X87: [proxies] fix access issue when having proxies on the prototype-chain of global objects.

port 2c75e3d2 (r32903) original commit message: We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). BUG= Review URL: https://codereview.chromium.org/1534663002 Cr-Commit-Position: refs/heads/master@{#32924}

X87: [proxies] fix access issue when having proxies on the prototype-chain of global objects.
port 2c75e3d2 (r32903) original commit message: We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). BUG= Review URL: https://codereview.chromium.org/1534663002 Cr-Commit-Position: refs/heads/master@{#32924}
e0a3ff0f · zhengxing.li · Commit bot · 23384259 · e0a3ff0f · e0a3ff0f
Commit e0a3ff0f authored Dec 17, 2015 by zhengxing.li Committed by Commit bot Dec 17, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

lithium-codegen-x87.cc src/crankshaft/x87/lithium-codegen-x87.cc +7 -0

code-stubs-x87.cc src/x87/code-stubs-x87.cc +4 -1

No files found.
--- a/src/crankshaft/x87/lithium-codegen-x87.cc
+++ b/src/crankshaft/x87/lithium-codegen-x87.cc
@@ -2823,8 +2823,15 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
  __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
  Label loop;
  __ bind(&loop);
+
+  // Deoptimize if the object needs to be access checked.
+  __ test_b(FieldOperand(object_map, Map::kBitFieldOffset),
+            1 << Map::kIsAccessCheckNeeded);
+  DeoptimizeIf(not_zero, instr, Deoptimizer::kAccessCheck);
+  // Deoptimize for proxies.
  __ CmpInstanceType(object_map, JS_PROXY_TYPE);
  DeoptimizeIf(equal, instr, Deoptimizer::kProxy);
+
  __ mov(object_prototype, FieldOperand(object_map, Map::kPrototypeOffset));
  __ cmp(object_prototype, prototype);
  EmitTrueBranch(instr, equal);

--- a/src/x87/code-stubs-x87.cc
+++ b/src/x87/code-stubs-x87.cc
@@ -2280,19 +2280,22 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
  __ mov(eax, isolate()->factory()->true_value());
  __ bind(&loop);

+  // Check if the object needs to be access checked.
  __ test_b(FieldOperand(object_map, Map::kBitFieldOffset),
            1 << Map::kIsAccessCheckNeeded);
  __ j(not_zero, &fast_runtime_fallback, Label::kNear);
+  // Check if the current object is a Proxy.
  __ CmpInstanceType(object_map, JS_PROXY_TYPE);
  __ j(equal, &fast_runtime_fallback, Label::kNear);

  __ mov(object, FieldOperand(object_map, Map::kPrototypeOffset));
  __ cmp(object, function_prototype);
  __ j(equal, &done, Label::kNear);
-  __ cmp(object, isolate()->factory()->null_value());
  __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
+  __ cmp(object, isolate()->factory()->null_value());
  __ j(not_equal, &loop);
  __ mov(eax, isolate()->factory()->false_value());
+
  __ bind(&done);
  __ StoreRoot(eax, scratch, Heap::kInstanceofCacheAnswerRootIndex);
  __ ret(0);