| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/v8.h" | 5 #include "src/v8.h" |
| 6 | 6 |
| 7 #if V8_TARGET_ARCH_X87 | 7 #if V8_TARGET_ARCH_X87 |
| 8 | 8 |
| 9 #include "src/ic/call-optimization.h" | 9 #include "src/ic/call-optimization.h" |
| 10 #include "src/ic/handler-compiler.h" | 10 #include "src/ic/handler-compiler.h" |
| (...skipping 413 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 424 !scratch2.is(scratch1)); | 424 !scratch2.is(scratch1)); |
| 425 | 425 |
| 426 // Keep track of the current object in register reg. | 426 // Keep track of the current object in register reg. |
| 427 Register reg = object_reg; | 427 Register reg = object_reg; |
| 428 int depth = 0; | 428 int depth = 0; |
| 429 | 429 |
| 430 Handle<JSObject> current = Handle<JSObject>::null(); | 430 Handle<JSObject> current = Handle<JSObject>::null(); |
| 431 if (receiver_map->IsJSGlobalObjectMap()) { | 431 if (receiver_map->IsJSGlobalObjectMap()) { |
| 432 current = isolate()->global_object(); | 432 current = isolate()->global_object(); |
| 433 } | 433 } |
| 434 |
| 435 // Check access rights to the global object. This has to happen after |
| 436 // the map check so that we know that the object is actually a global |
| 437 // object. |
| 438 // This allows us to install generated handlers for accesses to the |
| 439 // global proxy (as opposed to using slow ICs). See corresponding code |
| 440 // in LookupForRead(). |
| 441 if (receiver_map->IsJSGlobalProxyMap()) { |
| 442 __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss); |
| 443 } |
| 444 |
| 434 Handle<JSObject> prototype = Handle<JSObject>::null(); | 445 Handle<JSObject> prototype = Handle<JSObject>::null(); |
| 435 Handle<Map> current_map = receiver_map; | 446 Handle<Map> current_map = receiver_map; |
| 436 Handle<Map> holder_map(holder()->map()); | 447 Handle<Map> holder_map(holder()->map()); |
| 437 // Traverse the prototype chain and check the maps in the prototype chain for | 448 // Traverse the prototype chain and check the maps in the prototype chain for |
| 438 // fast and global objects or do negative lookup for normal objects. | 449 // fast and global objects or do negative lookup for normal objects. |
| 439 while (!current_map.is_identical_to(holder_map)) { | 450 while (!current_map.is_identical_to(holder_map)) { |
| 440 ++depth; | 451 ++depth; |
| 441 | 452 |
| 442 // Only global objects and objects that do not require access | 453 // Only global objects and objects that do not require access |
| 443 // checks are allowed in stubs. | 454 // checks are allowed in stubs. |
| (...skipping 20 matching lines...) Expand all Loading... |
| 464 __ mov(reg, FieldOperand(scratch1, Map::kPrototypeOffset)); | 475 __ mov(reg, FieldOperand(scratch1, Map::kPrototypeOffset)); |
| 465 } else { | 476 } else { |
| 466 Register map_reg = scratch1; | 477 Register map_reg = scratch1; |
| 467 __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset)); | 478 __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset)); |
| 468 if (depth != 1 || check == CHECK_ALL_MAPS) { | 479 if (depth != 1 || check == CHECK_ALL_MAPS) { |
| 469 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 480 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 470 __ CmpWeakValue(map_reg, cell, scratch2); | 481 __ CmpWeakValue(map_reg, cell, scratch2); |
| 471 __ j(not_equal, miss); | 482 __ j(not_equal, miss); |
| 472 } | 483 } |
| 473 | 484 |
| 474 // Check access rights to the global object. This has to happen after | 485 if (current_map->IsJSGlobalObjectMap()) { |
| 475 // the map check so that we know that the object is actually a global | |
