| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/v8.h" | 5 #include "src/v8.h" |
| 6 | 6 |
| 7 #if V8_TARGET_ARCH_ARM | 7 #if V8_TARGET_ARCH_ARM |
| 8 | 8 |
| 9 #include "src/ic/call-optimization.h" | 9 #include "src/ic/call-optimization.h" |
| 10 #include "src/ic/handler-compiler.h" | 10 #include "src/ic/handler-compiler.h" |
| (...skipping 410 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 421 !scratch2.is(scratch1)); | 421 !scratch2.is(scratch1)); |
| 422 | 422 |
| 423 // Keep track of the current object in register reg. | 423 // Keep track of the current object in register reg. |
| 424 Register reg = object_reg; | 424 Register reg = object_reg; |
| 425 int depth = 0; | 425 int depth = 0; |
| 426 | 426 |
| 427 Handle<JSObject> current = Handle<JSObject>::null(); | 427 Handle<JSObject> current = Handle<JSObject>::null(); |
| 428 if (receiver_map->IsJSGlobalObjectMap()) { | 428 if (receiver_map->IsJSGlobalObjectMap()) { |
| 429 current = isolate()->global_object(); | 429 current = isolate()->global_object(); |
| 430 } | 430 } |
| 431 |
| 432 // Check access rights to the global object. This has to happen after |
| 433 // the map check so that we know that the object is actually a global |
| 434 // object. |
| 435 // This allows us to install generated handlers for accesses to the |
| 436 // global proxy (as opposed to using slow ICs). See corresponding code |
| 437 // in LookupForRead(). |
| 438 if (receiver_map->IsJSGlobalProxyMap()) { |
| 439 __ CheckAccessGlobalProxy(reg, scratch2, miss); |
| 440 } |
| 441 |
| 431 Handle<JSObject> prototype = Handle<JSObject>::null(); | 442 Handle<JSObject> prototype = Handle<JSObject>::null(); |
| 432 Handle<Map> current_map = receiver_map; | 443 Handle<Map> current_map = receiver_map; |
| 433 Handle<Map> holder_map(holder()->map()); | 444 Handle<Map> holder_map(holder()->map()); |
| 434 // Traverse the prototype chain and check the maps in the prototype chain for | 445 // Traverse the prototype chain and check the maps in the prototype chain for |
| 435 // fast and global objects or do negative lookup for normal objects. | 446 // fast and global objects or do negative lookup for normal objects. |
| 436 while (!current_map.is_identical_to(holder_map)) { | 447 while (!current_map.is_identical_to(holder_map)) { |
| 437 ++depth; | 448 ++depth; |
| 438 | 449 |
| 439 // Only global objects and objects that do not require access | 450 // Only global objects and objects that do not require access |
| 440 // checks are allowed in stubs. | 451 // checks are allowed in stubs. |
| (...skipping 20 matching lines...) Expand all Loading... |
| 461 __ ldr(reg, FieldMemOperand(scratch1, Map::kPrototypeOffset)); | 472 __ ldr(reg, FieldMemOperand(scratch1, Map::kPrototypeOffset)); |
| 462 } else { | 473 } else { |
| 463 Register map_reg = scratch1; | 474 Register map_reg = scratch1; |
| 464 __ ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset)); | 475 __ ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset)); |
| 465 if (depth != 1 || check == CHECK_ALL_MAPS) { | 476 if (depth != 1 || check == CHECK_ALL_MAPS) { |
| 466 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 477 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 467 __ CmpWeakValue(map_reg, cell, scratch2); | 478 __ CmpWeakValue(map_reg, cell, scratch2); |
| 468 __ b(ne, miss); | 479 __ b(ne, miss); |
| 469 } | 480 } |
| 470 | 481 |
| 471 // Check access rights to the global object. This has to happen after | 482 if (current_map->IsJSGlobalObjectMap()) { |
| 472 // the map check so that we know that the object is actually a global | |
| 473 // object. | |
| 474 // This allows us to install generated handlers for accesses to the | |
| 475 // global proxy (as opposed to using slow ICs). See corresponding code | |
| 476 // in LookupForRead(). | |
| 477 if (current_map->IsJSGlobalProxyMap()) { | |
| 478 __ CheckAccessGlobalProxy(reg, scratch2, miss); | |
| 479 } else if (current_map->IsJSGlobalObjectMap()) { | |
| 480 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), | 483 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), |
| 481 name, scratch2, miss); | 484 name, scratch2, miss); |
| 482 } | 485 } |
| 483 | 486 |
| 484 reg = holder_reg; // From now on the object will be in holder_reg. | 487 reg = holder_reg; // From now on the object will be in holder_reg. |
| 485 | 488 |
| 486 __ ldr(reg, FieldMemOperand(map_reg, Map::kPrototypeOffset)); | 489 __ ldr(reg, FieldMemOperand(map_reg, Map::kPrototypeOffset)); |
| 487 } | 490 } |
| 488 | 491 |
| 489 // Go to the next object in the prototype chain. | 492 // Go to the next object in the prototype chain. |
| 490 current = prototype; | 493 current = prototype; |
| 491 current_map = handle(current->map()); | 494 current_map = handle(current->map()); |
| 492 } | 495 } |
| 493 | 496 |
| 494 // Log the check depth. | 497 // Log the check depth. |
| 495 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); | 498 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); |
| 496 | 499 |
| 497 if (depth != 0 || check == CHECK_ALL_MAPS) { | 500 if (depth != 0 || check == CHECK_ALL_MAPS) { |
| 498 // Check the holder map. | 501 // Check the holder map. |
| 499 __ ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset)); | 502 __ ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset)); |
| 500 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 503 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 501 __ CmpWeakValue(scratch1, cell, scratch2); | 504 __ CmpWeakValue(scratch1, cell, scratch2); |
| 502 __ b(ne, miss); | 505 __ b(ne, miss); |
| 503 } | 506 } |
| 504 | 507 |
| 505 // Perform security check for access to the global object. | |
| 506 DCHECK(current_map->IsJSGlobalProxyMap() || | |
| 507 !current_map->is_access_check_needed()); | |
| 508 if (current_map->IsJSGlobalProxyMap()) { | |
| 509 __ CheckAccessGlobalProxy(reg, scratch1, miss); | |
| 510 } | |
| 511 | |
| 512 // Return the register containing the holder. | 508 // Return the register containing the holder. |
| 513 return reg; | 509 return reg; |
| 514 } | 510 } |
| 515 | 511 |
| 516 | 512 |
| 517 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { | 513 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { |
| 518 if (!miss->is_unused()) { | 514 if (!miss->is_unused()) { |
| 519 Label success; | 515 Label success; |
| 520 __ b(&success); | 516 __ b(&success); |
| 521 __ bind(miss); | 517 __ bind(miss); |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 752 // Return the generated code. | 748 // Return the generated code. |
| 753 return GetCode(kind(), Code::NORMAL, name); | 749 return GetCode(kind(), Code::NORMAL, name); |
| 754 } | 750 } |
| 755 | 751 |
| 756 | 752 |
| 757 #undef __ | 753 #undef __ |
| 758 } | 754 } |
| 759 } // namespace v8::internal | 755 } // namespace v8::internal |
| 760 | 756 |
| 761 #endif // V8_TARGET_ARCH_ARM | 757 #endif // V8_TARGET_ARCH_ARM |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 958843002:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. Proxies up the chai… (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master