[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati…

src/ic/accessor-assembler.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ic/accessor-assembler.h"
 #include "src/ic/accessor-assembler-impl.h"
 
 #include "src/code-factory.h"
 #include "src/code-stubs.h"
 #include "src/ic/handler-configuration.h"
@@ skipping 452 matching lines @@
   Variable var_smi_handler(this, MachineRepresentation::kTagged);
   Label if_smi_handler(this);
   HandleLoadICProtoHandlerCase(&p, handler, &var_holder, &var_smi_handler,
                                &if_smi_handler, miss,
                                throw_reference_error_if_nonexistent);
   Bind(&if_smi_handler);
   HandleLoadICSmiHandlerCase(&p, var_holder.value(), var_smi_handler.value(),
                              miss, kOnlyProperties);
 }
 
-void AccessorAssemblerImpl::HandleStoreICHandlerCase(const StoreICParameters* p,
-                                                     Node* handler,
-                                                     Label* miss) {
-  Label if_smi_handler(this);
-  Label try_proto_handler(this), call_handler(this);
+void AccessorAssemblerImpl::HandleStoreICHandlerCase(
+    const StoreICParameters* p, Node* handler, Label* miss,
+    ElementSupport support_elements) {
+  Label if_smi_handler(this), if_nonsmi_handler(this);
+  Label if_proto_handler(this), if_element_handler(this), call_handler(this);
 
-  Branch(TaggedIsSmi(handler), &if_smi_handler, &try_proto_handler);
+  Branch(TaggedIsSmi(handler), &if_smi_handler, &if_nonsmi_handler);
 
   // |handler| is a Smi, encoding what to do. See SmiHandler methods
   // for the encoding format.
   Bind(&if_smi_handler);
   {
     Node* holder = p->receiver;
     Node* handler_word = SmiUntag(handler);
 
     // Handle non-transitioning field stores.
     HandleStoreICSmiHandlerCase(handler_word, holder, p->value, nullptr, miss);
   }
 
-  Bind(&try_proto_handler);
+  Bind(&if_nonsmi_handler);
   {
-    GotoIf(IsCodeMap(LoadMap(handler)), &call_handler);
+    Node* handler_map = LoadMap(handler);
+    if (support_elements == kSupportElements) {
+      GotoIf(IsTuple2Map(handler_map), &if_element_handler);
+    }
+    Branch(IsCodeMap(handler_map), &call_handler, &if_proto_handler);

[Igor Sheludko, 2016/12/02 09:32:36]

StoreIC still supports code handlers if IsTuple2() check fails.

+  }
+
+  if (support_elements == kSupportElements) {
+    Bind(&if_element_handler);
+    { HandleStoreICElementHandlerCase(p, handler, miss); }
+  }
+
+  Bind(&if_proto_handler);
+  {
     HandleStoreICProtoHandler(p, handler, miss);
   }
 
   // |handler| is a heap object. Must be code, call it.
   Bind(&call_handler);
   {
     StoreWithVectorDescriptor descriptor(isolate());
     TailCallStub(descriptor, handler, p->context, p->receiver, p->name,
                  p->value, p->slot, p->vector);
   }
 }
 
+void AccessorAssemblerImpl::HandleStoreICElementHandlerCase(
+    const StoreICParameters* p, Node* handler, Label* miss) {
+  Comment("HandleStoreICElementHandlerCase");
+  Node* validity_cell = LoadObjectField(handler, Tuple2::kValue1Offset);
+  Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
+  GotoIf(WordNotEqual(cell_value,
+                      SmiConstant(Smi::FromInt(Map::kPrototypeChainValid))),
+         miss);
+
+  Node* code_handler = LoadObjectField(handler, Tuple2::kValue2Offset);
+  CSA_ASSERT(this, IsCodeMap(LoadMap(code_handler)));
+
+  StoreWithVectorDescriptor descriptor(isolate());
+  TailCallStub(descriptor, code_handler, p->context, p->receiver, p->name,
+               p->value, p->slot, p->vector);
+}
+
 void AccessorAssemblerImpl::HandleStoreICProtoHandler(
     const StoreICParameters* p, Node* handler, Label* miss) {
   // IC dispatchers rely on these assumptions to be held.
   STATIC_ASSERT(FixedArray::kLengthOffset ==
                 StoreHandler::kTransitionCellOffset);
   DCHECK_EQ(FixedArray::OffsetOfElementAt(StoreHandler::kSmiHandlerIndex),
             StoreHandler::kSmiHandlerOffset);
   DCHECK_EQ(FixedArray::OffsetOfElementAt(StoreHandler::kValidityCellIndex),
             StoreHandler::kValidityCellOffset);
 
