Commit 98d8c9e4 authored by verwaest@chromium.org's avatar verwaest@chromium.org

Always check global property cells for readonliness before storing.

Add check when the global object is the last in the chain.

Review URL: https://chromiumcodereview.appspot.com/13730002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 36d3b1ef
...@@ -417,6 +417,26 @@ void StubCompiler::GenerateLoadFunctionPrototype(MacroAssembler* masm, ...@@ -417,6 +417,26 @@ void StubCompiler::GenerateLoadFunctionPrototype(MacroAssembler* masm,
} }
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
__ mov(scratch, Operand(cell));
__ ldr(scratch,
FieldMemOperand(scratch, JSGlobalPropertyCell::kValueOffset));
__ LoadRoot(ip, Heap::kTheHoleValueRootIndex);
__ cmp(scratch, ip);
__ b(ne, miss);
}
// Generate StoreField code, value is passed in r0 register. // Generate StoreField code, value is passed in r0 register.
// When leaving generated code after success, the receiver_reg and name_reg // When leaving generated code after success, the receiver_reg and name_reg
// may be clobbered. Upon branch to miss_label, the receiver and name // may be clobbered. Upon branch to miss_label, the receiver and name
...@@ -466,14 +486,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, ...@@ -466,14 +486,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
// If no property was found, and the holder (the last object in the // If no property was found, and the holder (the last object in the
// prototype chain) is in slow mode, we need to do a negative lookup on the // prototype chain) is in slow mode, we need to do a negative lookup on the
// holder. // holder.
if (lookup->holder() == *object && if (lookup->holder() == *object) {
!holder->HasFastProperties() && if (holder->IsJSGlobalObject()) {
!holder->IsJSGlobalProxy() && GenerateCheckPropertyCell(
!holder->IsJSGlobalObject()) { masm,
Handle<GlobalObject>(GlobalObject::cast(holder)),
name,
scratch1,
miss_restore_name);
} else if (!holder->HasFastProperties() && !holder->IsJSGlobalProxy()) {
GenerateDictionaryNegativeLookup( GenerateDictionaryNegativeLookup(
masm, miss_restore_name, holder_reg, name, scratch1, scratch2); masm, miss_restore_name, holder_reg, name, scratch1, scratch2);
} }
} }
}
// Stub never generated for non-global objects that require access // Stub never generated for non-global objects that require access
// checks. // checks.
...@@ -926,26 +952,6 @@ class CallInterceptorCompiler BASE_EMBEDDED { ...@@ -926,26 +952,6 @@ class CallInterceptorCompiler BASE_EMBEDDED {
}; };
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
__ mov(scratch, Operand(cell));
__ ldr(scratch,
FieldMemOperand(scratch, JSGlobalPropertyCell::kValueOffset));
__ LoadRoot(ip, Heap::kTheHoleValueRootIndex);
__ cmp(scratch, ip);
__ b(ne, miss);
}
// Calls GenerateCheckPropertyCell for each global object in the prototype chain // Calls GenerateCheckPropertyCell for each global object in the prototype chain
// from object to (but not including) holder. // from object to (but not including) holder.
static void GenerateCheckPropertyCells(MacroAssembler* masm, static void GenerateCheckPropertyCells(MacroAssembler* masm,
......
...@@ -726,6 +726,29 @@ void BaseStoreStubCompiler::GenerateRestoreName(MacroAssembler* masm, ...@@ -726,6 +726,29 @@ void BaseStoreStubCompiler::GenerateRestoreName(MacroAssembler* masm,
} }
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
Handle<Oddball> the_hole = masm->isolate()->factory()->the_hole_value();
if (Serializer::enabled()) {
__ mov(scratch, Immediate(cell));
__ cmp(FieldOperand(scratch, JSGlobalPropertyCell::kValueOffset),
Immediate(the_hole));
} else {
__ cmp(Operand::Cell(cell), Immediate(the_hole));
}
__ j(not_equal, miss);
}
// Both name_reg and receiver_reg are preserved on jumps to miss_label, // Both name_reg and receiver_reg are preserved on jumps to miss_label,
// but may be destroyed if store is successful. // but may be destroyed if store is successful.
void StubCompiler::GenerateStoreField(MacroAssembler* masm, void StubCompiler::GenerateStoreField(MacroAssembler* masm,
...@@ -771,14 +794,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, ...@@ -771,14 +794,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
// If no property was found, and the holder (the last object in the // If no property was found, and the holder (the last object in the
// prototype chain) is in slow mode, we need to do a negative lookup on the // prototype chain) is in slow mode, we need to do a negative lookup on the
// holder. // holder.
if (lookup->holder() == *object && if (lookup->holder() == *object) {
!holder->HasFastProperties() && if (holder->IsJSGlobalObject()) {
!holder->IsJSGlobalProxy() && GenerateCheckPropertyCell(
!holder->IsJSGlobalObject()) { masm,
Handle<GlobalObject>(GlobalObject::cast(holder)),
name,
scratch1,
miss_restore_name);
} else if (!holder->HasFastProperties() && !holder->IsJSGlobalProxy()) {
GenerateDictionaryNegativeLookup( GenerateDictionaryNegativeLookup(
