Only dynamically perform access checks on the receiver if it's a...

Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing the map of the JSGlobalProxy. BUG= Review URL: https://codereview.chromium.org/958843002 Cr-Commit-Position: refs/heads/master@{#26875}

Only dynamically perform access checks on the receiver if it's a...
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing the map of the JSGlobalProxy. BUG= Review URL: https://codereview.chromium.org/958843002 Cr-Commit-Position: refs/heads/master@{#26875}
e9cdcb71 · verwaest · Commit bot · b5fc4b80 · e9cdcb71 · e9cdcb71
Commit e9cdcb71 authored Feb 26, 2015 by verwaest Committed by Commit bot Feb 26, 2015
4 changed files
--- a/src/ic/arm/handler-compiler-arm.cc
+++ b/src/ic/arm/handler-compiler-arm.cc
@@ -428,6 +428,17 @@ Register PropertyHandlerCompiler::CheckPrototypes(
  if (receiver_map->IsJSGlobalObjectMap()) {
    current = isolate()->global_object();
  }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    __ CheckAccessGlobalProxy(reg, scratch2, miss);
+  }
+
  Handle<JSObject> prototype = Handle<JSObject>::null();
  Handle<Map> current_map = receiver_map;
  Handle<Map> holder_map(holder()->map());
@@ -468,15 +479,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
        __ b(ne, miss);
      }

-      // Check access rights to the global object.  This has to happen after
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
-      // global proxy (as opposed to using slow ICs). See corresponding code
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        __ CheckAccessGlobalProxy(reg, scratch2, miss);
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
        GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                  name, scratch2, miss);
      }
@@ -502,13 +505,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
    __ b(ne, miss);
  }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, miss);
-  }
-
  // Return the register containing the holder.
  return reg;
 }

--- a/src/ic/arm64/handler-compiler-arm64.cc
+++ b/src/ic/arm64/handler-compiler-arm64.cc
@@ -477,6 +477,18 @@ Register PropertyHandlerCompiler::CheckPrototypes(
  if (receiver_map->IsJSGlobalObjectMap()) {
    current = isolate()->global_object();
  }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    UseScratchRegisterScope temps(masm());
+    __ CheckAccessGlobalProxy(reg, scratch2, temps.AcquireX(), miss);
+  }
+
  Handle<JSObject> prototype = Handle<JSObject>::null();
  Handle<Map> current_map = receiver_map;
  Handle<Map> holder_map(holder()->map());
@@ -517,16 +529,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
        __ B(ne, miss);
      }

-      // Check access rights to the global object.  This has to happen after
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
-      // global proxy (as opposed to using slow ICs). See corresponding code
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        UseScratchRegisterScope temps(masm());
-        __ CheckAccessGlobalProxy(reg, scratch2, temps.AcquireX(), miss);
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
        GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                  name, scratch2, miss);
      }
@@ -553,13 +556,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
    __ B(ne, miss);
  }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss);
-  }
-
  // Return the register containing the holder.
  return reg;
 }

--- a/src/ic/ia32/handler-compiler-ia32.cc
+++ b/src/ic/ia32/handler-compiler-ia32.cc
@@ -431,6 +431,17 @@ Register PropertyHandlerCompiler::CheckPrototypes(
  if (receiver_map->IsJSGlobalObjectMap()) {
    current = isolate()->global_object();
  }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss);
+  }
+
  Handle<JSObject> prototype = Handle<JSObject>::null();
  Handle<Map> current_map = receiver_map;
  Handle<Map> holder_map(holder()->map());
@@ -471,17 +482,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
        __ j(not_equal, miss);
      }

-      // Check access rights to the global object.  This has to happen after
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
-      // global proxy (as opposed to using slow ICs). See corresponding code
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        __ CheckAccessGlobalProxy(reg, map_reg, scratch2, miss);
-        // Restore map_reg.
-        __ mov(map_reg, FieldOperand(reg, HeapObject::kMapOffset));
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
        GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                  name, scratch2, miss);
      }
@@ -505,13 +506,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
    __ j(not_equal, miss);
  }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, scratch2, miss);
-  }
-
  // Return the register containing the holder.
  return reg;
 }

--- a/src/ic/x64/handler-compiler-x64.cc
+++ b/src/ic/x64/handler-compiler-x64.cc
@@ -431,6 +431,17 @@ Register PropertyHandlerCompiler::CheckPrototypes(
  if (receiver_map->IsJSGlobalObjectMap()) {
    current = isolate()->global_object();
  }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    __ CheckAccessGlobalProxy(reg, scratch2, miss);
+  }
+
  Handle<JSObject> prototype = Handle<JSObject>::null();
  Handle<Map> current_map = receiver_map;
  Handle<Map> holder_map(holder()->map());
@@ -472,15 +483,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
        __ j(not_equal, miss);
      }

-      // Check access rights to the global object.  This has to happen after
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
-      // global proxy (as opposed to using slow ICs). See corresponding code
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        __ CheckAccessGlobalProxy(reg, scratch2, miss);
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
        GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current),
                                  name, scratch2, miss);
      }
@@ -504,13 +507,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
    __ j(not_equal, miss);
  }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, miss);
-  }
-
  // Return the register containing the holder.
  return reg;
 }