Chromium Code Reviews Chromium Code Reviews
Issue 1683103002:
[compiler] Sanitize entry points to LookupSlot access. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/compiler/ast-graph-builder.h" | 5 #include "src/compiler/ast-graph-builder.h" |
| 6 | 6 |
| 7 #include "src/ast/scopes.h" | 7 #include "src/ast/scopes.h" |
| 8 #include "src/compiler.h" | 8 #include "src/compiler.h" |
| 9 #include "src/compiler/ast-loop-assignment-analyzer.h" | 9 #include "src/compiler/ast-loop-assignment-analyzer.h" |
| 10 #include "src/compiler/control-builders.h" | 10 #include "src/compiler/control-builders.h" |
| (...skipping 2320 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2331 BuildVariableLoad(proxy->var(), expr->expression()->id(), states, | 2331 BuildVariableLoad(proxy->var(), expr->expression()->id(), states, |
| 2332 pair, OutputFrameStateCombine::Push()); | 2332 pair, OutputFrameStateCombine::Push()); |
| 2333 receiver_hint = ConvertReceiverMode::kNullOrUndefined; | 2333 receiver_hint = ConvertReceiverMode::kNullOrUndefined; |
| 2334 receiver_value = jsgraph()->UndefinedConstant(); | 2334 receiver_value = jsgraph()->UndefinedConstant(); |
| 2335 break; | 2335 break; |
| 2336 } | 2336 } |
| 2337 case Call::LOOKUP_SLOT_CALL: { | 2337 case Call::LOOKUP_SLOT_CALL: { |
| 2338 Variable* variable = callee->AsVariableProxy()->var(); | 2338 Variable* variable = callee->AsVariableProxy()->var(); |
| 2339 DCHECK(variable->location() == VariableLocation::LOOKUP); | 2339 DCHECK(variable->location() == VariableLocation::LOOKUP); |
| 2340 Node* name = jsgraph()->Constant(variable->name()); | 2340 Node* name = jsgraph()->Constant(variable->name()); |
| 2341 const Operator* op = javascript()->CallRuntime(Runtime::kLoadLookupSlot); | 2341 const Operator* op = |
| 2342 Node* pair = NewNode(op, current_context(), name); | 2342 javascript()->CallRuntime(Runtime::kLoadLookupSlotForCall); |
| 2343 Node* pair = NewNode(op, name); | |
| 2343 callee_value = NewNode(common()->Projection(0), pair); | 2344 callee_value = NewNode(common()->Projection(0), pair); |
| 2344 receiver_value = NewNode(common()->Projection(1), pair); | 2345 receiver_value = NewNode(common()->Projection(1), pair); |
| 2345 PrepareFrameState(pair, expr->LookupId(), | 2346 PrepareFrameState(pair, expr->LookupId(), |
| 2346 OutputFrameStateCombine::Push(2)); | 2347 OutputFrameStateCombine::Push(2)); |
| 2347 break; | 2348 break; |
| 2348 } | 2349 } |
| 2349 case Call::NAMED_PROPERTY_CALL: { | 2350 case Call::NAMED_PROPERTY_CALL: { |
| 2350 Property* property = callee->AsProperty(); | 2351 Property* property = callee->AsProperty(); |
| 2351 VectorSlotPair feedback = | 2352 VectorSlotPair feedback = |
| 2352 CreateVectorSlotPair(property->PropertyFeedbackSlot()); | 2353 CreateVectorSlotPair(property->PropertyFeedbackSlot()); |
| (...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2427 break; | 2428 break; |
| 2428 } | 2429 } |
| 2429 case Call::SUPER_CALL: | 2430 case Call::SUPER_CALL: |
