Revision: 6773
Author: [email protected]
Date: Mon Feb 14 05:13:41 2011
Log: Fix a potential crash bug in keyed calls for non-string keys.
BUG=v8:1146
Review URL: http://codereview.chromium.org/6517010
http://code.google.com/p/v8/source/detail?r=6773
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-1146.js
Modified:
/branches/bleeding_edge/src/arm/ic-arm.cc
/branches/bleeding_edge/src/arm/macro-assembler-arm.cc
/branches/bleeding_edge/src/arm/macro-assembler-arm.h
/branches/bleeding_edge/src/ia32/ic-ia32.cc
/branches/bleeding_edge/src/x64/ic-x64.cc
/branches/bleeding_edge/src/x64/macro-assembler-x64.cc
/branches/bleeding_edge/src/x64/macro-assembler-x64.h
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-1146.js Mon Feb 14
05:13:41 2011
@@ -0,0 +1,48 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test keyed calls with different key types.
+function F() {}
+var a = new F();
+function f(i) { return a[i](); }
+
+a.first = function() { return 11; }
+a[0] = function() { return 22; }
+var obj = {};
+a[obj] = function() { return 33; }
+
+// Make object slow-case.
+a.foo = 0;
+delete a.foo;
+// Do multiple calls for IC transitions.
+var b = "first";
+f(b);
+f(b);
+
+assertEquals(11, f(b));
+assertEquals(22, f(0));
+assertEquals(33, f(obj));
=======================================
--- /branches/bleeding_edge/src/arm/ic-arm.cc Sun Feb 13 08:19:53 2011
+++ /branches/bleeding_edge/src/arm/ic-arm.cc Mon Feb 14 05:13:41 2011
@@ -115,6 +115,9 @@
Register name,
Register scratch1,
Register scratch2) {
+ // Assert that name contains a string.
+ if (FLAG_debug_code) __ AbortIfNotString(name);
+
// Compute the capacity mask.
const int kCapacityOffset = StringDictionary::kHeaderSize +
StringDictionary::kCapacityIndex * kPointerSize;
@@ -843,7 +846,14 @@
// -- lr : return address
// -----------------------------------
+ // Check if the name is a string.
+ Label miss;
+ __ tst(r2, Operand(kSmiTagMask));
+ __ b(eq, &miss);
+ __ IsObjectJSStringType(r2, r0, &miss);
+
GenerateCallNormal(masm, argc);
+ __ bind(&miss);
GenerateMiss(masm, argc);
}
=======================================
--- /branches/bleeding_edge/src/arm/macro-assembler-arm.cc Thu Feb 10
12:04:54 2011
+++ /branches/bleeding_edge/src/arm/macro-assembler-arm.cc Mon Feb 14
05:13:41 2011
@@ -929,8 +929,8 @@
void MacroAssembler::IsObjectJSStringType(Register object,
- Register scratch,
- Label* fail) {
+ Register scratch,
+ Label* fail) {
ASSERT(kNotStringTag != 0);
ldr(scratch, FieldMemOperand(object, HeapObject::kMapOffset));
@@ -2122,6 +2122,19 @@
}
+void MacroAssembler::AbortIfNotString(Register object) {
+ STATIC_ASSERT(kSmiTag == 0);
+ tst(object, Operand(kSmiTagMask));
+ Assert(ne, "Operand is not a string");
+ push(object);
+ ldr(object, FieldMemOperand(object, HeapObject::kMapOffset));
+ CompareInstanceType(object, object, FIRST_NONSTRING_TYPE);
+ pop(object);
+ Assert(lo, "Operand is not a string");
+}
+
+
+
void MacroAssembler::AbortIfNotRootValue(Register src,
Heap::RootListIndex
root_value_index,
const char* message) {
=======================================
--- /branches/bleeding_edge/src/arm/macro-assembler-arm.h Thu Feb 10
12:04:54 2011
+++ /branches/bleeding_edge/src/arm/macro-assembler-arm.h Mon Feb 14
05:13:41 2011
@@ -791,6 +791,9 @@
void AbortIfSmi(Register object);
void AbortIfNotSmi(Register object);
+ // Abort execution if argument is a string. Used in debug code.
