| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/v8.h" | 5 #include "src/v8.h" |
| 6 | 6 |
| 7 #if V8_TARGET_ARCH_X64 | 7 #if V8_TARGET_ARCH_X64 |
| 8 | 8 |
| 9 #include "src/ic/call-optimization.h" | 9 #include "src/ic/call-optimization.h" |
| 10 #include "src/ic/handler-compiler.h" | 10 #include "src/ic/handler-compiler.h" |
| (...skipping 413 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 424 // Keep track of the current object in register reg. On the first | 424 // Keep track of the current object in register reg. On the first |
| 425 // iteration, reg is an alias for object_reg, on later iterations, | 425 // iteration, reg is an alias for object_reg, on later iterations, |
| 426 // it is an alias for holder_reg. | 426 // it is an alias for holder_reg. |
| 427 Register reg = object_reg; | 427 Register reg = object_reg; |
| 428 int depth = 0; | 428 int depth = 0; |
| 429 | 429 |
| 430 Handle<JSObject> current = Handle<JSObject>::null(); | 430 Handle<JSObject> current = Handle<JSObject>::null(); |
| 431 if (receiver_map->IsJSGlobalObjectMap()) { | 431 if (receiver_map->IsJSGlobalObjectMap()) { |
| 432 current = isolate()->global_object(); | 432 current = isolate()->global_object(); |
| 433 } | 433 } |
| 434 |
| 435 // Check access rights to the global object. This has to happen after |
| 436 // the map check so that we know that the object is actually a global |
| 437 // object. |
| 438 // This allows us to install generated handlers for accesses to the |
| 439 // global proxy (as opposed to using slow ICs). See corresponding code |
| 440 // in LookupForRead(). |
| 441 if (receiver_map->IsJSGlobalProxyMap()) { |
| 442 __ CheckAccessGlobalProxy(reg, scratch2, miss); |
| 443 } |
| 444 |
| 434 Handle<JSObject> prototype = Handle<JSObject>::null(); | 445 Handle<JSObject> prototype = Handle<JSObject>::null(); |
| 435 Handle<Map> current_map = receiver_map; | 446 Handle<Map> current_map = receiver_map; |
| 436 Handle<Map> holder_map(holder()->map()); | 447 Handle<Map> holder_map(holder()->map()); |
| 437 // Traverse the prototype chain and check the maps in the prototype chain for | 448 // Traverse the prototype chain and check the maps in the prototype chain for |
| 438 // fast and global objects or do negative lookup for normal objects. | 449 // fast and global objects or do negative lookup for normal objects. |
| 439 while (!current_map.is_identical_to(holder_map)) { | 450 while (!current_map.is_identical_to(holder_map)) { |
| 440 ++depth; | 451 ++depth; |
| 441 | 452 |
| 442 // Only global objects and objects that do not require access | 453 // Only global objects and objects that do not require access |
| 443 // checks are allowed in stubs. | 454 // checks are allowed in stubs. |
| (...skipping 21 matching lines...) Expand all Loading... |
| 465 } else { | 476 } else { |
| 466 Register map_reg = scratch1; | 477 Register map_reg = scratch1; |
| 467 __ movp(map_reg, FieldOperand(reg, HeapObject::kMapOffset)); | 478 __ movp(map_reg, FieldOperand(reg, HeapObject::kMapOffset)); |
| 468 | 479 |
| 469 if (depth != 1 || check == CHECK_ALL_MAPS) { | 480 if (depth != 1 || check == CHECK_ALL_MAPS) { |
| 470 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 481 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 471 __ CmpWeakValue(map_reg, cell, scratch2); | 482 __ CmpWeakValue(map_reg, cell, scratch2); |
| 472 __ j(not_equal, miss); | 483 __ j(not_equal, miss); |
| 473 } | 484 } |
| 474 | 485 |
| 475 // Check access rights to the global object. This has to happen after | 486 if (current_map->IsJSGlobalObjectMap()) { |
| 476 // the map check so that we know that the object is actually a global | |
| 477 // object. | |
| 478 // This allows us to install generated handlers for accesses to the | |
| 479 // global proxy (as opposed to using slow ICs). See corresponding code | |
| 480 // in LookupForRead(). | |
| 481 if (current_map->IsJSGlobalProxyMap()) { | |
| 482 __ CheckAccessGlobalProxy(reg, scratch2, miss); | |
| 483 } else if (current_map->IsJSGlobalObjectMap()) { | |
| 484 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), | 487 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), |
| 485 name, scratch2, miss); | 488 name, scratch2, miss); |
| 486 } | 489 } |
| 487 reg = holder_reg; // From now on the object will be in holder_reg. | 490 reg = holder_reg; // From now on the object will be in holder_reg. |
| 488 | 491 |
| 489 __ movp(reg, FieldOperand(map_reg, Map::kPrototypeOffset)); | 492 __ movp(reg, FieldOperand(map_reg, Map::kPrototypeOffset)); |
| 490 } | 493 } |
| 491 | 494 |
| 492 // Go to the next object in the prototype chain. | 495 // Go to the next object in the prototype chain. |
| 493 current = prototype; | 496 current = prototype; |
| 494 current_map = handle(current->map()); | 497 current_map = handle(current->map()); |
| 495 } | 498 } |
| 496 | 499 |
| 497 // Log the check depth. | 500 // Log the check depth. |
| 498 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); | 501 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); |
| 499 | 502 |
| 500 if (depth != 0 || check == CHECK_ALL_MAPS) { | 503 if (depth != 0 || check == CHECK_ALL_MAPS) { |
| 501 __ movp(scratch1, FieldOperand(reg, HeapObject::kMapOffset)); | 504 __ movp(scratch1, FieldOperand(reg, HeapObject::kMapOffset)); |
| 502 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 505 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 503 __ CmpWeakValue(scratch1, cell, scratch2); | 506 __ CmpWeakValue(scratch1, cell, scratch2); |
| 504 __ j(not_equal, miss); | 507 __ j(not_equal, miss); |
| 505 } | 508 } |
| 506 | 509 |
| 507 // Perform security check for access to the global object. | |
| 508 DCHECK(current_map->IsJSGlobalProxyMap() || | |
| 509 !current_map->is_access_check_needed()); | |
| 510 if (current_map->IsJSGlobalProxyMap()) { | |
| 511 __ CheckAccessGlobalProxy(reg, scratch1, miss); | |
| 512 } | |
| 513 | |
| 514 // Return the register containing the holder. | 510 // Return the register containing the holder. |
| 515 return reg; | 511 return reg; |
| 516 } | 512 } |
| 517 | 513 |
| 518 | 514 |
| 519 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { | 515 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { |
| 520 if (!miss->is_unused()) { | 516 if (!miss->is_unused()) { |
| 521 Label success; | 517 Label success; |
| 522 __ jmp(&success); | 518 __ jmp(&success); |
| 523 __ bind(miss); | 519 __ bind(miss); |
| (...skipping 239 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 763 // Return the generated code. | 759 // Return the generated code. |
| 764 return GetCode(kind(), Code::NORMAL, name); | 760 return GetCode(kind(), Code::NORMAL, name); |
| 765 } | 761 } |
| 766 | 762 |
| 767 | 763 |
| 768 #undef __ | 764 #undef __ |
| 769 } | 765 } |
| 770 } // namespace v8::internal | 766 } // namespace v8::internal |
| 771 | 767 |
| 772 #endif // V8_TARGET_ARCH_X64 | 768 #endif // V8_TARGET_ARCH_X64 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 958843002:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. Proxies up the chai… (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master