src/compiler/js-native-context-specialization.cc - Issue 2231683002: [turbofan] Properly guard keyed stores wrt. setters in the prototype chain.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/compiler/js-native-context-specialization.cc

Issue 2231683002: [turbofan] Properly guard keyed stores wrt. setters in the prototype chain. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@2232483002

Patch Set: REBASE Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/compiler/js-native-context-specialization.cc

diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc

index 26793cc85185ea395bf134c0a6395df17f475b7e..0f6724ba2811af3da1e43c22cb565a2a486e93f6 100644

--- a/src/compiler/js-native-context-specialization.cc

+++ b/src/compiler/js-native-context-specialization.cc

@@ -472,6 +472,43 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(

DeoptimizeReason::kInsufficientTypeFeedbackForGenericKeyedAccess);

}

+ // For holey stores or growing stores, we need to check that the prototype

+ // chain contains no setters for elements, and we need to guard those checks

+ // via code dependencies on the relevant prototype maps.

+ if (access_mode == AccessMode::kStore) {

+ // TODO(turbofan): We could have a fast path here, that checks for the

+ // common case of Array or Object prototype only and therefore avoids

+ // the zone allocation of this vector.

+ ZoneVector<Handle<Map>> prototype_maps(zone());

+ for (ElementAccessInfo const& access_info : access_infos) {

+ for (Handle<Map> receiver_map : access_info.receiver_maps()) {

+ // If the {receiver_map} has a prototype and it's elements backing

+ // store is either holey, or we have a potentially growing store,

+ // then we need to check that all prototypes have stable maps with

+ // fast elements (and we need to guard against changes to that below).

+ if (IsHoleyElementsKind(receiver_map->elements_kind()) ||

+ IsGrowStoreMode(store_mode)) {

+ // Make sure all prototypes are stable and have fast elements.

+ for (Handle<Map> map = receiver_map;;) {

+ Handle<Object> map_prototype(map->prototype(), isolate());

+ if (map_prototype->IsNull(isolate())) break;

+ if (!map_prototype->IsJSObject()) return NoChange();

+ map = handle(Handle<JSObject>::cast(map_prototype)->map(),

+ isolate());

+ if (!map->is_stable()) return NoChange();

+ if (!IsFastElementsKind(map->elements_kind())) return NoChange();

+ prototype_maps.push_back(map);

+ }

+ // Install dependencies on the relevant prototype maps.

+ for (Handle<Map> prototype_map : prototype_maps) {

+ dependencies()->AssumeMapStable(prototype_map);

+ }

// Ensure that {receiver} is a heap object.

effect = BuildCheckTaggedPointer(receiver, effect, control);

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-5275-1.js » ('j') | no next file with comments »