masm, miss_restore_name, holder_reg, name, scratch1, scratch2); masm, miss_restore_name, holder_reg, name, scratch1, scratch2);
} }
} }
}
// Stub never generated for non-global objects that require access // Stub never generated for non-global objects that require access
// checks. // checks.
...@@ -864,29 +893,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, ...@@ -864,29 +893,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
} }
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
Handle<Oddball> the_hole = masm->isolate()->factory()->the_hole_value();
if (Serializer::enabled()) {
__ mov(scratch, Immediate(cell));
__ cmp(FieldOperand(scratch, JSGlobalPropertyCell::kValueOffset),
Immediate(the_hole));
} else {
__ cmp(Operand::Cell(cell), Immediate(the_hole));
}
__ j(not_equal, miss);
}
// Calls GenerateCheckPropertyCell for each global object in the prototype chain // Calls GenerateCheckPropertyCell for each global object in the prototype chain
// from object to (but not including) holder. // from object to (but not including) holder.
static void GenerateCheckPropertyCells(MacroAssembler* masm, static void GenerateCheckPropertyCells(MacroAssembler* masm,
......
...@@ -712,6 +712,24 @@ void BaseStoreStubCompiler::GenerateRestoreName(MacroAssembler* masm, ...@@ -712,6 +712,24 @@ void BaseStoreStubCompiler::GenerateRestoreName(MacroAssembler* masm,
} }
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
__ Move(scratch, cell);
__ Cmp(FieldOperand(scratch, JSGlobalPropertyCell::kValueOffset),
masm->isolate()->factory()->the_hole_value());
__ j(not_equal, miss);
}
// Both name_reg and receiver_reg are preserved on jumps to miss_label, // Both name_reg and receiver_reg are preserved on jumps to miss_label,
// but may be destroyed if store is successful. // but may be destroyed if store is successful.
void StubCompiler::GenerateStoreField(MacroAssembler* masm, void StubCompiler::GenerateStoreField(MacroAssembler* masm,
...@@ -756,14 +774,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, ...@@ -756,14 +774,20 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
// If no property was found, and the holder (the last object in the // If no property was found, and the holder (the last object in the
// prototype chain) is in slow mode, we need to do a negative lookup on the // prototype chain) is in slow mode, we need to do a negative lookup on the
// holder. // holder.
if (lookup->holder() == *object && if (lookup->holder() == *object) {
!holder->HasFastProperties() && if (holder->IsJSGlobalObject()) {
!holder->IsJSGlobalProxy() && GenerateCheckPropertyCell(
!holder->IsJSGlobalObject()) { masm,
Handle<GlobalObject>(GlobalObject::cast(holder)),
name,
scratch1,
miss_restore_name);
} else if (!holder->HasFastProperties() && !holder->IsJSGlobalProxy()) {
GenerateDictionaryNegativeLookup( GenerateDictionaryNegativeLookup(
masm, miss_restore_name, holder_reg, name, scratch1, scratch2); masm, miss_restore_name, holder_reg, name, scratch1, scratch2);
} }
} }
}
// Stub never generated for non-global objects that require access // Stub never generated for non-global objects that require access
// checks. // checks.
...@@ -842,24 +866,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm, ...@@ -842,24 +866,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
} }
// Generate code to check that a global property cell is empty. Create
// the property cell at compilation time if no cell exists for the
// property.
static void GenerateCheckPropertyCell(MacroAssembler* masm,
Handle<GlobalObject> global,
Handle<Name> name,
Register scratch,
Label* miss) {
Handle<JSGlobalPropertyCell> cell =
GlobalObject::EnsurePropertyCell(global, name);
ASSERT(cell->value()->IsTheHole());
__ Move(scratch, cell);
__ Cmp(FieldOperand(scratch, JSGlobalPropertyCell::kValueOffset),
masm->isolate()->factory()->the_hole_value());
__ j(not_equal, miss);
}
// Calls GenerateCheckPropertyCell for each global object in the prototype chain // Calls GenerateCheckPropertyCell for each global object in the prototype chain
// from object to (but not including) holder. // from object to (but not including) holder.
static void GenerateCheckPropertyCells(MacroAssembler* masm, static void GenerateCheckPropertyCells(MacroAssembler* masm,
......
// Copyright 2013 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
this.__proto__ = null;
this.x = 10;
delete this.x;
function s(v) {
return v.x = 1;
}
function s_strict(v) {
"use strict";
return v.x = 1;
}
function c() {
var o = {__proto__:this};
return o;
}
var o1 = c();
var o2 = c();
var o1_strict = c();
var o2_strict = c();
var o3 = c();
var o4 = c();
// Initialize the store IC.
s(o1);
s(o2);
s_strict(o1_strict);
s_strict(o2_strict);
Object.defineProperty(this, "x", {writable:false, configurable:true});
// Verify that directly setting x fails.
o3.x = 1;
assertEquals(undefined, o3.x);
// Verify that setting x through the IC fails.
assertThrows("s_strict(o4)", TypeError);
s(o4);
assertEquals(undefined, o4.x);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment