| Index: src/ia32/stub-cache-ia32.cc
|
| diff --git a/src/ia32/stub-cache-ia32.cc b/src/ia32/stub-cache-ia32.cc
|
| index e148e2f525c34959d492ba838e5666b392da9f33..2040fa98eb4e864544d66588ccfd692bf969b0fc 100644
|
| --- a/src/ia32/stub-cache-ia32.cc
|
| +++ b/src/ia32/stub-cache-ia32.cc
|
| @@ -745,10 +745,22 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
|
| Handle<JSObject> object,
|
| int index,
|
| Handle<Map> transition,
|
| + Handle<String> name,
|
| Register receiver_reg,
|
| Register name_reg,
|
| - Register scratch,
|
| + Register scratch1,
|
| + Register scratch2,
|
| Label* miss_label) {
|
| + LookupResult lookup(masm->isolate());
|
| + object->Lookup(*name, &lookup);
|
| + if (lookup.IsFound() && (lookup.IsReadOnly() || !lookup.IsCacheable())) {
|
| + // In sloppy mode, we could just return the value and be done. However, we
|
| + // might be in strict mode, where we have to throw. Since we cannot tell,
|
| + // go into slow case unconditionally.
|
| + __ jmp(miss_label);
|
| + return;
|
| + }
|
| +
|
| // Check that the map of the object hasn't changed.
|
| CompareMapMode mode = transition.is_null() ? ALLOW_ELEMENT_TRANSITION_MAPS
|
| : REQUIRE_EXACT_MAP;
|
| @@ -757,7 +769,32 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
|
|
|
| // Perform global security token check if needed.
|
| if (object->IsJSGlobalProxy()) {
|
| - __ CheckAccessGlobalProxy(receiver_reg, scratch, miss_label);
|
| + __ CheckAccessGlobalProxy(receiver_reg, scratch1, miss_label);
|
| + }
|
| +
|
| + // Check that we are allowed to write this.
|
| + if (!transition.is_null() && object->GetPrototype()->IsJSObject()) {
|
| + JSObject* holder;
|
| + if (lookup.IsFound()) {
|
| + holder = lookup.holder();
|
| + } else {
|
| + // Find the top object.
|
| + holder = *object;
|
| + do {
|
| + holder = JSObject::cast(holder->GetPrototype());
|
| + } while (holder->GetPrototype()->IsJSObject());
|
| + }
|
| + // We need an extra register, push
|
| + __ push(name_reg);
|
| + Label miss_pop, done_check;
|
| + CheckPrototypes(object, receiver_reg, Handle<JSObject>(holder), name_reg,
|
| + scratch1, scratch2, name, &miss_pop);
|
| + __ jmp(&done_check);
|
| + __ bind(&miss_pop);
|
| + __ pop(name_reg);
|
| + __ jmp(miss_label);
|
| + __ bind(&done_check);
|
| + __ pop(name_reg);
|
| }
|
|
|
| // Stub never generated for non-global objects that require access
|
| @@ -768,11 +805,11 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
|
| if (!transition.is_null() && (object->map()->unused_property_fields() == 0)) {
|
| // The properties must be extended before we can store the value.
|
| // We jump to a runtime call that extends the properties array.
|
| - __ pop(scratch); // Return address.
|
| + __ pop(scratch1); // Return address.
|
| __ push(receiver_reg);
|
| __ push(Immediate(transition));
|
| __ push(eax);
|
| - __ push(scratch);
|
| + __ push(scratch1);
|
| __ TailCallExternalReference(
|
| ExternalReference(IC_Utility(IC::kSharedStoreIC_ExtendStorage),
|
| masm->isolate()),
|
| @@ -804,19 +841,19 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
|
| __ RecordWriteField(receiver_reg,
|
| offset,
|
| name_reg,
|
| - scratch,
|
| + scratch1,
|
| kDontSaveFPRegs);
|
| } else {
|
| // Write to the properties array.
|
| int offset = index * kPointerSize + FixedArray::kHeaderSize;
|
| // Get the properties array (optimistically).
|
| - __ mov(scratch, FieldOperand(receiver_reg, JSObject::kPropertiesOffset));
|
| - __ mov(FieldOperand(scratch, offset), eax);
|
| + __ mov(scratch1, FieldOperand(receiver_reg, JSObject::kPropertiesOffset));
|
| + __ mov(FieldOperand(scratch1, offset), eax);
|
|
|
| // Update the write barrier for the array address.
|
| // Pass the value being stored in the now unused name_reg.
|
| __ mov(name_reg, eax);
|
| - __ RecordWriteField(scratch,
|
| + __ RecordWriteField(scratch1,
|
| offset,
|
| name_reg,
|
| receiver_reg,
|
| @@ -2460,8 +2497,13 @@ Handle<Code> StoreStubCompiler::CompileStoreField(Handle<JSObject> object,
|
| Label miss;
|
|
|
| // Generate store field code. Trashes the name register.
|
| - GenerateStoreField(masm(), object, index, transition, edx, ecx, ebx, &miss);
|
| -
|
| + GenerateStoreField(masm(),
|
| + object,
|
| + index,
|
| + transition,
|
| + name,
|
| + edx, ecx, ebx, edi,
|
| + &miss);
|
| // Handle store cache miss.
|
| __ bind(&miss);
|
| __ mov(ecx, Immediate(name)); // restore name
|
| @@ -2634,7 +2676,13 @@ Handle<Code> KeyedStoreStubCompiler::CompileStoreField(Handle<JSObject> object,
|
| __ j(not_equal, &miss);
|
|
|
| // Generate store field code. Trashes the name register.
|
| - GenerateStoreField(masm(), object, index, transition, edx, ecx, ebx, &miss);
|
| + GenerateStoreField(masm(),
|
| + object,
|
| + index,
|
| + transition,
|
| + name,
|
| + edx, ecx, ebx, edi,
|
| + &miss);
|
|
|
| // Handle store cache miss.
|
| __ bind(&miss);
|
|
|
Chromium Code Reviews
Issue 10388047:
Implement correct checking for inherited readonliness on assignment. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge