Commit 6f52dfd7 authored by Toon Verwaest's avatar Toon Verwaest Committed by Commit Bot

[ic] Fix 'prototype chain checks' where the holder is the receiver

We use LoadFromPrototype also for direct global loads. InitPrototypeChecks did not support this though, and would create a prototype chain check for objects beyond the direct global. This tries to ensure the property on the global itself doesn't exist, which is invalid.

Additionally this CL deletes duplicate code.

BUG=chromium:702798,v8:5561

Change-Id: I318a5b6cd5f7c3efdb3a003e34edd37d5d3f880b
Reviewed-on: https://chromium-review.googlesource.com/457369
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43935}
parent cb903e31
...@@ -870,9 +870,7 @@ template <bool fill_array = true> ...@@ -870,9 +870,7 @@ template <bool fill_array = true>
int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map, int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map,
Handle<JSObject> holder, Handle<Name> name, Handle<JSObject> holder, Handle<Name> name,
Handle<FixedArray> array, int first_index) { Handle<FixedArray> array, int first_index) {
// We don't encode the requirement to check access rights because we already if (!holder.is_null() && holder->map() == *receiver_map) return 0;
// passed the access check for current native context and the access
// can't be revoked.
HandleScope scope(isolate); HandleScope scope(isolate);
int checks_count = 0; int checks_count = 0;
...@@ -891,8 +889,7 @@ int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map, ...@@ -891,8 +889,7 @@ int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map,
} }
checks_count++; checks_count++;
} else if (receiver_map->IsJSGlobalObjectMap() && } else if (receiver_map->IsJSGlobalObjectMap()) {
(holder.is_null() || holder->map() != *receiver_map)) {
// If we are creating a handler for [Load/Store]GlobalIC then we need to // If we are creating a handler for [Load/Store]GlobalIC then we need to
// check that the property did not appear in the global object. // check that the property did not appear in the global object.
if (fill_array) { if (fill_array) {
...@@ -1294,26 +1291,6 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) { ...@@ -1294,26 +1291,6 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
return slow_stub(); return slow_stub();
} }
if (!holder->HasFastProperties()) {
// Global loads always need the extended data handler since it embeds
// the PropertyCell.
if (receiver_is_holder && !holder->IsJSGlobalObject()) {
TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
return LoadHandler::LoadNormal(isolate());
}
Handle<Smi> smi_handler;
if (holder->IsJSGlobalObject()) {
TRACE_HANDLER_STATS(isolate(), LoadIC_LoadGlobalFromPrototypeDH);
smi_handler = LoadHandler::LoadGlobal(isolate());
} else {
TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
smi_handler = LoadHandler::LoadNormal(isolate());
}
return LoadFromPrototype(map, holder, lookup->name(), smi_handler);
}
Handle<Object> getter(AccessorPair::cast(*accessors)->getter(), Handle<Object> getter(AccessorPair::cast(*accessors)->getter(),
isolate()); isolate());
if (getter->IsJSFunction()) { if (getter->IsJSFunction()) {
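Review bot: The new early return at the top of InitPrototypeChecks (first hunk) decides "holder is the receiver" from map equality rather than object identity, and nothing on that line says why that is sufficient given that distinct objects can share a map; since the function only receives receiver_map this looks like the intended proxy, and a one-line comment should say so, e.g. `// A holder with the receiver's map is the receiver itself: there is no prototype chain to validate, so no checks are emitted.` The return also happens before the HandleScope and before anything is written to `array`, so with fill_array the array is left untouched when 0 is returned — worth stating in the function's header comment, which lies outside this hunk. In the second hunk the `else if (receiver_map->IsJSGlobalObjectMap())` branch keeps the old [Load/Store]GlobalIC comment but now silently depends on the early return for "holder is not the global"; a short cross-reference there (`// holder != receiver is guaranteed by the early return above.`) keeps the two sites in sync. The third hunk only removes lines and its enclosing function starts outside the hunk, so nothing to add there.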
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Access any property that's also available on the global of the other realm.
__defineGetter__("Object", ()=>0);
__proto__ = Realm.global(Realm.create());
Object;
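Review bot: The regression test evaluates `Object;` and discards the result, so it passes as long as the load no longer trips the invalid prototype check, but it would also pass if the IC resolved to the other realm's Object instead of the own getter's 0. Pinning the value with `assertEquals(0, Object);` makes the expected outcome explicit; that assumes the mjsunit harness is available, which the file path (not visible here) should confirm.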