Chromium Code Reviews Chromium Code Reviews
Issue 1521953002:
[proxies] fix access issue when having proxies on the prototype-chain of global objects. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #if V8_TARGET_ARCH_IA32 | 5 #if V8_TARGET_ARCH_IA32 |
| 6 | 6 |
| 7 #include "src/crankshaft/ia32/lithium-codegen-ia32.h" | 7 #include "src/crankshaft/ia32/lithium-codegen-ia32.h" |
| 8 | 8 |
| 9 #include "src/base/bits.h" | 9 #include "src/base/bits.h" |
| 10 #include "src/code-factory.h" | 10 #include "src/code-factory.h" |
| (...skipping 2522 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2533 // will be ruled out below. | 2533 // will be ruled out below. |
| 2534 if (instr->hydrogen()->ObjectNeedsSmiCheck()) { | 2534 if (instr->hydrogen()->ObjectNeedsSmiCheck()) { |
| 2535 __ test(object, Immediate(kSmiTagMask)); | 2535 __ test(object, Immediate(kSmiTagMask)); |
| 2536 EmitFalseBranch(instr, zero); | 2536 EmitFalseBranch(instr, zero); |
| 2537 } | 2537 } |
| 2538 | 2538 |
| 2539 // Loop through the {object}s prototype chain looking for the {prototype}. | 2539 // Loop through the {object}s prototype chain looking for the {prototype}. |
| 2540 __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset)); | 2540 __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset)); |
| 2541 Label loop; | 2541 Label loop; |
| 2542 __ bind(&loop); | 2542 __ bind(&loop); |
| 2543 // If we find a JSProxy during the prototype chain walk we deopt. It is | |
| 2544 // important to note that we restart the lookup in the InstanceOfStub as | |
| 2545 // continuing the iteration on the JSProxy would lead to a potential security | |
| 2546 // issue by executing the getPrototypeOf trap of a cross-realm proxy-object | |
| 2547 // without performing the necessary access checks first. | |
|
Camillo Bruni
2015/12/14 19:59:20
probably should add this comment to all platforms.
Toon Verwaest
2015/12/14 20:06:48
There's still a silly issue. If you have:
window2.
Camillo Bruni
2015/12/15 14:09:26
fixed that now as well...
| |
| 2543 __ CmpInstanceType(object_map, JS_PROXY_TYPE); | 2548 __ CmpInstanceType(object_map, JS_PROXY_TYPE); |
| 2544 DeoptimizeIf(equal, instr, Deoptimizer::kProxy); | 2549 DeoptimizeIf(equal, instr, Deoptimizer::kProxy); |
| 2545 __ mov(object_prototype, FieldOperand(object_map, Map::kPrototypeOffset)); | 2550 __ mov(object_prototype, FieldOperand(object_map, Map::kPrototypeOffset)); |
| 2546 __ cmp(object_prototype, prototype); | 2551 __ cmp(object_prototype, prototype); |
| 2547 EmitTrueBranch(instr, equal); | 2552 EmitTrueBranch(instr, equal); |
| 2548 __ cmp(object_prototype, factory()->null_value()); | 2553 __ cmp(object_prototype, factory()->null_value()); |
| 2549 EmitFalseBranch(instr, equal); | 2554 EmitFalseBranch(instr, equal); |
| 2550 __ mov(object_map, FieldOperand(object_prototype, HeapObject::kMapOffset)); | 2555 __ mov(object_map, FieldOperand(object_prototype, HeapObject::kMapOffset)); |
| 2551 __ jmp(&loop); | 2556 __ jmp(&loop); |
| 2552 } | 2557 } |
| (...skipping 2954 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 5507 RecordSafepoint(Safepoint::kNoLazyDeopt); | 5512 RecordSafepoint(Safepoint::kNoLazyDeopt); |
| 5508 } | 5513 } |
| 5509 | 5514 |
| 5510 | 5515 |
| 5511 #undef __ | 5516 #undef __ |
| 5512 | 5517 |
| 5513 } // namespace internal | 5518 } // namespace internal |
| 5514 } // namespace v8 | 5519 } // namespace v8 |
| 5515 | 5520 |
| 5516 #endif // V8_TARGET_ARCH_IA32 | 5521 #endif // V8_TARGET_ARCH_IA32 |
| OLD | NEW |