| 2430 return VisitCallSuper(expr); | 2431 return VisitCallSuper(expr); |
| 2431 case Call::POSSIBLY_EVAL_CALL: | 2432 case Call::POSSIBLY_EVAL_CALL: |
| 2432 possibly_eval = true; | 2433 possibly_eval = true; |
| 2433 if (callee->AsVariableProxy()->var()->IsLookupSlot()) { | 2434 if (callee->AsVariableProxy()->var()->IsLookupSlot()) { |
| 2434 Variable* variable = callee->AsVariableProxy()->var(); | 2435 Variable* variable = callee->AsVariableProxy()->var(); |
| 2435 Node* name = jsgraph()->Constant(variable->name()); | 2436 Node* name = jsgraph()->Constant(variable->name()); |
| 2436 const Operator* op = | 2437 const Operator* op = |
| 2437 javascript()->CallRuntime(Runtime::kLoadLookupSlot); | 2438 javascript()->CallRuntime(Runtime::kLoadLookupSlotForCall); |
| 2438 Node* pair = NewNode(op, current_context(), name); | 2439 Node* pair = NewNode(op, name); |
| 2439 callee_value = NewNode(common()->Projection(0), pair); | 2440 callee_value = NewNode(common()->Projection(0), pair); |
| 2440 receiver_value = NewNode(common()->Projection(1), pair); | 2441 receiver_value = NewNode(common()->Projection(1), pair); |
| 2441 PrepareFrameState(pair, expr->LookupId(), | 2442 PrepareFrameState(pair, expr->LookupId(), |
| 2442 OutputFrameStateCombine::Push(2)); | 2443 OutputFrameStateCombine::Push(2)); |
| 2443 break; | 2444 break; |
| 2444 } | 2445 } |
| 2445 // Fall through. | 2446 // Fall through. |
| 2446 case Call::OTHER_CALL: | 2447 case Call::OTHER_CALL: |
| 2447 VisitForValue(callee); | 2448 VisitForValue(callee); |
| 2448 callee_value = environment()->Pop(); | 2449 callee_value = environment()->Pop(); |
| (...skipping 946 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3395 return value; | 3396 return value; |
| 3396 } | 3397 } |
| 3397 case VariableLocation::LOOKUP: { | 3398 case VariableLocation::LOOKUP: { |
| 3398 // Dynamic lookup of context variable (anywhere in the chain). | 3399 // Dynamic lookup of context variable (anywhere in the chain). |
| 3399 Handle<String> name = variable->name(); | 3400 Handle<String> name = variable->name(); |
| 3400 if (Node* node = | 3401 if (Node* node = |
| 3401 TryLoadDynamicVariable(variable, name, bailout_id, states, | 3402 TryLoadDynamicVariable(variable, name, bailout_id, states, |
| 3402 feedback, combine, typeof_mode)) { | 3403 feedback, combine, typeof_mode)) { |
| 3403 return node; | 3404 return node; |
| 3404 } | 3405 } |
| 3405 const Operator* op = javascript()->LoadDynamic(name, typeof_mode); | 3406 const Operator* op = |
| 3406 Node* value = NewNode(op, BuildLoadFeedbackVector(), current_context()); | 3407 javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF |
| 3408 ? Runtime::kLoadLookupSlot | |
| 3409 : Runtime::kLoadLookupSlotInsideTypeof); | |
| 3410 Node* value = NewNode(op, jsgraph()->Constant(name)); | |
|
Michael Starzinger
2016/02/10 19:48:16
nit: Can we wrap this into a helper with the follo
Benedikt Meurer
2016/02/11 05:25:04
Done.