| 476 // object. | |
| 477 // This allows us to install generated handlers for accesses to the | |
| 478 // global proxy (as opposed to using slow ICs). See corresponding code | |
| 479 // in LookupForRead(). | |
| 480 if (current_map->IsJSGlobalProxyMap()) { | |
| 481 __ CheckAccessGlobalProxy(reg, map_reg, scratch2, miss); | |
| 482 // Restore map_reg. | |
| 483 __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset)); | |
| 484 } else if (current_map->IsJSGlobalObjectMap()) { | |
| 485 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), | 486 GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), |
| 486 name, scratch2, miss); | 487 name, scratch2, miss); |
| 487 } | 488 } |
| 488 reg = holder_reg; // From now on the object will be in holder_reg. | 489 reg = holder_reg; // From now on the object will be in holder_reg. |
| 489 __ mov(reg, FieldOperand(map_reg, Map::kPrototypeOffset)); | 490 __ mov(reg, FieldOperand(map_reg, Map::kPrototypeOffset)); |
| 490 } | 491 } |
| 491 | 492 |
| 492 // Go to the next object in the prototype chain. | 493 // Go to the next object in the prototype chain. |
| 493 current = prototype; | 494 current = prototype; |
| 494 current_map = handle(current->map()); | 495 current_map = handle(current->map()); |
| 495 } | 496 } |
| 496 | 497 |
| 497 // Log the check depth. | 498 // Log the check depth. |
| 498 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); | 499 LOG(isolate(), IntEvent("check-maps-depth", depth + 1)); |
| 499 | 500 |
| 500 if (depth != 0 || check == CHECK_ALL_MAPS) { | 501 if (depth != 0 || check == CHECK_ALL_MAPS) { |
| 501 // Check the holder map. | 502 // Check the holder map. |
| 502 __ mov(scratch1, FieldOperand(reg, HeapObject::kMapOffset)); | 503 __ mov(scratch1, FieldOperand(reg, HeapObject::kMapOffset)); |
| 503 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); | 504 Handle<WeakCell> cell = Map::WeakCellForMap(current_map); |
| 504 __ CmpWeakValue(scratch1, cell, scratch2); | 505 __ CmpWeakValue(scratch1, cell, scratch2); |
| 505 __ j(not_equal, miss); | 506 __ j(not_equal, miss); |
| 506 } | 507 } |
| 507 | 508 |
| 508 // Perform security check for access to the global object. | |
| 509 DCHECK(current_map->IsJSGlobalProxyMap() || | |
| 510 !current_map->is_access_check_needed()); | |
| 511 if (current_map->IsJSGlobalProxyMap()) { | |
| 512 __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss); | |
| 513 } | |
| 514 | |
| 515 // Return the register containing the holder. | 509 // Return the register containing the holder. |
| 516 return reg; | 510 return reg; |
| 517 } | 511 } |
| 518 | 512 |
| 519 | 513 |
| 520 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { | 514 void NamedLoadHandlerCompiler::FrontendFooter(Handle<Name> name, Label* miss) { |
| 521 if (!miss->is_unused()) { | 515 if (!miss->is_unused()) { |
| 522 Label success; | 516 Label success; |
| 523 __ jmp(&success); | 517 __ jmp(&success); |
| 524 __ bind(miss); | 518 __ bind(miss); |
| (...skipping 247 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 772 // Return the generated code. | 766 // Return the generated code. |
| 773 return GetCode(kind(), Code::NORMAL, name); | 767 return GetCode(kind(), Code::NORMAL, name); |
| 774 } | 768 } |
| 775 | 769 |
| 776 | 770 |
| 777 #undef __ | 771 #undef __ |
| 778 } | 772 } |
| 779 } // namespace v8::internal | 773 } // namespace v8::internal |
| 780 | 774 |
| 781 #endif // V8_TARGET_ARCH_X87 | 775 #endif // V8_TARGET_ARCH_X87 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 964813002:
X87: Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master