MIPS: Fix `[proxies] fix access issue when having proxies on the...

MIPS: Fix `[proxies] fix access issue when having proxies on the prototype-chain of global objects.` Port 2c75e3d2 Original commit message: We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). BUG= Review URL: https://codereview.chromium.org/1526253006 Cr-Commit-Position: refs/heads/master@{#32921}

MIPS: Fix `[proxies] fix access issue when having proxies on the...
MIPS: Fix `[proxies] fix access issue when having proxies on the prototype-chain of global objects.` Port 2c75e3d2 Original commit message: We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). BUG= Review URL: https://codereview.chromium.org/1526253006 Cr-Commit-Position: refs/heads/master@{#32921}
bc55af3c · balazs.kilvady · Commit bot · c36a1b97 · bc55af3c · bc55af3c
Commit bc55af3c authored Dec 16, 2015 by balazs.kilvady Committed by Commit bot Dec 16, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

lithium-codegen-mips.cc src/crankshaft/mips/lithium-codegen-mips.cc +11 -0

lithium-codegen-mips64.cc src/crankshaft/mips64/lithium-codegen-mips64.cc +9 -0

No files found.
--- a/src/crankshaft/mips/lithium-codegen-mips.cc
+++ b/src/crankshaft/mips/lithium-codegen-mips.cc
@@ -2546,14 +2546,25 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
    __ SmiTst(object, at);
    EmitFalseBranch(instr, eq, at, Operand(zero_reg));
  }
+
  // Loop through the {object}s prototype chain looking for the {prototype}.
  __ lw(object_map, FieldMemOperand(object, HeapObject::kMapOffset));
  Label loop;
  __ bind(&loop);
+
+  // Deoptimize if the object needs to be access checked.
+  __ lbu(object_instance_type,
+         FieldMemOperand(object_map, Map::kBitFieldOffset));
+  __ And(object_instance_type, object_instance_type,
+         Operand(1 << Map::kIsAccessCheckNeeded));
+  DeoptimizeIf(ne, instr, Deoptimizer::kAccessCheck, object_instance_type,
+               Operand(zero_reg));
+  // Deoptimize for proxies.
  __ lbu(object_instance_type,
         FieldMemOperand(object_map, Map::kInstanceTypeOffset));
  DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type,
               Operand(JS_PROXY_TYPE));
+
  __ lw(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset));
  EmitTrueBranch(instr, eq, object_prototype, Operand(prototype));
  __ LoadRoot(at, Heap::kNullValueRootIndex);

--- a/src/crankshaft/mips64/lithium-codegen-mips64.cc
+++ b/src/crankshaft/mips64/lithium-codegen-mips64.cc
@@ -2674,10 +2674,19 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
  __ ld(object_map, FieldMemOperand(object, HeapObject::kMapOffset));
  Label loop;
  __ bind(&loop);
+
+  // Deoptimize if the object needs to be access checked.
+  __ lbu(object_instance_type,
+         FieldMemOperand(object_map, Map::kBitFieldOffset));
+  __ And(object_instance_type, object_instance_type,
+         Operand(1 << Map::kIsAccessCheckNeeded));
+  DeoptimizeIf(ne, instr, Deoptimizer::kAccessCheck, object_instance_type,
+               Operand(zero_reg));
  __ lbu(object_instance_type,
         FieldMemOperand(object_map, Map::kInstanceTypeOffset));
  DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type,
               Operand(JS_PROXY_TYPE));
+
  __ ld(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset));
  EmitTrueBranch(instr, eq, object_prototype, Operand(prototype));
  __ LoadRoot(at, Heap::kNullValueRootIndex);