Remove new.target value from construct stub frames.

This drops the specific slot containing the new.target value from our
construct stub frames. This side-channel has been deprecated and will
no longer be accessed by any consumers.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1489353004

Cr-Commit-Position: refs/heads/master@{#32550}
mstarzinger 2015-12-03 03:33:15 -08:00 committed by Commit bot
parent 0e95683376
commit eaa0e59611
8 changed files with 31 additions and 74 deletions


@ -499,10 +499,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ SmiUntag(r0);
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
__ push(r3);
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
@ -524,8 +520,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// r4: number of arguments (smi-tagged)
// sp[0]: receiver
// sp[1]: receiver
// sp[2]: new.target
// sp[3]: number of arguments (smi-tagged)
// sp[2]: number of arguments (smi-tagged)
Label loop, entry;
__ SmiTag(r4, r0);
__ b(&entry);
@ -559,8 +554,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// Restore context from the frame.
// r0: result
// sp[0]: receiver
// sp[1]: new.target
// sp[2]: number of arguments (smi-tagged)
// sp[1]: number of arguments (smi-tagged)
__ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
if (create_implicit_receiver) {
@ -572,8 +566,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// If the result is a smi, it is *not* an object in the ECMA sense.
// r0: result
// sp[0]: receiver
// sp[1]: new.target
// sp[2]: number of arguments (smi-tagged)
// sp[1]: number of arguments (smi-tagged)
__ JumpIfSmi(r0, &use_receiver);
// If the type of the result (stored in its map) is less than
@ -591,11 +584,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ bind(&exit);
// r0: result
// sp[0]: receiver (newly allocated object)
// sp[1]: new target
// sp[2]: number of arguments (smi-tagged)
__ ldr(r1, MemOperand(sp, 2 * kPointerSize));
// sp[1]: number of arguments (smi-tagged)
__ ldr(r1, MemOperand(sp, 1 * kPointerSize));
} else {
__ ldr(r1, MemOperand(sp, kPointerSize));
__ ldr(r1, MemOperand(sp));
}
// Leave construct frame.
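Review bot: The `else` branch at the `exit` label (`__ ldr(r1, MemOperand(sp));`) now reads the argument count from the top of the stack without the layout comment that the `if` branch carries, so a reader has to work out why no receiver slot sits above it; the arm64 hunk suggests the callee has popped the hole that was pushed in place of a receiver, but that is inferred rather than visible here. I would add `// sp[0]: number of arguments (smi-tagged); no receiver copy was kept on this path.` before the load. The same applies to the matching `else` branches in the arm64, ia32, mips, mips64 and x64 sections. Generate_JSConstructStubHelper begins and ends outside the hunk.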


@ -506,15 +506,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ SmiUntag(argc);
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
// conventions dictate that the called function pops the receiver.
__ Push(new_target, x4, x4);
__ Push(x4, x4);
} else {
__ push(new_target);
__ PushRoot(Heap::kTheHoleValueRootIndex);
}
@ -529,8 +526,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// x3: new target
// jssp[0]: receiver
// jssp[1]: receiver
// jssp[2]: new.target
// jssp[3]: number of arguments (smi-tagged)
// jssp[2]: number of arguments (smi-tagged)
// Compute the start address of the copy in x3.
__ Add(x4, x2, Operand(argc, LSL, kPointerSizeLog2));
Label loop, entry, done_copying_arguments;
@ -570,8 +566,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// Restore the context from the frame.
// x0: result
// jssp[0]: receiver
// jssp[1]: new.target
// jssp[2]: number of arguments (smi-tagged)
// jssp[1]: number of arguments (smi-tagged)
__ Ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
if (create_implicit_receiver) {
@ -600,11 +595,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ Bind(&exit);
// x0: result
// jssp[0]: receiver (newly allocated object)
// jssp[1]: new target
// jssp[2]: number of arguments (smi-tagged)
__ Peek(x1, 2 * kXRegSize);
// jssp[1]: number of arguments (smi-tagged)
__ Peek(x1, 1 * kXRegSize);
} else {
__ Peek(x1, kXRegSize);
__ Peek(x1, 0);
}
// Leave construct frame.


@ -1235,12 +1235,6 @@ void Deoptimizer::DoComputeConstructStubFrame(int frame_index) {
PrintF(trace_scope_->file(), "(%d)\n", height - 1);
}
// The new target.
output_offset -= kPointerSize;
value = reinterpret_cast<intptr_t>(isolate_->heap()->undefined_value());
output_frame->SetFrameSlot(output_offset, value);
DebugPrintOutputSlot(value, frame_index, output_offset, "new.target\n");
// The newly allocated object was passed as receiver in the artificial
// constructor stub environment created by HEnvironment::CopyForInlining().
output_offset -= kPointerSize;
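Review bot: Removing the slot store for new.target is only half of the frame-layout change in DoComputeConstructStubFrame; the frame height that sizes output_frame is computed outside this hunk, and if it still counts the old slot the output frame keeps an unwritten word that the stack walker and GC would treat as a tagged value. Nothing in the hunk checks that the slots written here add up to ConstructFrameConstants::kFrameSize. I would add a comment at the top of the slot-writing sequence, `// Slot layout below must match ConstructFrameConstants in frames.h; there is no new.target slot any more.`, or better an assertion on output_offset against the expected frame size once all slots are written. The function starts and ends outside the hunk.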


@ -161,8 +161,6 @@ class ConstructFrameConstants : public AllStatic {
public:
// FP-relative.
static const int kImplicitReceiverOffset =
StandardFrameConstants::kExpressionsOffset - 4 * kPointerSize;
static const int kNewTargetOffset =
StandardFrameConstants::kExpressionsOffset - 3 * kPointerSize;
static const int kLengthOffset =
StandardFrameConstants::kExpressionsOffset - 2 * kPointerSize;
@ -172,7 +170,7 @@ class ConstructFrameConstants : public AllStatic {
StandardFrameConstants::kExpressionsOffset - 0 * kPointerSize;
static const int kFrameSize =
StandardFrameConstants::kFixedFrameSize + 5 * kPointerSize;
StandardFrameConstants::kFixedFrameSize + 4 * kPointerSize;
};
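Review bot: As rendered, kImplicitReceiverOffset still reads `StandardFrameConstants::kExpressionsOffset - 4 * kPointerSize` while the removed kNewTargetOffset occupied `- 3 * kPointerSize` and kFrameSize shrinks to `kFixedFrameSize + 4 * kPointerSize`; unless the page dropped the updated line for kImplicitReceiverOffset, that leaves a one-slot hole between the implicit receiver and the length slot that no backend pushes. The constants are not tied to each other, so a mismatch with the push sequences in the builtins would only surface as a mis-read slot at runtime. I would add a comment above kImplicitReceiverOffset listing the four expression slots in push order, and a `static_assert` that kFrameSize equals kFixedFrameSize plus the number of listed slots. The class body continues above the hunk.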


@ -280,10 +280,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ SmiUntag(eax);
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
__ push(edx);
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
@ -347,12 +343,11 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ mov(eax, Operand(esp, 0));
// Restore the arguments count and leave the construct frame. The
// arguments
// count is stored below the reciever and the new.target.
// arguments count is stored below the receiver.
__ bind(&exit);
__ mov(ebx, Operand(esp, 2 * kPointerSize));
__ mov(ebx, Operand(esp, 1 * kPointerSize));
} else {
__ mov(ebx, Operand(esp, kPointerSize));
__ mov(ebx, Operand(esp, 0));
}
// Leave construct frame.


@ -498,15 +498,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ SmiUntag(a0);
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
// conventions dictate that the called function pops the receiver.
__ Push(a3, t4, t4);
__ Push(t4, t4);
} else {
__ push(a3);
__ PushRoot(Heap::kTheHoleValueRootIndex);
}
@ -521,8 +518,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// t4: number of arguments (smi-tagged)
// sp[0]: receiver
// sp[1]: receiver
// sp[2]: new.target
// sp[3]: number of arguments (smi-tagged)
// sp[2]: number of arguments (smi-tagged)
Label loop, entry;
__ SmiTag(t4, a0);
__ jmp(&entry);
@ -567,8 +563,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// If the result is a smi, it is *not* an object in the ECMA sense.
// v0: result
// sp[0]: receiver (newly allocated object)
// sp[1]: new.target
// sp[2]: number of arguments (smi-tagged)
// sp[1]: number of arguments (smi-tagged)
__ JumpIfSmi(v0, &use_receiver);
// If the type of the result (stored in its map) is less than
@ -586,11 +581,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ bind(&exit);
// v0: result
// sp[0]: receiver (newly allocated object)
// sp[1]: new target
// sp[2]: number of arguments (smi-tagged)
__ lw(a1, MemOperand(sp, 2 * kPointerSize));
// sp[1]: number of arguments (smi-tagged)
__ lw(a1, MemOperand(sp, 1 * kPointerSize));
} else {
__ lw(a1, MemOperand(sp, kPointerSize));
__ lw(a1, MemOperand(sp));
}
// Leave construct frame.


@ -492,15 +492,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
}
__ SmiUntag(a0);
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
// conventions dictate that the called function pops the receiver.
__ Push(a3, t0, t0);
__ Push(t0, t0);
} else {
__ push(a3);
__ PushRoot(Heap::kTheHoleValueRootIndex);
}
@ -515,8 +512,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// t0: number of arguments (smi-tagged)
// sp[0]: receiver
// sp[1]: receiver
// sp[2]: new.target
// sp[3]: number of arguments (smi-tagged)
// sp[2]: number of arguments (smi-tagged)
Label loop, entry;
__ mov(t0, a0);
__ jmp(&entry);
@ -561,8 +557,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
// If the result is a smi, it is *not* an object in the ECMA sense.
// v0: result
// sp[0]: receiver (newly allocated object)
// sp[1]: new.target
// sp[2]: number of arguments (smi-tagged)
// sp[1]: number of arguments (smi-tagged)
__ JumpIfSmi(v0, &use_receiver);
// If the type of the result (stored in its map) is less than
@ -580,11 +575,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ bind(&exit);
// v0: result
// sp[0]: receiver (newly allocated object)
// sp[1]: new target
// sp[2]: number of arguments (smi-tagged)
__ ld(a1, MemOperand(sp, 2 * kPointerSize));
// sp[1]: number of arguments (smi-tagged)
__ ld(a1, MemOperand(sp, 1 * kPointerSize));
} else {
__ ld(a1, MemOperand(sp, kPointerSize));
__ ld(a1, MemOperand(sp));
}
// Leave construct frame.


@ -278,10 +278,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ SmiToInteger32(rax, rax);
}
// Push new.target onto the construct frame. This is stored just below the
// receiver on the stack.
__ Push(rdx);
if (create_implicit_receiver) {
// Push the allocated receiver to the stack. We need two copies
// because we may have to return the original one and the calling
@ -345,11 +341,11 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
__ movp(rax, Operand(rsp, 0));
// Restore the arguments count and leave the construct frame. The
// arguments count is stored below the reciever and the new.target.
// arguments count is stored below the receiver.
__ bind(&exit);
__ movp(rbx, Operand(rsp, 2 * kPointerSize));
__ movp(rbx, Operand(rsp, 1 * kPointerSize));
} else {
__ movp(rbx, Operand(rsp, kPointerSize));
__ movp(rbx, Operand(rsp, 0));
}
// Leave construct frame.