | 2522 // The target function is the Array constructor, |
| 2527 // Create an AllocationSite if we don't already have it, store it in the | 2523 // Create an AllocationSite if we don't already have it, store it in the |
| 2528 // slot. | 2524 // slot. |
| 2529 CreateAllocationSiteStub create_stub(masm->isolate()); | 2525 CreateAllocationSiteStub create_stub(masm->isolate()); |
| 2530 CallStubInRecordCallTarget(masm, &create_stub, is_super); | 2526 CallStubInRecordCallTarget(masm, &create_stub); |
| 2531 __ Branch(&done); | 2527 __ Branch(&done); |
| 2532 | 2528 |
| 2533 __ bind(¬_array_function); | 2529 __ bind(¬_array_function); |
| 2534 | 2530 |
| 2535 CreateWeakCellStub weak_cell_stub(masm->isolate()); | 2531 CreateWeakCellStub weak_cell_stub(masm->isolate()); |
| 2536 CallStubInRecordCallTarget(masm, &weak_cell_stub, is_super); | 2532 CallStubInRecordCallTarget(masm, &weak_cell_stub); |
| 2537 __ bind(&done); | 2533 __ bind(&done); |
| 2538 } | 2534 } |
| 2539 | 2535 |
| 2540 | 2536 |
| 2541 void CallConstructStub::Generate(MacroAssembler* masm) { | 2537 void CallConstructStub::Generate(MacroAssembler* masm) { |
| 2542 // a0 : number of arguments | 2538 // a0 : number of arguments |
| 2543 // a1 : the function to call | 2539 // a1 : the function to call |
| 2544 // a2 : feedback vector | 2540 // a2 : feedback vector |
| 2545 // a3 : slot in feedback vector (Smi, for RecordCallTarget) | 2541 // a3 : slot in feedback vector (Smi, for RecordCallTarget) |
| 2546 // a4 : new target (for IsSuperConstructorCall) | |
| 2547 | 2542 |
| 2548 Label non_function; | 2543 Label non_function; |
| 2549 // Check that the function is not a smi. | 2544 // Check that the function is not a smi. |
| 2550 __ JumpIfSmi(a1, &non_function); | 2545 __ JumpIfSmi(a1, &non_function); |
| 2551 // Check that the function is a JSFunction. | 2546 // Check that the function is a JSFunction. |
| 2552 __ GetObjectType(a1, a5, a5); | 2547 __ GetObjectType(a1, a5, a5); |
| 2553 __ Branch(&non_function, ne, a5, Operand(JS_FUNCTION_TYPE)); | 2548 __ Branch(&non_function, ne, a5, Operand(JS_FUNCTION_TYPE)); |
| 2554 | 2549 |
| 2555 if (RecordCallTarget()) { | 2550 GenerateRecordCallTarget(masm); |
| 2556 GenerateRecordCallTarget(masm, IsSuperConstructorCall()); | |
| 2557 | 2551 |
| 2558 __ dsrl(at, a3, 32 - kPointerSizeLog2); | 2552 __ dsrl(at, a3, 32 - kPointerSizeLog2); |
| 2559 __ Daddu(a5, a2, at); | 2553 __ Daddu(a5, a2, at); |
| 2560 Label feedback_register_initialized; | 2554 Label feedback_register_initialized; |
| 2561 // Put the AllocationSite from the feedback vector into a2, or undefined. | 2555 // Put the AllocationSite from the feedback vector into a2, or undefined. |
| 2562 __ ld(a2, FieldMemOperand(a5, FixedArray::kHeaderSize)); | 2556 __ ld(a2, FieldMemOperand(a5, FixedArray::kHeaderSize)); |
| 2563 __ ld(a5, FieldMemOperand(a2, AllocationSite::kMapOffset)); | 2557 __ ld(a5, FieldMemOperand(a2, AllocationSite::kMapOffset)); |
| 2564 __ LoadRoot(at, Heap::kAllocationSiteMapRootIndex); | 2558 __ LoadRoot(at, Heap::kAllocationSiteMapRootIndex); |
| 2565 __ Branch(&feedback_register_initialized, eq, a5, Operand(at)); | 2559 __ Branch(&feedback_register_initialized, eq, a5, Operand(at)); |
| 2566 __ LoadRoot(a2, Heap::kUndefinedValueRootIndex); | 2560 __ LoadRoot(a2, Heap::kUndefinedValueRootIndex); |
| 2567 __ bind(&feedback_register_initialized); | 2561 __ bind(&feedback_register_initialized); |
| 2568 | 2562 |
| 2569 __ AssertUndefinedOrAllocationSite(a2, a5); | 2563 __ AssertUndefinedOrAllocationSite(a2, a5); |
| 2570 } | |
| 2571 | 2564 |
| 2572 // Pass function as new target. | 2565 // Pass function as new target. |
| 2573 if (IsSuperConstructorCall()) { | 2566 __ mov(a3, a1); |
| 2574 __ mov(a3, a4); | |
| 2575 } else { | |
| 2576 __ mov(a3, a1); | |
| 2577 } | |
| 2578 | 2567 |
| 2579 // Tail call to the function-specific construct stub (still in the caller | 2568 // Tail call to the function-specific construct stub (still in the caller |
| 2580 // context at this point). | 2569 // context at this point). |
| 2581 __ ld(a4, FieldMemOperand(a1, JSFunction::kSharedFunctionInfoOffset)); | 2570 __ ld(a4, FieldMemOperand(a1, JSFunction::kSharedFunctionInfoOffset)); |
| 2582 __ ld(a4, FieldMemOperand(a4, SharedFunctionInfo::kConstructStubOffset)); | 2571 __ ld(a4, FieldMemOperand(a4, SharedFunctionInfo::kConstructStubOffset)); |
| 2583 __ Daddu(at, a4, Operand(Code::kHeaderSize - kHeapObjectTag)); | 2572 __ Daddu(at, a4, Operand(Code::kHeaderSize - kHeapObjectTag)); |
| 2584 __ Jump(at); | 2573 __ Jump(at); |
| 2585 | 2574 |
| 2586 __ bind(&non_function); | 2575 __ bind(&non_function); |
| 2587 __ mov(a3, a1); | 2576 __ mov(a3, a1); |
| (...skipping 3024 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5612 MemOperand(fp, 6 * kPointerSize), NULL); | 5601 MemOperand(fp, 6 * kPointerSize), NULL); |
| 5613 } | 5602 } |
| 5614 | 5603 |
| 5615 | 5604 |
| 5616 #undef __ | 5605 #undef __ |
| 5617 | 5606 |
| 5618 } // namespace internal | 5607 } // namespace internal |
| 5619 } // namespace v8 | 5608 } // namespace v8 |
| 5620 | 5609 |
| 5621 #endif // V8_TARGET_ARCH_MIPS64 | 5610 #endif // V8_TARGET_ARCH_MIPS64 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1469793002:
[builtins] Sanitize the machinery around Construct calls. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master