[compiler] Sanitize entry points to LookupSlot access.

src/compiler/ast-graph-builder.cc

Index: src/compiler/ast-graph-builder.cc
diff --git a/src/compiler/ast-graph-builder.cc b/src/compiler/ast-graph-builder.cc
index 9cf95702ceec203eda14956635344ed874b03fac..6b9f8e4407d5bc5123af6b57828f14525ec2b428 100644
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@@ -2338,8 +2338,9 @@ void AstGraphBuilder::VisitCall(Call* expr) {
       Variable* variable = callee->AsVariableProxy()->var();
       DCHECK(variable->location() == VariableLocation::LOOKUP);
       Node* name = jsgraph()->Constant(variable->name());
-      const Operator* op = javascript()->CallRuntime(Runtime::kLoadLookupSlot);
-      Node* pair = NewNode(op, current_context(), name);
+      const Operator* op =
+          javascript()->CallRuntime(Runtime::kLoadLookupSlotForCall);
+      Node* pair = NewNode(op, name);
       callee_value = NewNode(common()->Projection(0), pair);
       receiver_value = NewNode(common()->Projection(1), pair);
       PrepareFrameState(pair, expr->LookupId(),
@@ -2434,8 +2435,8 @@ void AstGraphBuilder::VisitCall(Call* expr) {
         Variable* variable = callee->AsVariableProxy()->var();
         Node* name = jsgraph()->Constant(variable->name());
         const Operator* op =
-            javascript()->CallRuntime(Runtime::kLoadLookupSlot);
-        Node* pair = NewNode(op, current_context(), name);
+            javascript()->CallRuntime(Runtime::kLoadLookupSlotForCall);
+        Node* pair = NewNode(op, name);
         callee_value = NewNode(common()->Projection(0), pair);
         receiver_value = NewNode(common()->Projection(1), pair);
         PrepareFrameState(pair, expr->LookupId(),
@@ -3402,8 +3403,11 @@ Node* AstGraphBuilder::BuildVariableLoad(Variable* variable,
                                      feedback, combine, typeof_mode)) {
         return node;
       }
-      const Operator* op = javascript()->LoadDynamic(name, typeof_mode);
-      Node* value = NewNode(op, BuildLoadFeedbackVector(), current_context());
+      const Operator* op =
+          javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF
+                                        ? Runtime::kLoadLookupSlot
+                                        : Runtime::kLoadLookupSlotInsideTypeof);
+      Node* value = NewNode(op, jsgraph()->Constant(name));

[Michael Starzinger, 2016/02/10 19:48:16]

nit: Can we wrap this into a helper with the following signature?
Node* BuildDynamicLoad(Handle<Name> name, TypeofMode typeof_mode);

[Benedikt Meurer, 2016/02/11 05:25:04]

Done.

       states.AddToNode(value, bailout_id, combine);
       return value;
     }
@@ -3561,11 +3565,12 @@ Node* AstGraphBuilder::BuildVariableAssignment(
     case VariableLocation::LOOKUP: {
       // Dynamic lookup of context variable (anywhere in the chain).
       Node* name = jsgraph()->Constant(variable->name());
-      Node* language = jsgraph()->Constant(language_mode());
       // TODO(mstarzinger): Use Runtime::kInitializeLegacyConstLookupSlot for
       // initializations of const declarations.
-      const Operator* op = javascript()->CallRuntime(Runtime::kStoreLookupSlot);
-      Node* store = NewNode(op, value, current_context(), name, language);
+      const Operator* op = javascript()->CallRuntime(
+          is_strict(language_mode()) ? Runtime::kStoreLookupSlot_Strict
+                                     : Runtime::kStoreLookupSlot_Sloppy);
+      Node* store = NewNode(op, name, value);

[Michael Starzinger, 2016/02/10 19:48:16]

nit: Can we wrap this into a helper with the following signature?
Node* BuildDynamicStore(Handle<Name> name, Node* value);

[Benedikt Meurer, 2016/02/11 05:25:04]

Done.

       PrepareFrameState(store, bailout_id, combine);
       return store;
     }
@@ -3671,14 +3676,6 @@ Node* AstGraphBuilder::BuildGlobalStore(Handle<Name> name, Node* value,
 }
 
 
-Node* AstGraphBuilder::BuildLoadImmutableObjectField(Node* object, int offset) {
-  return graph()->NewNode(jsgraph()->machine()->Load(MachineType::AnyTagged()),
-                          object,
-                          jsgraph()->IntPtrConstant(offset - kHeapObjectTag),
-                          graph()->start(), graph()->start());
-}
-
-
 Node* AstGraphBuilder::BuildLoadGlobalObject() {
   return BuildLoadNativeContextField(Context::EXTENSION_INDEX);
 }
@@ -3692,19 +3689,6 @@ Node* AstGraphBuilder::BuildLoadNativeContextField(int index) {
 }
 
 
-Node* AstGraphBuilder::BuildLoadFeedbackVector() {
-  if (!feedback_vector_.is_set()) {
-    Node* closure = GetFunctionClosure();
-    Node* shared = BuildLoadImmutableObjectField(
-        closure, JSFunction::kSharedFunctionInfoOffset);
-    Node* vector = BuildLoadImmutableObjectField(
-        shared, SharedFunctionInfo::kFeedbackVectorOffset);
-    feedback_vector_.set(vector);
-  }
-  return feedback_vector_.get();
-}
-
-
 Node* AstGraphBuilder::BuildToBoolean(Node* input, TypeFeedbackId feedback_id) {
   if (Node* node = TryFastToBoolean(input)) return node;
   ToBooleanHints hints;
@@ -3923,8 +3907,11 @@ Node* AstGraphBuilder::TryLoadDynamicVariable(
     fast_block.EndBlock();
 
     // Slow case, because variable potentially shadowed. Perform dynamic lookup.
-    const Operator* op = javascript()->LoadDynamic(name, typeof_mode);
-    Node* slow = NewNode(op, BuildLoadFeedbackVector(), current_context());
+    const Operator* op =
+        javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF
+                                      ? Runtime::kLoadLookupSlot
+                                      : Runtime::kLoadLookupSlotInsideTypeof);
+    Node* slow = NewNode(op, jsgraph()->Constant(name));

[Michael Starzinger, 2016/02/10 19:48:16]

nit: Use aforementioned helper.

[Benedikt Meurer, 2016/02/11 05:25:05]

Done.

     states.AddToNode(slow, bailout_id, combine);
     environment()->Push(slow);
     slow_block.EndBlock();
@@ -3967,8 +3954,11 @@ Node* AstGraphBuilder::TryLoadDynamicVariable(
     fast_block.EndBlock();
 
     // Slow case, because variable potentially shadowed. Perform dynamic lookup.
-    const Operator* op = javascript()->LoadDynamic(name, typeof_mode);
-    Node* slow = NewNode(op, BuildLoadFeedbackVector(), current_context());
+    const Operator* op =
+        javascript()->CallRuntime(typeof_mode == TypeofMode::NOT_INSIDE_TYPEOF
+                                      ? Runtime::kLoadLookupSlot
+                                      : Runtime::kLoadLookupSlotInsideTypeof);
+    Node* slow = NewNode(op, jsgraph()->Constant(name));

[Michael Starzinger, 2016/02/10 19:48:16]

nit: Use aforementioned helper.

[Benedikt Meurer, 2016/02/11 05:25:04]

Done.

     states.AddToNode(slow, bailout_id, combine);
     environment()->Push(slow);
     slow_block.EndBlock();