@@ skipping 979 matching lines @@
 
   Node* receiver_map = LoadReceiverMap(p->receiver);
 
   // Check monomorphic case.
   Node* feedback =
       TryMonomorphicCase(p->slot, p->vector, receiver_map, &if_handler,
                          &var_handler, &try_polymorphic);
   Bind(&if_handler);
   {
     Comment("KeyedStoreIC_if_handler");
-    HandleStoreICHandlerCase(p, var_handler.value(), &miss);
+    HandleStoreICHandlerCase(p, var_handler.value(), &miss, kSupportElements);
   }
 
   Bind(&try_polymorphic);
   {
     // CheckPolymorphic case.
     Comment("KeyedStoreIC_try_polymorphic");
     GotoUnless(
         WordEqual(LoadMap(feedback), LoadRoot(Heap::kFixedArrayMapRootIndex)),
         &try_megamorphic);
     Label if_transition_handler(this);
     Variable var_transition_map_cell(this, MachineRepresentation::kTagged);
     HandleKeyedStorePolymorphicCase(receiver_map, feedback, &if_handler,
                                     &var_handler, &if_transition_handler,
                                     &var_transition_map_cell, &miss);
     Bind(&if_transition_handler);
     Comment("KeyedStoreIC_polymorphic_transition");
-    Node* transition_map =
-        LoadWeakCellValue(var_transition_map_cell.value(), &miss);
-    StoreTransitionDescriptor descriptor(isolate());
-    TailCallStub(descriptor, var_handler.value(), p->context, p->receiver,
-                 p->name, transition_map, p->value, p->slot, p->vector);
+    {
+      Node* handler = var_handler.value();
+
+      Label call_handler(this);
+      Variable var_code_handler(this, MachineRepresentation::kTagged);
+      var_code_handler.Bind(handler);
+      GotoUnless(IsTuple2Map(LoadMap(handler)), &call_handler);
+      {
+        CSA_ASSERT(this, IsTuple2Map(LoadMap(handler)));
+
+        // Check validity cell.
+        Node* validity_cell = LoadObjectField(handler, Tuple2::kValue1Offset);
+        Node* cell_value = LoadObjectField(validity_cell, Cell::kValueOffset);
+        GotoIf(WordNotEqual(cell_value, SmiConstant(Map::kPrototypeChainValid)),
+               &miss);
+
+        var_code_handler.Bind(LoadObjectField(handler, Tuple2::kValue2Offset));
+        Goto(&call_handler);
+      }
+
+      Bind(&call_handler);
+      {
+        Node* code_handler = var_code_handler.value();
+        CSA_ASSERT(this, IsCodeMap(LoadMap(code_handler)));
+
+        Node* transition_map =
+            LoadWeakCellValue(var_transition_map_cell.value(), &miss);
+        StoreTransitionDescriptor descriptor(isolate());
+        TailCallStub(descriptor, code_handler, p->context, p->receiver, p->name,
+                     transition_map, p->value, p->slot, p->vector);
+      }
+    }
   }
 
   Bind(&try_megamorphic);
   {
     // Check megamorphic case.
     Comment("KeyedStoreIC_try_megamorphic");
     GotoUnless(
         WordEqual(feedback, LoadRoot(Heap::kmegamorphic_symbolRootIndex)),
         &try_polymorphic_name);
     TailCallStub(
@@ skipping 226 matching lines @@
 void AccessorAssembler::GenerateKeyedStoreICTrampolineTF(
     CodeAssemblerState* state, LanguageMode language_mode) {
   AccessorAssemblerImpl assembler(state);
   assembler.GenerateKeyedStoreICTrampolineTF(language_mode);
 }
 
 #undef ACCESSOR_ASSEMBLER_PUBLIC_INTERFACE
 
 }  // namespace internal
 }  // namespace v8