| |
| 3407 states.AddToNode(value, bailout_id, combine); | 3411 states.AddToNode(value, bailout_id, combine); |
| 3408 return value; | 3412 return value; |
| 3409 } | 3413 } |
| 3410 } | 3414 } |
| 3411 UNREACHABLE(); | 3415 UNREACHABLE(); |
| 3412 return nullptr; | 3416 return nullptr; |
| 3413 } | 3417 } |
| 3414 | 3418 |
| 3415 | 3419 |
| 3416 Node* AstGraphBuilder::BuildVariableDelete(Variable* variable, | 3420 Node* AstGraphBuilder::BuildVariableDelete(Variable* variable, |
| (...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3554 Node* current = NewNode(op, current_context()); | 3558 Node* current = NewNode(op, current_context()); |
| 3555 BuildHoleCheckThenThrow(current, variable, value, bailout_id); | 3559 BuildHoleCheckThenThrow(current, variable, value, bailout_id); |
| 3556 return BuildThrowConstAssignError(bailout_id); | 3560 return BuildThrowConstAssignError(bailout_id); |
| 3557 } | 3561 } |
| 3558 const Operator* op = javascript()->StoreContext(depth, variable->index()); | 3562 const Operator* op = javascript()->StoreContext(depth, variable->index()); |
| 3559 return NewNode(op, current_context(), value); | 3563 return NewNode(op, current_context(), value); |
| 3560 } | 3564 } |
| 3561 case VariableLocation::LOOKUP: { | 3565 case VariableLocation::LOOKUP: { |
| 3562 // Dynamic lookup of context variable (anywhere in the chain). | 3566 // Dynamic lookup of context variable (anywhere in the chain). |
| 3563 Node* name = jsgraph()->Constant(variable->name()); | 3567 Node* name = jsgraph()->Constant(variable->name()); |
| 3564 Node* language = jsgraph()->Constant(language_mode()); | |
| 3565 // TODO(mstarzinger): Use Runtime::kInitializeLegacyConstLookupSlot for | 3568 // TODO(mstarzinger): Use Runtime::kInitializeLegacyConstLookupSlot for |
| 3566 // initializations of const declarations. | 3569 // initializations of const declarations. |
| 3567 const Operator* op = javascript()->CallRuntime(Runtime::kStoreLookupSlot); | 3570 const Operator* op = javascript()->CallRuntime( |
| 3568 Node* store = NewNode(op, value, current_context(), name, language); | 3571 is_strict(language_mode()) ? Runtime::kStoreLookupSlot_Strict |
| 3572 : Runtime::kStoreLookupSlot_Sloppy); | |
| 3573 Node* store = NewNode(op, name, value); | |
|
Michael Starzinger
2016/02/10 19:48:16
nit: Can we wrap this into a helper with the follo
Benedikt Meurer
2016/02/11 05:25:04
Done.
| |
| 3569 PrepareFrameState(store, bailout_id, combine); | 3574 PrepareFrameState(store, bailout_id, combine); |
| 3570 return store; | 3575 return store; |
| 3571 } | 3576 } |
| 3572 } | 3577 } |
| 3573 UNREACHABLE(); | 3578 UNREACHABLE(); |
| 3574 return nullptr; | 3579 return nullptr; |
| 3575 } | 3580 } |
| 3576 | 3581 |
| 3577 | 3582 |
| 3578 Node* AstGraphBuilder::BuildKeyedLoad(Node* object, Node* key, | 3583 Node* AstGraphBuilder::BuildKeyedLoad(Node* object, Node* key, |
| (...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3664 | 3669 |
| 3665 Node* AstGraphBuilder::BuildGlobalStore(Handle<Name> name, Node* value, | 3670 Node* AstGraphBuilder::BuildGlobalStore(Handle<Name> name, Node* value, |
| 3666 const VectorSlotPair& feedback) { | 3671 const VectorSlotPair& feedback) { |
| 3667 const Operator* op = | 3672 const Operator* op = |
| 3668 javascript()->StoreGlobal(language_mode(), name, feedback); | 3673 javascript()->StoreGlobal(language_mode(), name, feedback); |
| 3669 Node* node = NewNode(op, value, GetFunctionClosure()); | 3674 Node* node = NewNode(op, value, GetFunctionClosure()); |
| 3670 return node; | 3675 return node; |
| 3671 } | 3676 } |
| 3672 | 3677 |
| 3673 | 3678 |
| 3674 Node* AstGraphBuilder::BuildLoadImmutableObjectField(Node* object, int offset) { | |
| 3675 return graph()->NewNode(jsgraph()->machine()->Load(MachineType::AnyTagged()), | |