+ void AbortIfNotString(Register object);
+
// Abort execution if argument is not the root value with the given
index.
void AbortIfNotRootValue(Register src,
Heap::RootListIndex root_value_index,
=======================================
--- /branches/bleeding_edge/src/ia32/ic-ia32.cc Sun Feb 13 08:19:53 2011
+++ /branches/bleeding_edge/src/ia32/ic-ia32.cc Mon Feb 14 05:13:41 2011
@@ -108,6 +108,9 @@
Register name,
Register r0,
Register r1) {
+ // Assert that name contains a string.
+ if (FLAG_debug_code) __ AbortIfNotString(name);
+
// Compute the capacity mask.
const int kCapacityOffset =
StringDictionary::kHeaderSize +
@@ -1208,7 +1211,14 @@
// -- esp[(argc + 1) * 4] : receiver
// -----------------------------------
+ // Check if the name is a string.
+ Label miss;
+ __ test(ecx, Immediate(kSmiTagMask));
+ __ j(zero, &miss);
+ Condition cond = masm->IsObjectStringType(ecx, eax, eax);
+ __ j(NegateCondition(cond), &miss);
GenerateCallNormal(masm, argc);
+ __ bind(&miss);
GenerateMiss(masm, argc);
}
=======================================
--- /branches/bleeding_edge/src/x64/ic-x64.cc Sun Feb 13 08:19:53 2011
+++ /branches/bleeding_edge/src/x64/ic-x64.cc Mon Feb 14 05:13:41 2011
@@ -108,6 +108,9 @@
Register name,
Register r0,
Register r1) {
+ // Assert that name contains a string.
+ if (FLAG_debug_code) __ AbortIfNotString(name);
+
// Compute the capacity mask.
const int kCapacityOffset =
StringDictionary::kHeaderSize +
@@ -1233,7 +1236,13 @@
// rsp[(argc + 1) * 8] : argument 0 = receiver
// -----------------------------------
+ // Check if the name is a string.
+ Label miss;
+ __ JumpIfSmi(rcx, &miss);
+ Condition cond = masm->IsObjectStringType(rcx, rax, rax);
+ __ j(NegateCondition(cond), &miss);
GenerateCallNormal(masm, argc);
+ __ bind(&miss);
GenerateMiss(masm, argc);
}
=======================================
--- /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Wed Feb 9
04:46:22 2011
+++ /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Mon Feb 14
05:13:41 2011
@@ -1608,6 +1608,17 @@
Condition is_smi = CheckSmi(object);
Assert(is_smi, "Operand is not a smi");
}
+
+
+void MacroAssembler::AbortIfNotString(Register object) {
+ testb(object, Immediate(kSmiTagMask));
+ Assert(not_equal, "Operand is not a string");
+ push(object);
+ movq(object, FieldOperand(object, HeapObject::kMapOffset));
+ CmpInstanceType(object, FIRST_NONSTRING_TYPE);
+ pop(object);
+ Assert(below, "Operand is not a string");
+}
void MacroAssembler::AbortIfNotRootValue(Register src,
=======================================
--- /branches/bleeding_edge/src/x64/macro-assembler-x64.h Wed Feb 9
04:46:22 2011
+++ /branches/bleeding_edge/src/x64/macro-assembler-x64.h Mon Feb 14
05:13:41 2011
@@ -661,6 +661,9 @@
// Abort execution if argument is not a smi. Used in debug code.
void AbortIfNotSmi(Register object);
+ // Abort execution if argument is a string. Used in debug code.
+ void AbortIfNotString(Register object);
+
// Abort execution if argument is not the root value with the given
index.
void AbortIfNotRootValue(Register src,
Heap::RootListIndex root_value_index,
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
