AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

X87: [proxies] fix access issue when having proxies on the prototype-chain of global objects.

Browse Source 
port 2c75e3d2ab (r32903)

  original commit message:
  We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code
  without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1534663002

Cr-Commit-Position: refs/heads/master@{#32924}
This commit is contained in:
zhengxing.li 2015-12-16 20:48:10 -08:00 committed by Commit bot
parent 23384259d5
commit e0a3ff0f5c
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/crankshaft/x87/lithium-codegen-x87.cc
View File

@ -2823,8 +2823,15 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
__ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
Label loop;
__ bind(&loop);
// Deoptimize if the object needs to be access checked.
__ test_b(FieldOperand(object_map, Map::kBitFieldOffset),
1 << Map::kIsAccessCheckNeeded);
DeoptimizeIf(not_zero, instr, Deoptimizer::kAccessCheck);
// Deoptimize for proxies.
__ CmpInstanceType(object_map, JS_PROXY_TYPE);
DeoptimizeIf(equal, instr, Deoptimizer::kProxy);
__ mov(object_prototype, FieldOperand(object_map, Map::kPrototypeOffset));
__ cmp(object_prototype, prototype);
EmitTrueBranch(instr, equal);

5
src/x87/code-stubs-x87.cc
View File

@ -2280,19 +2280,22 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
__ mov(eax, isolate()->factory()->true_value());
__ bind(&loop);
// Check if the object needs to be access checked.
__ test_b(FieldOperand(object_map, Map::kBitFieldOffset),
1 << Map::kIsAccessCheckNeeded);
__ j(not_zero, &fast_runtime_fallback, Label::kNear);
// Check if the current object is a Proxy.
__ CmpInstanceType(object_map, JS_PROXY_TYPE);
__ j(equal, &fast_runtime_fallback, Label::kNear);
__ mov(object, FieldOperand(object_map, Map::kPrototypeOffset));
__ cmp(object, function_prototype);
__ j(equal, &done, Label::kNear);
__ cmp(object, isolate()->factory()->null_value());
__ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
__ cmp(object, isolate()->factory()->null_value());
__ j(not_equal, &loop);
__ mov(eax, isolate()->factory()->false_value());
__ bind(&done);
__ StoreRoot(eax, scratch, Heap::kInstanceofCacheAnswerRootIndex);
__ ret(0);