| 3676 object, | |
| 3677 jsgraph()->IntPtrConstant(offset - kHeapObjectTag), | |
| 3678 graph()->start(), graph()->start()); | |
| 3679 } | |
| 3680 | |
| 3681 | |
| 3682 Node* AstGraphBuilder::BuildLoadGlobalObject() { | 3679 Node* AstGraphBuilder::BuildLoadGlobalObject() { |
| 3683 return BuildLoadNativeContextField(Context::EXTENSION_INDEX); | 3680 return BuildLoadNativeContextField(Context::EXTENSION_INDEX); |
| 3684 } | 3681 } |
| 3685 | 3682 |
| 3686 | 3683 |
| 3687 Node* AstGraphBuilder::BuildLoadNativeContextField(int index) { | 3684 Node* AstGraphBuilder::BuildLoadNativeContextField(int index) { |
| 3688 const Operator* op = | 3685 const Operator* op = |
| 3689 javascript()->LoadContext(0, Context::NATIVE_CONTEXT_INDEX, true); | 3686 javascript()->LoadContext(0, Context::NATIVE_CONTEXT_INDEX, true); |
| 3690 Node* native_context = NewNode(op, current_context()); | 3687 Node* native_context = NewNode(op, current_context()); |
| 3691 return NewNode(javascript()->LoadContext(0, index, true), native_context); | 3688 return NewNode(javascript()->LoadContext(0, index, true), native_context); |
| 3692 } | 3689 } |
| 3693 | 3690 |
| 3694 | 3691 |
| 3695 Node* AstGraphBuilder::BuildLoadFeedbackVector() { | |
| 3696 if (!feedback_vector_.is_set()) { | |
| 3697 Node* closure = GetFunctionClosure(); | |
| 3698 Node* shared = BuildLoadImmutableObjectField( | |
| 3699 closure, JSFunction::kSharedFunctionInfoOffset); | |
| 3700 Node* vector = BuildLoadImmutableObjectField( | |
| 3701 shared, SharedFunctionInfo::kFeedbackVectorOffset); | |
| 3702 feedback_vector_.set(vector); | |
| 3703 } | |
| 3704 return feedback_vector_.get(); | |
| 3705 } | |
| 3706 | |
| 3707 | |
| 3708 Node* AstGraphBuilder::BuildToBoolean(Node* input, TypeFeedbackId feedback_id) { | 3692 Node* AstGraphBuilder::BuildToBoolean(Node* input, TypeFeedbackId feedback_id) { |
| 3709 if (Node* node = TryFastToBoolean(input)) return node; | 3693 if (Node* node = TryFastToBoolean(input)) return node; |
| 3710 ToBooleanHints hints; | 3694 ToBooleanHints hints; |
| 3711 if (!type_hint_analysis_ || | 3695 if (!type_hint_analysis_ || |
| 3712 !type_hint_analysis_->GetToBooleanHints(feedback_id, &hints)) { | 3696 !type_hint_analysis_->GetToBooleanHints(feedback_id, &hints)) { |
| 3713 hints = ToBooleanHint::kAny; | 3697 hints = ToBooleanHint::kAny; |
| 3714 } | 3698 } |
| 3715 return NewNode(javascript()->ToBoolean(hints), input); | 3699 return NewNode(javascript()->ToBoolean(hints), input); |
| 3716 } | 3700 } |
| 3717 | 3701 |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3916 // Perform global slot load. | 3900 // Perform global slot load. |
| 3917 Node* fast = BuildGlobalLoad(name, feedback, typeof_mode); | 3901 Node* fast = BuildGlobalLoad(name, feedback, typeof_mode); |
| 3918 states.AddToNode(fast, bailout_id, combine); | 3902 states.AddToNode(fast, bailout_id, combine); |
| 3919 environment()->Push(fast); | 3903 environment()->Push(fast); |
| 3920 } | 3904 } |
| 3921 slow_block.Break(); | 3905 slow_block.Break(); |
| 3922 environment()->Pop(); | 3906 environment()->Pop(); |
| 3923 fast_block.EndBlock(); | 3907 fast_block.EndBlock(); |
| 3924 | 3908 |
| 3925 // Slow case, because variable potentially shadowed. Perform dynamic lookup. | 3909 // Slow case, because variable potentially shadowed. Perform dynamic lookup. |
| 3926 const Operator* op = javascript()->LoadDynamic(name, typeof_mode); | 3910 const Operator* op = |
| 3927 Node* slow = NewNode(op, BuildLoadFeedbackVector(), current_context()); | 3911 javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF |
| 3912 ? Runtime::kLoadLookupSlot | |
| 3913 : Runtime::kLoadLookupSlotInsideTypeof); | |
| 3914 Node* slow = NewNode(op, jsgraph()->Constant(name)); | |
|
Michael Starzinger
2016/02/10 19:48:16
nit: Use aforementioned helper.
