Reviewers: Dmitry Lomov (chromium),

Description:
Version 4.2.77.11 (cherry-pick)

Merged 8b33fa60691fe3d0d0e2ee6b751b89de6abec626

X87: Disallow subclassing Arrays.

[email protected]
BUG=

Please review this at https://codereview.chromium.org/1033463002/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+16, -2 lines):
  M include/v8-version.h
  M src/x87/builtins-x87.cc
  M src/x87/code-stubs-x87.cc
  M src/x87/full-codegen-x87.cc


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index 865f038bfecd0440e84ed761e5484b73d49f60dc..46e584d346177ff856a2d196b4e616bf774aedc7 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 77
-#define V8_PATCH_LEVEL 10
+#define V8_PATCH_LEVEL 11

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/x87/builtins-x87.cc
diff --git a/src/x87/builtins-x87.cc b/src/x87/builtins-x87.cc
index 0a80998047c85e56b9534ef9f068b8b04cf8bdc5..9fda5a71888e6438dcd0121db006c708080e7bc9 100644
--- a/src/x87/builtins-x87.cc
+++ b/src/x87/builtins-x87.cc
@@ -1192,6 +1192,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm) {

   // Get the Array function.
   __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, edi);
+  __ mov(edx, edi);

   if (FLAG_debug_code) {
     // Initial map for the builtin Array function should be a map.
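Review bot: The added `__ mov(edx, edi);` after the `LoadGlobalFunction` call has no comment, so nothing at this site says why edx must equal edi. The `ArrayConstructorStub::Generate` hunks later in this patch document edx as the original constructor and jump to the throwing `subclassing` path when it differs from edi, so a stale edx here would turn a plain Array call into the not-subclassable error. I would add `// edx: original constructor; same as edi for a direct Array call.` above the mov, and the same comment above the identical mov added in `CallIC_ArrayStub::Generate`. The rest of `Generate_ArrayCode` lies outside this hunk.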
Index: src/x87/code-stubs-x87.cc
diff --git a/src/x87/code-stubs-x87.cc b/src/x87/code-stubs-x87.cc
index 5e69b809b05cbd9abcd70b33ea481acacf5cdb76..5da200d66e8c6b60d66dd9deeaabb10197981820 100644
--- a/src/x87/code-stubs-x87.cc
+++ b/src/x87/code-stubs-x87.cc
@@ -1939,6 +1939,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm) {
   __ j(not_equal, &miss);

   __ mov(ebx, ecx);
+  __ mov(edx, edi);
   ArrayConstructorStub stub(masm->isolate(), arg_count());
   __ TailCallStub(&stub);

@@ -4290,6 +4291,7 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
   //  -- eax : argc (only if argument_count() == ANY)
   //  -- ebx : AllocationSite or undefined
   //  -- edi : constructor
+  //  -- edx : Original constructor
   //  -- esp[0] : return address
   //  -- esp[4] : last argument
   // -----------------------------------
@@ -4309,12 +4311,20 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
     __ AssertUndefinedOrAllocationSite(ebx);
   }

+  Label subclassing;
+
+  __ cmp(edx, edi);
+  __ j(not_equal, &subclassing);
+
   Label no_info;
// If the feedback vector is the undefined value call an array constructor
   // that doesn't use AllocationSites.
   __ cmp(ebx, isolate()->factory()->undefined_value());
   __ j(equal, &no_info);

+  __ cmp(edx, edi);
+  __ j(not_equal, &subclassing);
+
   // Only look at the lower 16 bits of the transition info.
   __ mov(edx, FieldOperand(ebx, AllocationSite::kTransitionInfoOffset));
   __ SmiUntag(edx);
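Review bot: The second `__ cmp(edx, edi); __ j(not_equal, &subclassing);` pair, added after the `j(equal, &no_info)` branch, looks like a branch that can never be taken. The identical check a few lines above already leaves for `subclassing` on inequality, and the only instruction between the two in this hunk compares ebx, which changes neither edx nor edi. I would drop the second pair and keep the first, with a comment such as `// Original constructor differs from Array: subclassing is not supported.` The check must stay ahead of `__ mov(edx, FieldOperand(ebx, AllocationSite::kTransitionInfoOffset));`, since that line overwrites edx. The function starts before this hunk, and the `subclassing` label is bound in the next one.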
@@ -4324,6 +4334,9 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {

   __ bind(&no_info);
   GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+  __ bind(&subclassing);
+  __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
 }


Index: src/x87/full-codegen-x87.cc
diff --git a/src/x87/full-codegen-x87.cc b/src/x87/full-codegen-x87.cc
index b6e5c221a3b3ced9d17a0a9dd5f18c1ba1fc8718..4ec21ae09c3067d14cbafc246659f2576bfc1f62 100644
--- a/src/x87/full-codegen-x87.cc
+++ b/src/x87/full-codegen-x87.cc
@@ -4110,7 +4110,7 @@ void FullCodeGenerator::EmitDefaultConstructorCallSuper(CallRuntime* expr) {
   __ bind(&args_set_up);

   __ mov(edi, Operand(esp, eax, times_pointer_size, 0));
-
+  __ mov(ebx, Immediate(isolate()->factory()->undefined_value()));
   CallConstructStub stub(isolate(), SUPER_CONSTRUCTOR_CALL);
   __ call(stub.GetCode(), RelocInfo::CONSTRUCT_CALL);
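Review bot: The new `__ mov(ebx, Immediate(isolate()->factory()->undefined_value()));` before the `CallConstructStub` has no comment explaining why ebx is loaded. `ArrayConstructorStub::Generate` in this same patch documents ebx as `AllocationSite or undefined`, so the load presumably keeps ebx well-defined when the super constructor is Array; that link should be stated at the call site. I would add `// ebx: no AllocationSite for a super constructor call (ArrayConstructorStub expects one or undefined).` and keep the blank line the patch removed, so the register setup stays visually separate from the stub call. `EmitDefaultConstructorCallSuper` starts and ends outside the hunk.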


