Commit bc55af3c authored by balazs.kilvady, committed by Commit bot

MIPS: Fix `[proxies] fix access issue when having proxies on the...

MIPS: Fix `[proxies] fix access issue when having proxies on the prototype-chain of global objects.`

Port 2c75e3d2

Original commit message:
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1526253006

Cr-Commit-Position: refs/heads/master@{#32921}
parent c36a1b97
...@@ -2546,14 +2546,25 @@ void LCodeGen::DoHasInPrototypeChainAndBranch( ...@@ -2546,14 +2546,25 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
__ SmiTst(object, at); __ SmiTst(object, at);
EmitFalseBranch(instr, eq, at, Operand(zero_reg)); EmitFalseBranch(instr, eq, at, Operand(zero_reg));
} }
// Loop through the {object}s prototype chain looking for the {prototype}. // Loop through the {object}s prototype chain looking for the {prototype}.
__ lw(object_map, FieldMemOperand(object, HeapObject::kMapOffset)); __ lw(object_map, FieldMemOperand(object, HeapObject::kMapOffset));
Label loop; Label loop;
__ bind(&loop); __ bind(&loop);
// Deoptimize if the object needs to be access checked.
__ lbu(object_instance_type,
FieldMemOperand(object_map, Map::kBitFieldOffset));
__ And(object_instance_type, object_instance_type,
Operand(1 << Map::kIsAccessCheckNeeded));
DeoptimizeIf(ne, instr, Deoptimizer::kAccessCheck, object_instance_type,
Operand(zero_reg));
// Deoptimize for proxies.
__ lbu(object_instance_type, __ lbu(object_instance_type,
FieldMemOperand(object_map, Map::kInstanceTypeOffset)); FieldMemOperand(object_map, Map::kInstanceTypeOffset));
DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type, DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type,
Operand(JS_PROXY_TYPE)); Operand(JS_PROXY_TYPE));
__ lw(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset)); __ lw(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset));
EmitTrueBranch(instr, eq, object_prototype, Operand(prototype)); EmitTrueBranch(instr, eq, object_prototype, Operand(prototype));
__ LoadRoot(at, Heap::kNullValueRootIndex); __ LoadRoot(at, Heap::kNullValueRootIndex);
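Review bot: The new access-check guard at the top of the loop body (the `lbu` of `Map::kBitFieldOffset` through `DeoptimizeIf(ne, …, Deoptimizer::kAccessCheck, …)`) is commented with what it does but not why, and the why is the security point of this port: per the commit message, reading the prototype of an object whose map has `kIsAccessCheckNeeded` set is how cross-realm code was reached without an access check. I would replace the comment with `// Never walk past an access-checked object (e.g. a global whose prototype chain holds a proxy): deoptimize so the runtime performs the full access check.` Placing the check after `bind(&loop)` and before the `Map::kPrototypeOffset` load is the right order, since every object on the chain is tested before its prototype is read, not only the receiver; the loop's back edge that reloads `object_map` is outside this hunk, so I could not confirm from here that nothing bypasses the check on later iterations. DoHasInPrototypeChainAndBranch starts and ends outside the hunk.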
......
...@@ -2674,10 +2674,19 @@ void LCodeGen::DoHasInPrototypeChainAndBranch( ...@@ -2674,10 +2674,19 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
__ ld(object_map, FieldMemOperand(object, HeapObject::kMapOffset)); __ ld(object_map, FieldMemOperand(object, HeapObject::kMapOffset));
Label loop; Label loop;
__ bind(&loop); __ bind(&loop);
// Deoptimize if the object needs to be access checked.
__ lbu(object_instance_type,
FieldMemOperand(object_map, Map::kBitFieldOffset));
__ And(object_instance_type, object_instance_type,
Operand(1 << Map::kIsAccessCheckNeeded));
DeoptimizeIf(ne, instr, Deoptimizer::kAccessCheck, object_instance_type,
Operand(zero_reg));
__ lbu(object_instance_type, __ lbu(object_instance_type,
FieldMemOperand(object_map, Map::kInstanceTypeOffset)); FieldMemOperand(object_map, Map::kInstanceTypeOffset));
DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type, DeoptimizeIf(eq, instr, Deoptimizer::kProxy, object_instance_type,
Operand(JS_PROXY_TYPE)); Operand(JS_PROXY_TYPE));
__ ld(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset)); __ ld(object_prototype, FieldMemOperand(object_map, Map::kPrototypeOffset));
EmitTrueBranch(instr, eq, object_prototype, Operand(prototype)); EmitTrueBranch(instr, eq, object_prototype, Operand(prototype));
__ LoadRoot(at, Heap::kNullValueRootIndex); __ LoadRoot(at, Heap::kNullValueRootIndex);
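Review bot: This mips64 hunk omits the `// Deoptimize for proxies.` comment that the mips32 port places before the `Map::kInstanceTypeOffset` load, so the two back-to-back `DeoptimizeIf` checks read as one unit here; add `// Deoptimize for proxies.` above the `lbu` of the instance type to keep the two ports consistent. The access-check comment above it would also benefit from stating the reason rather than the mechanics: `// Never walk past an access-checked object: deoptimize so the runtime performs the full access check.` As in the mips32 port, the check sits after `bind(&loop)` and before the prototype load, so each object on the chain is tested before its prototype is read. DoHasInPrototypeChainAndBranch starts and ends outside the hunk.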
......