[v8-dev] MIPS: Only dynamically perform access checks on the receiver if it's a JSGlobalProxy. (issue 958923002 by [email protected])

Thu, 26 Feb 2015 05:29:40 -0800

Reviewers: danno, Toon Verwaest, paul.l..., akos.palfi.imgtec, gergely.kis.imgtec, dusmil.imgtec, 

Description:
MIPS: Only dynamically perform access checks on the receiver if it's a
JSGlobalProxy.

Port e9cdcb71743200e7dd18b0be62f764aa53729c63

Original commit message:
Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing 
the map of the JSGlobalProxy.

BUG=

Please review this at https://codereview.chromium.org/958923002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+24, -32 lines):
  M src/ic/mips/handler-compiler-mips.cc
  M src/ic/mips64/handler-compiler-mips64.cc


Index: src/ic/mips/handler-compiler-mips.cc
diff --git a/src/ic/mips/handler-compiler-mips.cc b/src/ic/mips/handler-compiler-mips.cc index 93106ea0e15c8f0d6ac3f069c89938bed190d752..4f22c19581f7f7f32b35831849525e16703d8219 100644 
--- a/src/ic/mips/handler-compiler-mips.cc
+++ b/src/ic/mips/handler-compiler-mips.cc
@@ -418,6 +418,17 @@ Register PropertyHandlerCompiler::CheckPrototypes(
   if (receiver_map->IsJSGlobalObjectMap()) {
     current = isolate()->global_object();
   }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    __ CheckAccessGlobalProxy(reg, scratch2, miss);
+  }
+
   Handle<JSObject> prototype = Handle<JSObject>::null();
   Handle<Map> current_map = receiver_map;
   Handle<Map> holder_map(holder()->map());
@@ -458,15 +469,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
         __ Branch(miss, ne, scratch2, Operand(map_reg));
       }
- // Check access rights to the global object. This has to happen after 
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
- // global proxy (as opposed to using slow ICs). See corresponding code 
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        __ CheckAccessGlobalProxy(reg, scratch2, miss);
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), 
                                   name, scratch2, miss);
       }
@@ -492,13 +495,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
     __ Branch(miss, ne, scratch2, Operand(scratch1));
   }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, miss);
-  }
-
   // Return the register containing the holder.
   return reg;
 }
Index: src/ic/mips64/handler-compiler-mips64.cc
diff --git a/src/ic/mips64/handler-compiler-mips64.cc b/src/ic/mips64/handler-compiler-mips64.cc index a68a418fa2795ddee817c301d1c15e3bcfbd7c88..52204dd563355e139969bdb6d2e46a989ba74749 100644 
--- a/src/ic/mips64/handler-compiler-mips64.cc
+++ b/src/ic/mips64/handler-compiler-mips64.cc
@@ -419,6 +419,17 @@ Register PropertyHandlerCompiler::CheckPrototypes(
   if (receiver_map->IsJSGlobalObjectMap()) {
     current = isolate()->global_object();
   }
+
+  // Check access rights to the global object.  This has to happen after
+  // the map check so that we know that the object is actually a global
+  // object.
+  // This allows us to install generated handlers for accesses to the
+  // global proxy (as opposed to using slow ICs). See corresponding code
+  // in LookupForRead().
+  if (receiver_map->IsJSGlobalProxyMap()) {
+    __ CheckAccessGlobalProxy(reg, scratch2, miss);
+  }
+
   Handle<JSObject> prototype = Handle<JSObject>::null();
   Handle<Map> current_map = receiver_map;
   Handle<Map> holder_map(holder()->map());
@@ -459,15 +470,7 @@ Register PropertyHandlerCompiler::CheckPrototypes(
         __ Branch(miss, ne, scratch2, Operand(map_reg));
       }
- // Check access rights to the global object. This has to happen after 
-      // the map check so that we know that the object is actually a global
-      // object.
-      // This allows us to install generated handlers for accesses to the
- // global proxy (as opposed to using slow ICs). See corresponding code 
-      // in LookupForRead().
-      if (current_map->IsJSGlobalProxyMap()) {
-        __ CheckAccessGlobalProxy(reg, scratch2, miss);
-      } else if (current_map->IsJSGlobalObjectMap()) {
+      if (current_map->IsJSGlobalObjectMap()) {
GenerateCheckPropertyCell(masm(), Handle<JSGlobalObject>::cast(current), 
                                   name, scratch2, miss);
       }
@@ -493,13 +496,6 @@ Register PropertyHandlerCompiler::CheckPrototypes(
     __ Branch(miss, ne, scratch2, Operand(scratch1));
   }

-  // Perform security check for access to the global object.
-  DCHECK(current_map->IsJSGlobalProxyMap() ||
-         !current_map->is_access_check_needed());
-  if (current_map->IsJSGlobalProxyMap()) {
-    __ CheckAccessGlobalProxy(reg, scratch1, miss);
-  }
-
   // Return the register containing the holder.
   return reg;
 }


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to