Fix a potential crash bug in keyed calls for non-string keys.

BUG=v8:1146 Review URL: http://codereview.chromium.org/6517010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6773 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix a potential crash bug in keyed calls for non-string keys.
BUG=v8:1146 Review URL: http://codereview.chromium.org/6517010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6773 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
ad70b7de · fschneider@chromium.org · c73ce4f1 · ad70b7de · ad70b7de · ad70b7de
Commit ad70b7de authored Feb 14, 2011 by fschneider@chromium.org
8 changed files
--- a/src/arm/ic-arm.cc
+++ b/src/arm/ic-arm.cc
@@ -115,6 +115,9 @@ static void GenerateStringDictionaryProbes(MacroAssembler* masm,
                                           Register name,
                                           Register scratch1,
                                           Register scratch2) {
+  // Assert that name contains a string.
+  if (FLAG_debug_code) __ AbortIfNotString(name);
+
  // Compute the capacity mask.
  const int kCapacityOffset = StringDictionary::kHeaderSize +
      StringDictionary::kCapacityIndex * kPointerSize;
@@ -843,7 +846,14 @@ void KeyedCallIC::GenerateNormal(MacroAssembler* masm, int argc) {
  //  -- lr    : return address
  // -----------------------------------

+  // Check if the name is a string.
+  Label miss;
+  __ tst(r2, Operand(kSmiTagMask));
+  __ b(eq, &miss);
+  __ IsObjectJSStringType(r2, r0, &miss);
+
  GenerateCallNormal(masm, argc);
+  __ bind(&miss);
  GenerateMiss(masm, argc);
 }


--- a/src/arm/macro-assembler-arm.cc
+++ b/src/arm/macro-assembler-arm.cc
@@ -929,8 +929,8 @@ void MacroAssembler::IsInstanceJSObjectType(Register map,


 void MacroAssembler::IsObjectJSStringType(Register object,
-                                           Register scratch,
-                                           Label* fail) {
+                                          Register scratch,
+                                          Label* fail) {
  ASSERT(kNotStringTag != 0);

  ldr(scratch, FieldMemOperand(object, HeapObject::kMapOffset));
@@ -2122,6 +2122,19 @@ void MacroAssembler::AbortIfNotSmi(Register object) {
 }


+void MacroAssembler::AbortIfNotString(Register object) {
+  STATIC_ASSERT(kSmiTag == 0);
+  tst(object, Operand(kSmiTagMask));
+  Assert(ne, "Operand is not a string");
+  push(object);
+  ldr(object, FieldMemOperand(object, HeapObject::kMapOffset));
+  CompareInstanceType(object, object, FIRST_NONSTRING_TYPE);
+  pop(object);
+  Assert(lo, "Operand is not a string");
+}
+
+
+
 void MacroAssembler::AbortIfNotRootValue(Register src,
                                         Heap::RootListIndex root_value_index,
                                         const char* message) {

--- a/src/arm/macro-assembler-arm.h
+++ b/src/arm/macro-assembler-arm.h
@@ -791,6 +791,9 @@ class MacroAssembler: public Assembler {
  void AbortIfSmi(Register object);
  void AbortIfNotSmi(Register object);

+  // Abort execution if argument is a string. Used in debug code.
+  void AbortIfNotString(Register object);
+
  // Abort execution if argument is not the root value with the given index.
  void AbortIfNotRootValue(Register src,
                           Heap::RootListIndex root_value_index,

--- a/src/ia32/ic-ia32.cc
+++ b/src/ia32/ic-ia32.cc
@@ -108,6 +108,9 @@ static void GenerateStringDictionaryProbes(MacroAssembler* masm,
                                           Register name,
                                           Register r0,
                                           Register r1) {
+  // Assert that name contains a string.
+  if (FLAG_debug_code) __ AbortIfNotString(name);
+
  // Compute the capacity mask.
  const int kCapacityOffset =
      StringDictionary::kHeaderSize +
@@ -1208,7 +1211,14 @@ void KeyedCallIC::GenerateNormal(MacroAssembler* masm, int argc) {
  //  -- esp[(argc + 1) * 4] : receiver
  // -----------------------------------

+  // Check if the name is a string.
+  Label miss;
+  __ test(ecx, Immediate(kSmiTagMask));
+  __ j(zero, &miss);
+  Condition cond = masm->IsObjectStringType(ecx, eax, eax);
+  __ j(NegateCondition(cond), &miss);
  GenerateCallNormal(masm, argc);
+  __ bind(&miss);
  GenerateMiss(masm, argc);
 }


--- a/src/x64/ic-x64.cc
+++ b/src/x64/ic-x64.cc
@@ -108,6 +108,9 @@ static void GenerateStringDictionaryProbes(MacroAssembler* masm,
                                           Register name,
                                           Register r0,
                                           Register r1) {
+  // Assert that name contains a string.
+  if (FLAG_debug_code) __ AbortIfNotString(name);
+
  // Compute the capacity mask.
  const int kCapacityOffset =
      StringDictionary::kHeaderSize +
@@ -1233,7 +1236,13 @@ void KeyedCallIC::GenerateNormal(MacroAssembler* masm, int argc) {
  // rsp[(argc + 1) * 8]      : argument 0 = receiver
  // -----------------------------------

+  // Check if the name is a string.
+  Label miss;
+  __ JumpIfSmi(rcx, &miss);
+  Condition cond = masm->IsObjectStringType(rcx, rax, rax);
+  __ j(NegateCondition(cond), &miss);
  GenerateCallNormal(masm, argc);
+  __ bind(&miss);
  GenerateMiss(masm, argc);
 }


--- a/src/x64/macro-assembler-x64.cc
+++ b/src/x64/macro-assembler-x64.cc
@@ -1610,6 +1610,17 @@ void MacroAssembler::AbortIfNotSmi(Register object) {
 }


+void MacroAssembler::AbortIfNotString(Register object) {
+  testb(object, Immediate(kSmiTagMask));
+  Assert(not_equal, "Operand is not a string");
+  push(object);
+  movq(object, FieldOperand(object, HeapObject::kMapOffset));
+  CmpInstanceType(object, FIRST_NONSTRING_TYPE);
+  pop(object);
+  Assert(below, "Operand is not a string");
+}
+
+
 void MacroAssembler::AbortIfNotRootValue(Register src,
                                         Heap::RootListIndex root_value_index,
                                         const char* message) {

--- a/src/x64/macro-assembler-x64.h
+++ b/src/x64/macro-assembler-x64.h
@@ -661,6 +661,9 @@ class MacroAssembler: public Assembler {
  // Abort execution if argument is not a smi. Used in debug code.
  void AbortIfNotSmi(Register object);

+  // Abort execution if argument is a string. Used in debug code.
+  void AbortIfNotString(Register object);
+
  // Abort execution if argument is not the root value with the given index.
  void AbortIfNotRootValue(Register src,
                           Heap::RootListIndex root_value_index,

--- a/test/mjsunit/regress/regress-1146.js
+++ b/test/mjsunit/regress/regress-1146.js
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test keyed calls with different key types.
+function F() {}
+var a = new F();
+function f(i) { return a[i](); }
+
+a.first = function() { return 11; }
+a[0] = function() { return 22; }
+var obj = {};
+a[obj] = function() { return 33; }
+
+// Make object slow-case.
+a.foo = 0;
+delete a.foo;
+// Do multiple calls for IC transitions.
+var b = "first";
+f(b);
+f(b);
+
+assertEquals(11, f(b));
+assertEquals(22, f(0));
+assertEquals(33, f(obj));