[ic] Fix 'prototype chain checks' where the holder is the receiver

We use LoadFromPrototype also for direct global loads. InitPrototypeChecks did not support this though, and would create a prototype chain check for objects beyond the direct global. This tries to ensure the property on the global itself doesn't exist, which is invalid. Additionally this CL deletes duplicate code. BUG=chromium:702798,v8:5561 Change-Id: I318a5b6cd5f7c3efdb3a003e34edd37d5d3f880b Reviewed-on: https://chromium-review.googlesource.com/457369 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#43935}
2017-03-20 14:19:20 +01:00 · 2017-03-20 14:19:20 +01:00 · 6f52dfd7f0
commit 6f52dfd7f0
parent cb903e3173
2 changed files with 10 additions and 25 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -870,9 +870,7 @@ template <bool fill_array = true>
 int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map,
                        Handle<JSObject> holder, Handle<Name> name,
                        Handle<FixedArray> array, int first_index) {
-  // We don't encode the requirement to check access rights because we already
-  // passed the access check for current native context and the access
-  // can't be revoked.
+  if (!holder.is_null() && holder->map() == *receiver_map) return 0;

  HandleScope scope(isolate);
  int checks_count = 0;
@ -891,8 +889,7 @@ int InitPrototypeChecks(Isolate* isolate, Handle<Map> receiver_map,
    }
    checks_count++;

-  } else if (receiver_map->IsJSGlobalObjectMap() &&
-             (holder.is_null() || holder->map() != *receiver_map)) {
+  } else if (receiver_map->IsJSGlobalObjectMap()) {
    // If we are creating a handler for [Load/Store]GlobalIC then we need to
    // check that the property did not appear in the global object.
    if (fill_array) {
@ -1294,26 +1291,6 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
          return slow_stub();
        }

-        if (!holder->HasFastProperties()) {
-          // Global loads always need the extended data handler since it embeds
-          // the PropertyCell.
-          if (receiver_is_holder && !holder->IsJSGlobalObject()) {
-            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
-            return LoadHandler::LoadNormal(isolate());
-          }
-
-          Handle<Smi> smi_handler;
-          if (holder->IsJSGlobalObject()) {
-            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadGlobalFromPrototypeDH);
-            smi_handler = LoadHandler::LoadGlobal(isolate());
-          } else {
-            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalFromPrototypeDH);
-            smi_handler = LoadHandler::LoadNormal(isolate());
-          }
-
-          return LoadFromPrototype(map, holder, lookup->name(), smi_handler);
-        }
-
        Handle<Object> getter(AccessorPair::cast(*accessors)->getter(),
                              isolate());
        if (getter->IsJSFunction()) {
--- a/test/mjsunit/regress/regress-crbug-702798.js
+++ b/test/mjsunit/regress/regress-crbug-702798.js
@ -0,0 +1,8 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Access any property that's also available on the global of the other realm.
+__defineGetter__("Object", ()=>0);
+__proto__ = Realm.global(Realm.create());
+Object;