| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/v8.h" | 5 #include "src/v8.h" |
| 6 | 6 |
| 7 #if V8_TARGET_ARCH_ARM64 | 7 #if V8_TARGET_ARCH_ARM64 |
| 8 | 8 |
| 9 #include "src/ic/call-optimization.h" | 9 #include "src/ic/call-optimization.h" |
| 10 #include "src/ic/handler-compiler.h" | 10 #include "src/ic/handler-compiler.h" |
| (...skipping 459 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 470 DCHECK(!AreAliased(holder_reg, scratch1, scratch2)); | 470 DCHECK(!AreAliased(holder_reg, scratch1, scratch2)); |
| 471 | 471 |
| 472 // Keep track of the current object in register reg. | 472 // Keep track of the current object in register reg. |
| 473 Register reg = object_reg; | 473 Register reg = object_reg; |
| 474 int depth = 0; | 474 int depth = 0; |
| 475 | 475 |
| 476 Handle<JSObject> current = Handle<JSObject>::null(); | 476 Handle<JSObject> current = Handle<JSObject>::null(); |
| 477 if (receiver_map->IsJSGlobalObjectMap()) { | 477 if (receiver_map->IsJSGlobalObjectMap()) { |
| 478 current = isolate()->global_object(); | 478 current = isolate()->global_object(); |
| 479 } | 479 } |
| 480 |
| 481 // Check access rights to the global object. This has to happen after |
| 482 // the map check so that we know that the object is actually a global |
| 483 // object. |
| 484 // This allows us to install generated handlers for accesses to the |
| 485 // global proxy (as opposed to using slow ICs). See corresponding code |
| 486 // in LookupForRead(). |
| 487 if (receiver_map->IsJSGlobalProxyMap()) { |
| 488 UseScratchRegisterScope temps(masm()); |
| 489 __ CheckAccessGlobalProxy(reg, scratch2, temps.AcquireX(), miss); |
| 490 } |
| 491 |
| 480 Handle<JSObject> prototype = Handle<JSObject>::null(); | 492 Handle<JSObject> prototype = Handle<JSObject>::null(); |
| 481 Handle<Map> current_map = receiver_map; | 493 Handle<Map> current_map = receiver_map; |
| 482 Handle<Map> holder_map(holder()->map()); | 494 Handle<Map> holder_map(holder()->map()); |
| 483 // Traverse the prototype chain and check the maps in the prototype chain for | 495 // Traverse the prototype chain and check the maps in the prototype chain for |
| 484 // fast and global objects or do negative lookup for normal objects. | 496 // fast and global objects or do negative lookup for normal objects. |
| 485 while (!current_map.is_identical_to(holder_map)) { | 497 while (!current_map.is_identical_to(holder_map)) { |
| 486 ++depth; | 498 ++depth; |
| 487 | 499 |
| 488 // Only global objects and objects that do not require access | 500 // Only global objects and objects that do not require access |
| 489 // checks are allowed in stubs. | 501 // checks are allowed in stubs. |
| (...skipping 20 matching lines...) Expand all Loading... |
| 510 } else { | 522 } else { |
| 511 Register map_reg = scratch1; | 523 Register map_reg = scratch1; |
| 512 __ Ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset)); | 524 __ Ldr(map_reg, FieldMemOperand(reg, HeapObject::kMapOffset)); |
| 513 | 525 |
| 514 if (depth != 1 || check == CHECK_ALL_MAPS) { | 526 if (depth != 1 || check == CHECK_ALL_MAPS) { |
| 515 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 527 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 516 __ CmpWeakValue(map_reg, cell, scratch2); | 528 __ CmpWeakValue(map_reg, cell, scratch2); |
| 517 __ B(ne, miss); | 529 __ B(ne, miss); |
| 518 } | 530 } |
| 519 | 531 |
| 520 // Check access rights to the global object. This has to happen after | 532 if (current_map->IsJSGlobalObjectMap()) { |
| 521 // the map check so that we know that the object is actually a global | |
| 522 // object. | |
| 523 // This allows us to install generated handlers for accesses to the | |
| 524 // global proxy (as opposed to using slow ICs). See corresponding code | |
| 525 // in LookupForRead(). | |
| 526 if (current_map->IsJSGlobalProxyMap()) { | |
| 527 UseScratchRegisterScope temps(masm()); | |
| 528 __ CheckAccessGlobalProxy(reg, scratch2, temps.AcquireX(), miss); | |
| 529 } else if (current_map->IsJSGlobalObjectMap()) { | |
| 530 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), | 533 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), |
| 531 name, scratch2, miss); | 534 name, scratch2, miss); |
| 532 } | 535 } |
| 533 | 536 |
| 534 reg = holder_reg; // From now on the object will be in holder_reg. | 537 reg = holder_reg; // From now on the object will be in holder_reg. |
| 535 | 538 |
| 536 __ Ldr(reg, FieldMemOperand(map_reg, Map::kPrototypeOffset)); | 539 __ Ldr(reg, FieldMemOperand(map_reg, Map::kPrototypeOffset)); |
| 537 } | 540 } |
| 538 | 541 |
| 539 // Go to the next object in the prototype chain. | 542 // Go to the next object in the prototype chain. |
| 540 current = prototype; | 543 current = prototype; |
| 541 current_map = handle(current->map()); | 544 current_map = handle(current->map()); |
| 542 } | 545 } |
| 543 | 546 |
| 544 // Log the check depth. | 547 // Log the check depth. |
| 545 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); | 548 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); |
| 546 | 549 |
| 547 // Check the holder map. | 550 // Check the holder map. |
| 548 if (depth != 0 || check == CHECK_ALL_MAPS) { | 551 if (depth != 0 || check == CHECK_ALL_MAPS) { |
| 549 // Check the holder map. | 552 // Check the holder map. |
| 550 __ Ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset)); | 553 __ Ldr(scratch1, FieldMemOperand(reg, HeapObject::kMapOffset)); |
| 551 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 554 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 552 __ CmpWeakValue(scratch1, cell, scratch2); | 555 __ CmpWeakValue(scratch1, cell, scratch2); |
| 553 __ B(ne, miss); | 556 __ B(ne, miss); |
| 554 } | 557 } |
| 555 | 558 |
| 556 // Perform security check for access to the global object. | |
| 557 DCHECK(current_map->IsJSGlobalProxyMap() || | |
| 558 !current_map->is_access_check_needed()); | |
| 559 if (current_map->IsJSGlobalProxyMap()) { | |
| 560 __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss); | |
| 561 } | |
| 562 | |
| 563 // Return the register containing the holder. | 559 // Return the register containing the holder. |
| 564 return reg; | 560 return reg; |
| 565 } | 561 } |
| 566 | 562 |
| 567 | 563 |
| 568 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { | 564 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { |
| 569 if (!miss->is_unused()) { | 565 if (!miss->is_unused()) { |
| 570 Label success; | 566 Label success; |
| 571 __ B(&success); | 567 __ B(&success); |
| 572 | 568 |
| (...skipping 192 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 765 // Return the generated code. | 761 // Return the generated code. |
| 766 return GetCode(kind(), Code::FAST, name); | 762 return GetCode(kind(), Code::FAST, name); |
| 767 } | 763 } |
| 768 | 764 |
| 769 | 765 |
| 770 #undef __ | 766 #undef __ |
| 771 } | 767 } |
| 772 } // namespace v8::internal | 768 } // namespace v8::internal |
| 773 | 769 |
| 774 #endif // V8_TARGET_ARCH_IA32 | 770 #endif // V8_TARGET_ARCH_IA32 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 958843002:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. Proxies up the chai… (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master