}
+// Helper function used to check that a value is either not a function
+// or is loaded if it is a function.
+static void GenerateCheckNonFunctionOrLoaded(MacroAssembler* masm,
+ Label* miss,
+ Register value,
+ Register scratch) {
+ Label done;
+ // Check if the value is a Smi.
+ __ tst(value, Operand(kSmiTagMask));
+ __ b(eq, &done);
+ // Check if the value is a function.
+ __ ldr(scratch, FieldMemOperand(value, HeapObject::kMapOffset));
+ __ ldrb(scratch, FieldMemOperand(scratch, Map::kInstanceTypeOffset));
+ __ cmp(scratch, Operand(JS_FUNCTION_TYPE));
+ __ b(ne, &done);
+ // Check if the function has been loaded.
+ __ ldr(scratch,
+ FieldMemOperand(value, JSFunction::kSharedFunctionInfoOffset));
+ __ ldr(scratch,
+ FieldMemOperand(scratch, SharedFunctionInfo::kLazyLoadDataOffset));
+ __ cmp(scratch, Operand(Factory::undefined_value()));
+ __ b(ne, miss);
+ __ bind(&done);
+}
+
+
void LoadIC::GenerateArrayLength(MacroAssembler* masm) {
// ----------- S t a t e -------------
// -- r2 : name
__ cmp(r0, Operand(JS_FUNCTION_TYPE));
__ b(ne, miss);
+ // Check that the function has been loaded.
+ __ ldr(r0, FieldMemOperand(r1, JSFunction::kSharedFunctionInfoOffset));
+ __ ldr(r0, FieldMemOperand(r0, SharedFunctionInfo::kLazyLoadDataOffset));
+ __ cmp(r0, Operand(Factory::undefined_value()));
+ __ b(ne, miss);
+
// Patch the receiver with the global proxy if necessary.
if (is_global_object) {
__ ldr(r2, MemOperand(sp, argc * kPointerSize));
__ bind(&probe);
GenerateDictionaryLoad(masm, &miss, r1, r0);
+ GenerateCheckNonFunctionOrLoaded(masm, &miss, r0, r1);
__ Ret();
// Global object access: Check access rights.
#define __ masm->
-// Helper function used from LoadIC/CallIC GenerateNormal.
+// Helper function used to load a property from a dictionary backing storage.
static void GenerateDictionaryLoad(MacroAssembler* masm, Label* miss_label,
Register r0, Register r1, Register r2,
Register name) {
}
+// Helper function used to check that a value is either not a function
+// or is loaded if it is a function.
+static void GenerateCheckNonFunctionOrLoaded(MacroAssembler* masm, Label* miss,
+ Register value, Register scratch) {
+ Label done;
+ // Check if the value is a Smi.
+ __ test(value, Immediate(kSmiTagMask));
+ __ j(zero, &done, not_taken);
+ // Check if the value is a function.
+ __ mov(scratch, FieldOperand(value, HeapObject::kMapOffset));
+ __ movzx_b(scratch, FieldOperand(scratch, Map::kInstanceTypeOffset));
+ __ cmp(scratch, JS_FUNCTION_TYPE);
+ __ j(not_equal, &done, taken);
+ // Check if the function has been loaded.
+ __ mov(scratch, FieldOperand(value, JSFunction::kSharedFunctionInfoOffset));
+ __ mov(scratch,
+ FieldOperand(scratch, SharedFunctionInfo::kLazyLoadDataOffset));
+ __ cmp(scratch, Factory::undefined_value());
+ __ j(not_equal, miss, not_taken);
+ __ bind(&done);
+}
+
+
void LoadIC::GenerateArrayLength(MacroAssembler* masm) {
// ----------- S t a t e -------------
// -- ecx : name
__ j(not_zero, &slow, not_taken);
// Probe the dictionary leaving result in ecx.
GenerateDictionaryLoad(masm, &slow, ebx, ecx, edx, eax);
+ GenerateCheckNonFunctionOrLoaded(masm, &slow, ecx, edx);
__ mov(eax, Operand(ecx));
__ IncrementCounter(&Counters::keyed_load_generic_symbol, 1);
__ ret(0);
__ cmp(edx, JS_FUNCTION_TYPE);
__ j(not_equal, miss, not_taken);
+ // Check that the function has been loaded.
+ __ mov(edx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
+ __ mov(edx, FieldOperand(edx, SharedFunctionInfo::kLazyLoadDataOffset));
+ __ cmp(edx, Factory::undefined_value());
+ __ j(not_equal, miss, not_taken);
+
// Patch the receiver with the global proxy if necessary.
if (is_global_object) {
__ mov(edx, Operand(esp, (argc + 1) * kPointerSize));
// Search the dictionary placing the result in eax.
__ bind(&probe);
GenerateDictionaryLoad(masm, &miss, edx, eax, ebx, ecx);
+ GenerateCheckNonFunctionOrLoaded(masm, &miss, eax, edx);
__ ret(0);
// Global object access: Check access rights.
CHECK_NE(sd->Length(), 0);
CHECK_NE(sd->Data(), NULL);
}
+
+
+// This tests that we do not allow dictionary load/call inline caches
+// to use functions that have not yet been compiled. The potential
+// problem of loading a function that has not yet been compiled can
+// arise because we share code between contexts via the compilation
+// cache.
+THREADED_TEST(DictionaryICLoadedFunction) {
+ v8::HandleScope scope;
+ // Test LoadIC.
+ for (int i = 0; i < 2; i++) {
+ LocalContext context;
+ context->Global()->Set(v8_str("tmp"), v8::True());
+ context->Global()->Delete(v8_str("tmp"));
+ CompileRun("for (var j = 0; j < 10; j++) new RegExp('');");
+ }
+ // Test CallIC.
+ for (int i = 0; i < 2; i++) {
+ LocalContext context;
+ context->Global()->Set(v8_str("tmp"), v8::True());
+ context->Global()->Delete(v8_str("tmp"));
+ CompileRun("for (var j = 0; j < 10; j++) RegExp('')");
+ }
+}
projects / platform / upstream / v8.git / commitdiff