Benedikt Meurer
2016/02/11 05:25:05
Done.
| |
| 3928 states.AddToNode(slow, bailout_id, combine); | 3915 states.AddToNode(slow, bailout_id, combine); |
| 3929 environment()->Push(slow); | 3916 environment()->Push(slow); |
| 3930 slow_block.EndBlock(); | 3917 slow_block.EndBlock(); |
| 3931 | 3918 |
| 3932 return environment()->Pop(); | 3919 return environment()->Pop(); |
| 3933 } | 3920 } |
| 3934 | 3921 |
| 3935 if (mode == DYNAMIC_LOCAL) { | 3922 if (mode == DYNAMIC_LOCAL) { |
| 3936 uint32_t bitset = ComputeBitsetForDynamicContext(variable); | 3923 uint32_t bitset = ComputeBitsetForDynamicContext(variable); |
| 3937 if (bitset == kFullCheckRequired) return nullptr; | 3924 if (bitset == kFullCheckRequired) return nullptr; |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 3960 Variable* local = variable->local_if_not_shadowed(); | 3947 Variable* local = variable->local_if_not_shadowed(); |
| 3961 DCHECK(local->location() == VariableLocation::CONTEXT); // Must be context. | 3948 DCHECK(local->location() == VariableLocation::CONTEXT); // Must be context. |
| 3962 Node* fast = BuildVariableLoad(local, bailout_id, states, feedback, combine, | 3949 Node* fast = BuildVariableLoad(local, bailout_id, states, feedback, combine, |
| 3963 typeof_mode); | 3950 typeof_mode); |
| 3964 environment()->Push(fast); | 3951 environment()->Push(fast); |
| 3965 slow_block.Break(); | 3952 slow_block.Break(); |
| 3966 environment()->Pop(); | 3953 environment()->Pop(); |
| 3967 fast_block.EndBlock(); | 3954 fast_block.EndBlock(); |
| 3968 | 3955 |
| 3969 // Slow case, because variable potentially shadowed. Perform dynamic lookup. | 3956 // Slow case, because variable potentially shadowed. Perform dynamic lookup. |
| 3970 const Operator* op = javascript()->LoadDynamic(name, typeof_mode); | 3957 const Operator* op = |
| 3971 Node* slow = NewNode(op, BuildLoadFeedbackVector(), current_context()); | 3958 javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF |
| 3959 ? Runtime::kLoadLookupSlot | |
| 3960 : Runtime::kLoadLookupSlotInsideTypeof); | |
| 3961 Node* slow = NewNode(op, jsgraph()->Constant(name)); | |
|
Michael Starzinger
2016/02/10 19:48:16
nit: Use aforementioned helper.
Benedikt Meurer
2016/02/11 05:25:04
Done.
| |
| 3972 states.AddToNode(slow, bailout_id, combine); | 3962 states.AddToNode(slow, bailout_id, combine); |
| 3973 environment()->Push(slow); | 3963 environment()->Push(slow); |
| 3974 slow_block.EndBlock(); | 3964 slow_block.EndBlock(); |
| 3975 | 3965 |
| 3976 return environment()->Pop(); | 3966 return environment()->Pop(); |
| 3977 } | 3967 } |
| 3978 | 3968 |
| 3979 return nullptr; | 3969 return nullptr; |
| 3980 } | 3970 } |
| 3981 | 3971 |
| (...skipping 373 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 4355 // Phi does not exist yet, introduce one. | 4345 // Phi does not exist yet, introduce one. |
| 4356 value = NewPhi(inputs, value, control); | 4346 value = NewPhi(inputs, value, control); |
| 4357 value->ReplaceInput(inputs - 1, other); | 4347 value->ReplaceInput(inputs - 1, other); |
| 4358 } | 4348 } |
| 4359 return value; | 4349 return value; |
| 4360 } | 4350 } |
| 4361 | 4351 |
| 4362 } // namespace compiler | 4352 } // namespace compiler |
| 4363 } // namespace internal | 4353 } // namespace internal |
| 4364 } // namespace v8 | 4354 } // namespace v8 |
| OLD | NEW |
