Commit 6cb999b9 authored by Igor Sheludko's avatar Igor Sheludko Committed by Commit Bot

[ic] Properly handle loads from global interceptor via prototype chain.

... when receiver is in dictionary mode.

Bug: v8:6490
Change-Id: Ic5a8d214adcc4efd4cb163cbc6b351c4e6b596af
Reviewed-on: https://chromium-review.googlesource.com/559548
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46428}
parent c4f6f3e5
...@@ -13,6 +13,11 @@ ...@@ -13,6 +13,11 @@
namespace v8 { namespace v8 {
namespace internal { namespace internal {
// Decodes kind from Smi-handler.
LoadHandler::Kind LoadHandler::GetHandlerKind(Smi* smi_handler) {
return KindBits::decode(smi_handler->value());
}
Handle<Smi> LoadHandler::LoadNormal(Isolate* isolate) { Handle<Smi> LoadHandler::LoadNormal(Isolate* isolate) {
int config = KindBits::encode(kNormal); int config = KindBits::encode(kNormal);
return handle(Smi::FromInt(config), isolate); return handle(Smi::FromInt(config), isolate);
......
...@@ -90,6 +90,9 @@ class LoadHandler { ...@@ -90,6 +90,9 @@ class LoadHandler {
static const int kHolderCellIndex = 2; static const int kHolderCellIndex = 2;
static const int kFirstPrototypeIndex = 3; static const int kFirstPrototypeIndex = 3;
// Decodes kind from Smi-handler.
static inline Kind GetHandlerKind(Smi* smi_handler);
// Creates a Smi-handler for loading a property from a slow object. // Creates a Smi-handler for loading a property from a slow object.
static inline Handle<Smi> LoadNormal(Isolate* isolate); static inline Handle<Smi> LoadNormal(Isolate* isolate);
......
...@@ -852,10 +852,15 @@ int GetPrototypeCheckCount(Isolate* isolate, Handle<Map> receiver_map, ...@@ -852,10 +852,15 @@ int GetPrototypeCheckCount(Isolate* isolate, Handle<Map> receiver_map,
Handle<FixedArray>(), 0); Handle<FixedArray>(), 0);
} }
enum class HolderCellRequest {
kGlobalPropertyCell,
kHolder,
};
Handle<WeakCell> HolderCell(Isolate* isolate, Handle<JSObject> holder, Handle<WeakCell> HolderCell(Isolate* isolate, Handle<JSObject> holder,
Handle<Name> name, Handle<Smi> smi_handler) { Handle<Name> name, HolderCellRequest request) {
if (holder->IsJSGlobalObject() && if (request == HolderCellRequest::kGlobalPropertyCell) {
*smi_handler != *LoadHandler::LoadInterceptor(isolate)) { DCHECK(holder->IsJSGlobalObject());
Handle<JSGlobalObject> global = Handle<JSGlobalObject>::cast(holder); Handle<JSGlobalObject> global = Handle<JSGlobalObject>::cast(holder);
GlobalDictionary* dict = global->global_dictionary(); GlobalDictionary* dict = global->global_dictionary();
int number = dict->FindEntry(name); int number = dict->FindEntry(name);
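Review bot: `HolderCellRequest` is introduced without a comment saying who chooses the request and what each value makes HolderCell return, so a reader has to go to the LoadFromPrototype call site to learn that kGlobalPropertyCell is tied to the kGlobal handler kind. A short comment above the enum, such as `// Selects what HolderCell returns: the global object's PropertyCell for |name| (kGlobalPropertyCell), or a cell for the holder itself (kHolder).`, keeps the contract local; the kHolder path is outside the hunk, so that wording should be confirmed against it. The `DCHECK(holder->IsJSGlobalObject())` only guards debug builds, so in release the `Handle<JSGlobalObject>::cast(holder)` below it relies entirely on the caller deriving the request from the handler kind, which is worth stating in the same comment. HolderCell's body continues past the end of the hunk.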
...@@ -891,8 +896,14 @@ Handle<Object> LoadIC::LoadFromPrototype(Handle<Map> receiver_map, ...@@ -891,8 +896,14 @@ Handle<Object> LoadIC::LoadFromPrototype(Handle<Map> receiver_map,
Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate()); Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate());
DCHECK(!validity_cell.is_null()); DCHECK(!validity_cell.is_null());
Handle<WeakCell> holder_cell = // LoadIC dispatcher expects PropertyCell as a "holder" in case of kGlobal
HolderCell(isolate(), holder, name, smi_handler); // handler kind.
HolderCellRequest request =
LoadHandler::GetHandlerKind(*smi_handler) == LoadHandler::kGlobal
? HolderCellRequest::kGlobalPropertyCell
: HolderCellRequest::kHolder;
Handle<WeakCell> holder_cell = HolderCell(isolate(), holder, name, request);
if (checks_count == 0) { if (checks_count == 0) {
return isolate()->factory()->NewTuple3(holder_cell, smi_handler, return isolate()->factory()->NewTuple3(holder_cell, smi_handler,
......
...@@ -1383,6 +1383,41 @@ THREADED_TEST(InterceptorLoadGlobalICGlobalWithInterceptor) { ...@@ -1383,6 +1383,41 @@ THREADED_TEST(InterceptorLoadGlobalICGlobalWithInterceptor) {
CHECK(value->BooleanValue(context.local()).FromJust()); CHECK(value->BooleanValue(context.local()).FromJust());
} }
// Test load of a non-existing global through prototype chain when a global
// object has an interceptor.
THREADED_TEST(InterceptorLoadICGlobalWithInterceptor) {
i::FLAG_allow_natives_syntax = true;
v8::Isolate* isolate = CcTest::isolate();
v8::HandleScope scope(isolate);
v8::Local<v8::ObjectTemplate> templ_global = v8::ObjectTemplate::New(isolate);
templ_global->SetHandler(v8::NamedPropertyHandlerConfiguration(
GenericInterceptorGetter, GenericInterceptorSetter));
LocalContext context(nullptr, templ_global);
i::Handle<i::JSReceiver> global_proxy =
v8::Utils::OpenHandle<Object, i::JSReceiver>(context->Global());
CHECK(global_proxy->IsJSGlobalProxy());
i::Handle<i::JSGlobalObject> global(
i::JSGlobalObject::cast(global_proxy->map()->prototype()));
CHECK(global->map()->has_named_interceptor());
ExpectInt32(
"(function() {"
" var f = function(obj) { "
" return obj.foo;"
" };"
" var obj = { __proto__: this, _str_foo: 42 };"
" for (var i = 0; i < 1500; i++) obj['p' + i] = 0;"
" /* Ensure that |obj| is in dictionary mode. */"
" if (%HasFastProperties(obj)) return -1;"
" for (var i = 0; i < 3; i++) {"
" f(obj);"
" };"
" return f(obj);"
"})();",
42);
}
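Review bot: The new test's name `InterceptorLoadICGlobalWithInterceptor` differs from the existing `InterceptorLoadGlobalICGlobalWithInterceptor` directly above it by a single word, which hides what is actually new here: the receiver is a dictionary-mode object whose prototype is the global. A name such as `InterceptorLoadICGlobalWithInterceptorDictionaryModeReceiver`, together with a header comment `// Test load of a non-existing global through the prototype chain when the global object has an interceptor and the receiver is in dictionary mode.`, would tie the test to the case the commit fixes. `i::FLAG_allow_natives_syntax = true;` at the top is a process-wide setting that the test never restores; if no surrounding fixture resets it, later tests in the same binary run with natives syntax enabled, so saving the previous value in a local and restoring it at the end of the test is cheap insurance. The `_str_foo: 42` property only satisfies `obj.foo` if GenericInterceptorGetter maps names that way, which is defined outside this hunk.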
static void InterceptorLoadICGetter0( static void InterceptorLoadICGetter0(
Local<Name> name, const v8::PropertyCallbackInfo<v8::Value>& info) { Local<Name> name, const v8::PropertyCallbackInfo<v8::Value>& info) {
ApiTestFuzzer::Fuzz(); ApiTestFuzzer::Fuzz();
......