Version 4.2.77.11 (cherry-pick)

Merged 8b33fa6 X87: Disallow subclassing Arrays. [email protected] BUG= Review URL: https://codereview.chromium.org/1033463002 Cr-Commit-Position: refs/branch-heads/4.2@{crosswalk-project#12} Cr-Branched-From: 3dfd929-refs/heads/4.2.77@{crosswalk-project#2} Cr-Branched-From: e011092-refs/heads/master@{#26757}
Bysmyyr · Mar 23, 2015 · fb672f6 · fb672f6
1 parent 1236eaf
commit fb672f6
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/include/v8-version.h b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 77
-#define V8_PATCH_LEVEL 10
+#define V8_PATCH_LEVEL 11
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/src/x87/builtins-x87.cc b/src/x87/builtins-x87.cc
@@ -1192,6 +1192,7 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm) {
 
   // Get the Array function.
   __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, edi);
+  __ mov(edx, edi);
 
   if (FLAG_debug_code) {
     // Initial map for the builtin Array function should be a map.

diff --git a/src/x87/code-stubs-x87.cc b/src/x87/code-stubs-x87.cc
@@ -1939,6 +1939,7 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm) {
   __ j(not_equal, &miss);
 
   __ mov(ebx, ecx);
+  __ mov(edx, edi);
   ArrayConstructorStub stub(masm->isolate(), arg_count());
   __ TailCallStub(&stub);
 
@@ -4290,6 +4291,7 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
   //  -- eax : argc (only if argument_count() == ANY)
   //  -- ebx : AllocationSite or undefined
   //  -- edi : constructor
+  //  -- edx : Original constructor
   //  -- esp[0] : return address
   //  -- esp[4] : last argument
   // -----------------------------------
@@ -4309,12 +4311,20 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
     __ AssertUndefinedOrAllocationSite(ebx);
   }
 
+  Label subclassing;
+
+  __ cmp(edx, edi);
+  __ j(not_equal, &subclassing);
+
   Label no_info;
   // If the feedback vector is the undefined value call an array constructor
   // that doesn't use AllocationSites.
   __ cmp(ebx, isolate()->factory()->undefined_value());
   __ j(equal, &no_info);
 
+  __ cmp(edx, edi);
+  __ j(not_equal, &subclassing);
+
   // Only look at the lower 16 bits of the transition info.
   __ mov(edx, FieldOperand(ebx, AllocationSite::kTransitionInfoOffset));
   __ SmiUntag(edx);
@@ -4324,6 +4334,9 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
 
   __ bind(&no_info);
   GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
+
+  __ bind(&subclassing);
+  __ TailCallRuntime(Runtime::kThrowArrayNotSubclassableError, 0, 1);
 }
 
 

diff --git a/src/x87/full-codegen-x87.cc b/src/x87/full-codegen-x87.cc
@@ -4110,7 +4110,7 @@ void FullCodeGenerator::EmitDefaultConstructorCallSuper(CallRuntime* expr) {
   __ bind(&args_set_up);
 
   __ mov(edi, Operand(esp, eax, times_pointer_size, 0));
-
+  __ mov(ebx, Immediate(isolate()->factory()->undefined_value()));
   CallConstructStub stub(isolate(), SUPER_CONSTRUCTOR_CALL);
   __ call(stub.GetCode(), RelocInfo::CONSTRUCT_CALL);