Reviewers: arv, rossberg,
Message:
PTAL: emergency fix for Array subclassing.
I will take a stab at a proper fix on Monday. It might actually be possible to make a proper fix non-invasive.
Description:
Disallow subclassing Arrays.
[email protected],[email protected]
BUG=v8:3930
LOG=Y
Please review this at https://codereview.chromium.org/962263002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+73, -1 lines):
M src/arm/builtins-arm.cc
M src/arm/code-stubs-arm.cc
M src/arm64/builtins-arm64.cc
M src/arm64/code-stubs-arm64.cc
M src/ia32/builtins-ia32.cc
M src/ia32/code-stubs-ia32.cc
M src/messages.js
M src/mips/builtins-mips.cc
M src/mips/code-stubs-mips.cc
M src/mips64/builtins-mips64.cc
M src/mips64/code-stubs-mips64.cc
M src/runtime/runtime.h
M src/runtime/runtime-classes.cc
M src/x64/builtins-x64.cc
M src/x64/code-stubs-x64.cc
Index: src/arm/builtins-arm.cc
diff --git a/src/arm/builtins-arm.cc b/src/arm/builtins-arm.cc
index
ba92ff8e34f326c483d710f4d6f16482e343e746..d13d4ffa25fd2a054ffe3835dbdf487932dc77ff
100644
--- a/src/arm/builtins-arm.cc
+++ b/src/arm/builtins-arm.cc
@@ -129,6 +129,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm)
{
__ Assert(eq, kUnexpectedInitialMapForArrayFunction);
}
+ __ mov(r3, r1);
// Run the native code for the Array function called as a normal
function.
// tail call a stub
__ LoadRoot(r2, Heap::kUndefinedValueRootIndex);
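Review bot: The new `__ mov(r3, r1);` is not explained, and it sits above the "Run the native code…" comment that introduces the stub-argument setup, so it reads as unrelated to the `LoadRoot` of r2 that follows. Suggest `// r3: original constructor. Equal to r1 here because Array is being called directly, not through a derived constructor.` on the line before the move, and placing the move next to the `LoadRoot` it belongs with. The same uncommented move appears in the arm64, ia32, mips, mips64 and x64 Generate_ArrayCode hunks and in each port's CallIC_ArrayStub hunk. Generate_ArrayCode continues outside this hunk on every port.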
Index: src/arm/code-stubs-arm.cc
diff --git a/src/arm/code-stubs-arm.cc b/src/arm/code-stubs-arm.cc
index
ad04cb5454adff449c9d3236ce65ae0aa80330a7..56a93274abe130fe453cd2ac1ec57f30f8184d13
100644
--- a/src/arm/code-stubs-arm.cc
+++ b/src/arm/code-stubs-arm.cc
@@ -2663,6 +2663,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
__ b(ne, &miss);
__ mov(r2, r4);
+ __ mov(r3, r1);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -4573,6 +4574,7 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- r0 : argc (only if argument_count() == ANY)
// -- r1 : constructor
// -- r2 : AllocationSite or undefined
+ // -- r3 : original constructor
// -- sp[0] : return address
// -- sp[4] : last argument
// -----------------------------------
@@ -4593,6 +4595,10 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ AssertUndefinedOrAllocationSite(r2, r4);
}
+ Label subclassing;
+ __ cmp(r3, r1);
+ __ b(ne, &subclassing);
+
Label no_info;
// Get the elements kind and case on that.
__ CompareRoot(r2, Heap::kUndefinedValueRootIndex);
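Review bot: The `cmp(r3, r1)` / `b(ne, &subclassing)` pair has no comment saying what a register mismatch means, and the stub now silently depends on every caller populating r3; a reader of this hunk cannot tell that r3 is the original constructor rather than a scratch value. Suggest `// r3 is the original constructor; it differs from r1 only when Array is being constructed through a derived class, which the stub cannot handle yet (v8:3930).` above the compare. The CL updates Generate_ArrayCode and CallIC_ArrayStub to set r3, but any other ArrayConstructorStub caller not in this diff would leave r3 stale and make the comparison meaningless — worth confirming the call sites are exhaustive, or adding a FLAG_debug_code assertion on r3 next to the existing `AssertUndefinedOrAllocationSite`. The same applies to the equivalent compare-and-branch in the arm64, mips, mips64 and x64 ArrayConstructorStub hunks. ArrayConstructorStub::Generate continues outside this hunk.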
@@ -4606,6 +4612,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}
Index: src/arm64/builtins-arm64.cc
diff --git a/src/arm64/builtins-arm64.cc b/src/arm64/builtins-arm64.cc
index
8adec6a51e08ccfe644737fe2671afe75c810cb3..89e304051abf6b426a7eff0505c5f68d1349271d
100644
--- a/src/arm64/builtins-arm64.cc
+++ b/src/arm64/builtins-arm64.cc
@@ -126,6 +126,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm)
{
// Run the native code for the Array function called as a normal
function.
__ LoadRoot(x2, Heap::kUndefinedValueRootIndex);
+ __ Mov(x3, x1);
ArrayConstructorStub stub(masm->isolate());
__ TailCallStub(&stub);
}
Index: src/arm64/code-stubs-arm64.cc
diff --git a/src/arm64/code-stubs-arm64.cc b/src/arm64/code-stubs-arm64.cc
index
3179972d4bdbdd3a91b5e401819654b3d227b559..b8f63b40801644ca205cf26f6483cc55b8191818
100644
--- a/src/arm64/code-stubs-arm64.cc
+++ b/src/arm64/code-stubs-arm64.cc
@@ -3071,6 +3071,9 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
Register allocation_site = feedback_vector;
__ Mov(allocation_site, scratch);
+
+ Register original_constructor = x3;
+ __ Mov(original_constructor, function);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -5006,11 +5009,13 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- x0 : argc (only if argument_count() == ANY)
// -- x1 : constructor
// -- x2 : AllocationSite or undefined
+ // -- x3 : original constructor
// -- sp[0] : return address
// -- sp[4] : last argument
// -----------------------------------
Register constructor = x1;
Register allocation_site = x2;
+ Register original_constructor = x3;
if (FLAG_debug_code) {
// The array construct code is only set for the global and natives
@@ -5032,6 +5037,10 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ AssertUndefinedOrAllocationSite(allocation_site, x10);
}
+ Label subclassing;
+ __ Cmp(original_constructor, constructor);
+ __ B(ne, &subclassing);
+
Register kind = x3;
Label no_info;
// Get the elements kind and case on that.
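Review bot: `Register original_constructor = x3;` (declared in the previous hunk) and `Register kind = x3;` alias the same physical register, and the only thing keeping that correct is that the compare-and-branch is emitted before `kind` is written. That ordering constraint is not stated anywhere, so a later reordering would silently compare the elements kind against the constructor. Suggest `// x3 is dead after the check above and is reused as |kind| below.` between `__ B(ne, &subclassing);` and `Register kind = x3;`. ArrayConstructorStub::Generate continues outside this hunk.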
@@ -5045,6 +5054,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ Bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ Bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}
Index: src/ia32/builtins-ia32.cc
diff --git a/src/ia32/builtins-ia32.cc b/src/ia32/builtins-ia32.cc
index
537ffcd129c40551e61b6c5f0f063d4586c7303e..9aa4e073f7fa54473e38ed6d6ab2b1a0d803ca8a
100644
--- a/src/ia32/builtins-ia32.cc
+++ b/src/ia32/builtins-ia32.cc
@@ -1192,6 +1192,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler*
masm) {
// Get the Array function.
__ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, edi);
+ __ mov(edx, edi);
if (FLAG_debug_code) {
// Initial map for the builtin Array function should be a map.
Index: src/ia32/code-stubs-ia32.cc
diff --git a/src/ia32/code-stubs-ia32.cc b/src/ia32/code-stubs-ia32.cc
index
b5cf5cec5c1ac71ca6f14e4fed3f68e0d57fbd9b..472070123a0fd14f5ac62b423d03801f1ceff164
100644
--- a/src/ia32/code-stubs-ia32.cc
+++ b/src/ia32/code-stubs-ia32.cc
@@ -2252,6 +2252,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
__ j(not_equal, &miss);
__ mov(ebx, ecx);
+ __ mov(edx, edi);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -4630,6 +4631,7 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- eax : argc (only if argument_count() == ANY)
// -- ebx : AllocationSite or undefined
// -- edi : constructor
+ // -- edx : Original constructor
// -- esp[0] : return address
// -- esp[4] : last argument
// -----------------------------------
@@ -4650,11 +4652,15 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
}
Label no_info;
+ Label subclassing;
// If the feedback vector is the undefined value call an array
constructor
// that doesn't use AllocationSites.
__ cmp(ebx, isolate()->factory()->undefined_value());
__ j(equal, &no_info);
+ __ cmp(edx, edi);
+ __ j(not_equal, &subclassing);
+
// Only look at the lower 16 bits of the transition info.
__ mov(edx, FieldOperand(ebx, AllocationSite::kTransitionInfoOffset));
__ SmiUntag(edx);
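Review bot: The subclassing guard is placed after the `j(equal, &no_info)` branch, so when ebx holds undefined the stub skips the `cmp(edx, edi)` entirely and dispatches to the plain array constructor without ever checking the original constructor. Every other port in this CL performs the comparison before the no_info test (arm, arm64, mips, mips64, x64), so ia32 is the only one where a derived constructor can reach GenerateDispatchToArrayStub through the undefined-site path; which callers enter with undefined ebx and edx != edi is not visible here, but a guard that depends on feedback state is not a guard. Move the two added lines above the undefined comparison: `__ cmp(edx, edi);` `__ j(not_equal, &subclassing);` before `__ cmp(ebx, isolate()->factory()->undefined_value());`. The remainder of ArrayConstructorStub::Generate lies outside this hunk.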
@@ -4664,6 +4670,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}
Index: src/messages.js
diff --git a/src/messages.js b/src/messages.js
index
19cc6edc5500ce4301cdfc9c5ba096a0f0a8c164..37182414ec11802a939030e7cfe75f1a5e1d8df2
100644
--- a/src/messages.js
+++ b/src/messages.js
@@ -187,7 +187,8 @@ var kMessages = {
super_constructor_call: ["A 'super' constructor call may only
appear as the first statement of a function, and its arguments may not
access 'this'. Other forms are not yet supported."],
duplicate_proto: ["Duplicate __proto__ fields are not
allowed in object literals"],
param_after_rest: ["Rest parameter must be last formal
parameter"],
- constructor_noncallable: ["Class constructors cannot be invoked
without 'new'"]
+ constructor_noncallable: ["Class constructors cannot be invoked
without 'new'"],
+ array_not_subclassable: ["Subclassing Arrays is not currently
supported."]
};
Index: src/mips/builtins-mips.cc
diff --git a/src/mips/builtins-mips.cc b/src/mips/builtins-mips.cc
index
f4a34591961f987200f6f2d33530000ed7b000ee..42a0bbe58bc12a2689f49586a577e2046b1a2ee1
100644
--- a/src/mips/builtins-mips.cc
+++ b/src/mips/builtins-mips.cc
@@ -138,6 +138,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm)
{
// Run the native code for the Array function called as a normal
function.
// Tail call a stub.
+ __ mov(a3, a1);
__ LoadRoot(a2, Heap::kUndefinedValueRootIndex);
ArrayConstructorStub stub(masm->isolate());
__ TailCallStub(&stub);
Index: src/mips/code-stubs-mips.cc
diff --git a/src/mips/code-stubs-mips.cc b/src/mips/code-stubs-mips.cc
index
74705f97efdd8947c992589abb81974d574a789d..795469998372545bfe05ac0d0f58c1ea4c7bd947
100644
--- a/src/mips/code-stubs-mips.cc
+++ b/src/mips/code-stubs-mips.cc
@@ -2808,6 +2808,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
__ Branch(&miss, ne, t1, Operand(at));
__ mov(a2, t0);
+ __ mov(a3, a1);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -4799,6 +4800,7 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- a0 : argc (only if argument_count() == ANY)
// -- a1 : constructor
// -- a2 : AllocationSite or undefined
+ // -- a3 : Original constructor
// -- sp[0] : return address
// -- sp[4] : last argument
// -----------------------------------
@@ -4821,6 +4823,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ AssertUndefinedOrAllocationSite(a2, t0);
}
+ Label subclassing;
+ __ Branch(&subclassing, ne, a1, Operand(a3));
+
Label no_info;
// Get the elements kind and case on that.
__ LoadRoot(at, Heap::kUndefinedValueRootIndex);
@@ -4834,6 +4839,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}
Index: src/mips64/builtins-mips64.cc
diff --git a/src/mips64/builtins-mips64.cc b/src/mips64/builtins-mips64.cc
index
2d676a1fa9600e39d80323e793f91a553bab80b4..89fda10b0596e28bbac4ff7cd40e8df50f1c26d7
100644
--- a/src/mips64/builtins-mips64.cc
+++ b/src/mips64/builtins-mips64.cc
@@ -137,6 +137,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm)
{
// Run the native code for the Array function called as a normal
function.
// Tail call a stub.
+ __ mov(a3, a1);
__ LoadRoot(a2, Heap::kUndefinedValueRootIndex);
ArrayConstructorStub stub(masm->isolate());
__ TailCallStub(&stub);
Index: src/mips64/code-stubs-mips64.cc
diff --git a/src/mips64/code-stubs-mips64.cc
b/src/mips64/code-stubs-mips64.cc
index
c952a8acf0cac59650fe7177c30756d419f2a6fd..5509dde33b9852c51a1c08c60cc01be7535db397
100644
--- a/src/mips64/code-stubs-mips64.cc
+++ b/src/mips64/code-stubs-mips64.cc
@@ -2886,6 +2886,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
__ Branch(&miss, ne, a5, Operand(at));
__ mov(a2, a4);
+ __ mov(a3, a1);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -4842,6 +4843,7 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- a0 : argc (only if argument_count() == ANY)
// -- a1 : constructor
// -- a2 : AllocationSite or undefined
+ // -- a3 : original constructor
// -- sp[0] : return address
// -- sp[4] : last argument
// -----------------------------------
@@ -4864,6 +4866,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ AssertUndefinedOrAllocationSite(a2, a4);
}
+ Label subclassing;
+ __ Branch(&subclassing, ne, a1, Operand(a3));
+
Label no_info;
// Get the elements kind and case on that.
__ LoadRoot(at, Heap::kUndefinedValueRootIndex);
@@ -4877,6 +4882,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}
Index: src/runtime/runtime-classes.cc
diff --git a/src/runtime/runtime-classes.cc b/src/runtime/runtime-classes.cc
index
fc2f4a0ece516cae71428e3d350b0fe5511dcc24..25c9f72f8ceb871c4a30301464baf9aa73e08e95
100644
--- a/src/runtime/runtime-classes.cc
+++ b/src/runtime/runtime-classes.cc
@@ -47,6 +47,15 @@
RUNTIME_FUNCTION(Runtime_ThrowConstructorNonCallableError) {
}
+RUNTIME_FUNCTION(Runtime_ThrowArrayNotSubclassableError) {
+ HandleScope scope(isolate);
+ DCHECK(args.length() == 0);
+ THROW_NEW_ERROR_RETURN_FAILURE(
+ isolate,
+ NewTypeError("array_not_subclassable", HandleVector<Object>(NULL,
0)));
+}
+
+
RUNTIME_FUNCTION(Runtime_ToMethod) {
HandleScope scope(isolate);
DCHECK(args.length() == 2);
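Review bot: Runtime_ThrowArrayNotSubclassableError has no comment explaining why it exists or when it can go away, which matters for a stopgap that the CL description itself calls an emergency fix. Suggest a one-line header above the RUNTIME_FUNCTION: `// Raised by ArrayConstructorStub when the original constructor is not Array itself; temporary until derived Array constructors are supported (v8:3930).` The body's HandleScope plus argument-count DCHECK opening matches the start of Runtime_ToMethod visible below, so no change to the code itself is proposed.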
Index: src/runtime/runtime.h
diff --git a/src/runtime/runtime.h b/src/runtime/runtime.h
index
88feca21b35ff11a23d83b9df188b3b282332f53..8587303e13a4ab47baf6d3d3766522cec9e825c7
100644
--- a/src/runtime/runtime.h
+++ b/src/runtime/runtime.h
@@ -192,6 +192,7 @@ namespace internal {
F(LoadFromSuper, 3, 1) \
F(LoadKeyedFromSuper, 3, 1) \
F(ThrowConstructorNonCallableError, 0, 1) \
+ F(ThrowArrayNotSubclassableError, 0, 1) \
F(ThrowNonMethodError, 0, 1) \
F(ThrowUnsupportedSuperError, 0, 1) \
F(HandleStepInForDerivedConstructors, 1, 1) \
Index: src/x64/builtins-x64.cc
diff --git a/src/x64/builtins-x64.cc b/src/x64/builtins-x64.cc
index
60a291acf5a27c070349ffcdb3bd532d206911b8..f43084b13f6bd6011a3d81a6970c1a8206ce35f9
100644
--- a/src/x64/builtins-x64.cc
+++ b/src/x64/builtins-x64.cc
@@ -1272,6 +1272,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler*
masm) {
__ Check(equal, kUnexpectedInitialMapForArrayFunction);
}
+ __ movp(rdx, rdi);
// Run the native code for the Array function called as a normal
function.
// tail call a stub
__ LoadRoot(rbx, Heap::kUndefinedValueRootIndex);
Index: src/x64/code-stubs-x64.cc
diff --git a/src/x64/code-stubs-x64.cc b/src/x64/code-stubs-x64.cc
index
23565140bf890caf77a23ab2f313b9125754f19f..eabb22690ab7843ce198eb23a805ff384b1ccea1
100644
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@@ -2122,6 +2122,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm)
{
__ j(not_equal, &miss);
__ movp(rbx, rcx);
+ __ movp(rdx, rdi);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
@@ -4572,6 +4573,7 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
// -- rax : argc
// -- rbx : AllocationSite or undefined
// -- rdi : constructor
+ // -- rdx : original constructor
// -- rsp[0] : return address
// -- rsp[8] : last argument
// -----------------------------------
@@ -4592,6 +4594,10 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ AssertUndefinedOrAllocationSite(rbx);
}
+ Label subclassing;
+ __ cmpp(rdi, rdx);
+ __ j(not_equal, &subclassing);
+
Label no_info;
// If the feedback vector is the undefined value call an array
constructor
// that doesn't use AllocationSites.
@@ -4607,6 +4613,9 @@ void ArrayConstructorStub::Generate(MacroAssembler*
masm) {
__ bind(&no_info);
GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+ __ bind(&subclassing);
+ __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
}