[ic] Resurrect access checks for primitive and global proxy receivers.

src/ic/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ic/ic.h"
 
 #include <iostream>
 
 #include "src/accessors.h"
 #include "src/api-arguments-inl.h"
@@ skipping 850 matching lines @@
   if (receiver_map->IsJSGlobalObjectMap()) {
     return -1;
   }
   // We don't encode the requirement to check access rights because we already
   // passed the access check for current native context and the access
   // can't be revoked.
 
   HandleScope scope(isolate);
   int checks_count = 0;
 
+  if (receiver_map->IsPrimitiveMap() || receiver_map->IsJSGlobalProxyMap()) {
+    // The validity cell check for primitive and global proxy receivers does
+    // not guarantee that certain native context ever had access to other
+    // native context. However, a handler created for one native context could
+    // be used in other native context through the megamorphic stub cache.
+    // So we record the original native context to which this handler
+    // corresponds.
+    if (fill_array) {
+      Handle<Context> native_context = isolate->native_context();
+      array->set(LoadHandler::kFirstPrototypeIndex + checks_count,
+                 native_context->self_weak_cell());
+    }
+    checks_count++;
+  }
+
   // Create/count entries for each global or dictionary prototype appeared in
   // the prototype chain contains from receiver till holder.
   for (PrototypeIterator iter(receiver_map); !iter.IsAtEnd(); iter.Advance()) {
     Handle<JSObject> current = PrototypeIterator::GetCurrent<JSObject>(iter);
     if (holder.is_identical_to(current)) break;
     Handle<Map> current_map(current->map(), isolate);
 
     if (current_map->IsJSGlobalObjectMap()) {
       if (fill_array) {
         Handle<JSGlobalObject> global = Handle<JSGlobalObject>::cast(current);
@@ skipping 29 matching lines @@
   return InitPrototypeChecks<false>(isolate(), receiver_map, holder,
                                     Handle<FixedArray>(), Handle<Name>());
 }
 
 Handle<Object> LoadIC::LoadFromPrototype(Handle<Map> receiver_map,
                                          Handle<JSObject> holder,
                                          Handle<Name> name,
                                          Handle<Object> smi_handler) {
   int checks_count = GetPrototypeCheckCount(receiver_map, holder);
   DCHECK_LE(0, checks_count);
+  DCHECK(!receiver_map->IsJSGlobalObjectMap());
 
-  if (receiver_map->IsJSGlobalObjectMap()) {
-    UNREACHABLE();
+  if (receiver_map->IsPrimitiveMap() || receiver_map->IsJSGlobalProxyMap()) {
+    DCHECK(!receiver_map->is_dictionary_map());
+    DCHECK_LE(1, checks_count);  // For native context.
+    smi_handler =
+        LoadHandler::EnableAccessCheckOnReceiver(isolate(), smi_handler);
   } else if (receiver_map->is_dictionary_map()) {
     smi_handler =
         LoadHandler::EnableNegativeLookupOnReceiver(isolate(), smi_handler);
   }
 
   Handle<Cell> validity_cell =
       Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate());
   DCHECK(!validity_cell.is_null());
 
   Handle<WeakCell> holder_cell =
@@ skipping 16 matching lines @@
 Handle<Object> LoadIC::LoadNonExistent(Handle<Map> receiver_map,
                                        Handle<Name> name) {
   Handle<JSObject> holder;  // null handle
   int checks_count = GetPrototypeCheckCount(receiver_map, holder);
   DCHECK_LE(0, checks_count);
   DCHECK(!receiver_map->IsJSGlobalObjectMap());
 
   Handle<Object> smi_handler = LoadHandler::LoadNonExistent(
       isolate(), receiver_map->is_dictionary_map());
 
+  if (receiver_map->IsPrimitiveMap() || receiver_map->IsJSGlobalProxyMap()) {
+    DCHECK(!receiver_map->is_dictionary_map());
+    DCHECK_LE(1, checks_count);  // For native context.
+    smi_handler =
+        LoadHandler::EnableAccessCheckOnReceiver(isolate(), smi_handler);
+  }
+
   Handle<Object> validity_cell =
       Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate());
   if (validity_cell.is_null()) {
     // This must be a case when receiver's prototype is null.
     DCHECK_EQ(*isolate()->factory()->null_value(),
               receiver_map->GetPrototypeChainRootMap(isolate())->prototype());
     DCHECK_EQ(0, checks_count);
     validity_cell = handle(Smi::FromInt(0), isolate());
   }
 
@@ skipping 2203 matching lines @@
     DCHECK_EQ(LookupIterator::INTERCEPTOR, it.state());
     it.Next();
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result,
                                        Object::GetProperty(&it));
   }
 
   return *result;
 }
 }  // namespace internal
 }  // namespace v8