[ic] Resurrect access checks for primitive and global proxy receivers.

src/code-stub-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "src/code-stub-assembler.h"
 #include "src/code-factory.h"
 #include "src/frames-inl.h"
 #include "src/frames.h"
 #include "src/ic/handler-configuration.h"
 #include "src/ic/stub-cache.h"
 
@@ skipping 2676 matching lines @@
   STATIC_ASSERT(LAST_JS_OBJECT_TYPE == LAST_TYPE);
   return IsJSReceiverInstanceType(LoadInstanceType(object));
 }
 
 Node* CodeStubAssembler::IsJSObject(Node* object) {
   STATIC_ASSERT(LAST_JS_OBJECT_TYPE == LAST_TYPE);
   return Int32GreaterThanOrEqual(LoadInstanceType(object),
                                  Int32Constant(FIRST_JS_RECEIVER_TYPE));
 }
 
+Node* CodeStubAssembler::IsJSGlobalProxy(Node* object) {
+  return Word32Equal(LoadInstanceType(object),
+                     Int32Constant(JS_GLOBAL_PROXY_TYPE));
+}
+
 Node* CodeStubAssembler::IsMap(Node* map) {
   return HasInstanceType(map, MAP_TYPE);
 }
 
 Node* CodeStubAssembler::IsJSValue(Node* map) {
   return HasInstanceType(map, JS_VALUE_TYPE);
 }
 
 Node* CodeStubAssembler::IsJSArray(Node* object) {
   return HasInstanceType(object, JS_ARRAY_TYPE);
@@ skipping 2933 matching lines @@
          &validity_cell_check_done);
   Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
   GotoIf(WordNotEqual(cell_value,
                       SmiConstant(Smi::FromInt(Map::kPrototypeChainValid))),
          miss);
   Goto(&validity_cell_check_done);
 
   Bind(&validity_cell_check_done);
   Node* smi_handler = LoadObjectField(handler, LoadHandler::kSmiHandlerOffset);
   CSA_ASSERT(TaggedIsSmi(smi_handler));
+  Node* handler_flags = SmiUntag(smi_handler);
 
   Label check_prototypes(this);
-  GotoUnless(IsSetWord<LoadHandler::DoNegativeLookupOnReceiverBits>(
-                 SmiUntag(smi_handler)),
-             &check_prototypes);
+  GotoUnless(
+      IsSetWord<LoadHandler::DoNegativeLookupOnReceiverBits>(handler_flags),
+      &check_prototypes);
   {
     // We have a dictionary receiver, do a negative lookup check.
     NameDictionaryNegativeLookup(p->receiver, p->name, miss);
     Goto(&check_prototypes);
   }
 
   Bind(&check_prototypes);
   Node* maybe_holder_cell =
       LoadObjectField(handler, LoadHandler::kHolderCellOffset);
   Label array_handler(this), tuple_handler(this);
@@ skipping 13 matching lines @@
     CSA_ASSERT(WordNotEqual(holder, IntPtrConstant(0)));
 
     var_holder->Bind(holder);
     var_smi_handler->Bind(smi_handler);
     Goto(if_smi_handler);
   }
 
   Bind(&array_handler);
   {
     Node* length = SmiUntag(maybe_holder_cell);
-    BuildFastLoop(MachineType::PointerRepresentation(),
-                  IntPtrConstant(LoadHandler::kFirstPrototypeIndex), length,
+
+    Variable start_index(this, MachineType::PointerRepresentation());
+    start_index.Bind(IntPtrConstant(LoadHandler::kFirstPrototypeIndex));
+
+    Label can_access(this);
+    GotoUnless(
+        IsSetWord<LoadHandler::DoAccessCheckOnReceiverBits>(handler_flags),
+        &can_access);
+    {
+      // Skip this entry of a handler.
+      start_index.Bind(IntPtrConstant(LoadHandler::kFirstPrototypeIndex + 1));
+
+      int offset =
+          FixedArray::OffsetOfElementAt(LoadHandler::kFirstPrototypeIndex);
+      Node* expected_native_context =
+          LoadWeakCellValue(LoadObjectField(handler, offset), miss);
+      CSA_ASSERT(IsNativeContext(expected_native_context));
+
+      Node* native_context = LoadNativeContext(p->context);
+      GotoIf(WordEqual(expected_native_context, native_context), &can_access);
+      // If the receiver is not a JSGlobalProxy then we miss.
+      GotoUnless(IsJSGlobalProxy(p->receiver), miss);
+      // For JSGlobalProxy receiver try to compare security tokens of current
+      // and expected native contexts.
+      Node* expected_token = LoadContextElement(expected_native_context,
+                                                Context::SECURITY_TOKEN_INDEX);
+      Node* current_token =
+          LoadContextElement(native_context, Context::SECURITY_TOKEN_INDEX);
+      Branch(WordEqual(expected_token, current_token), &can_access, miss);
+    }
+    Bind(&can_access);
+
+    BuildFastLoop(MachineType::PointerRepresentation(), start_index.value(),
+                  length,
                   [this, p, handler, miss](CodeStubAssembler*, Node* current) {
                     Node* prototype_cell = LoadFixedArrayElement(
                         handler, current, 0, INTPTR_PARAMETERS);
                     CheckPrototype(prototype_cell, p->name, miss);
                   },
                   1, IndexAdvanceMode::kPost);
 
     Node* maybe_holder_cell = LoadFixedArrayElement(
         handler, IntPtrConstant(LoadHandler::kHolderCellIndex), 0,
         INTPTR_PARAMETERS);
@@ skipping 22 matching lines @@
   Label done(this);
   Label if_property_cell(this), if_dictionary_object(this);
 
   // |maybe_prototype| is either a PropertyCell or a slow-mode prototype.
   Branch(WordEqual(LoadMap(maybe_prototype),
                    LoadRoot(Heap::kGlobalPropertyCellMapRootIndex)),
          &if_property_cell, &if_dictionary_object);
 
   Bind(&if_dictionary_object);
   {
+    CSA_ASSERT(IsDictionaryMap(LoadMap(maybe_prototype)));
     NameDictionaryNegativeLookup(maybe_prototype, name, miss);
     Goto(&done);
   }
 
   Bind(&if_property_cell);
   {
     // Ensure the property cell still contains the hole.
     Node* value = LoadObjectField(maybe_prototype, PropertyCell::kValueOffset);
     GotoIf(WordNotEqual(value, LoadRoot(Heap::kTheHoleValueRootIndex)), miss);
     Goto(&done);
@@ skipping 3098 matching lines @@
 }
 
 void CodeStubArguments::PopAndReturn(compiler::Node* value) {
   assembler_->PopAndReturn(
       assembler_->IntPtrAddFoldConstants(argc_, assembler_->IntPtrConstant(1)),
       value);
 }
 
 }  // namespace internal
 }  // namespace v8