Bug 1496847 - Restrict GetElem generic stub to access on sparse indexes only. r=tcampbell

2018-10-16 09:24:42 -04:00 · 2018-10-16 09:24:42 -04:00 · 634aca703e
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@ -2361,6 +2361,7 @@ GetPropIRGenerator::tryAttachGenericElement(HandleObject obj, ObjOperandId objId
        NativeObject* nobj = &obj->as<NativeObject>();
        TestMatchingNativeReceiver(writer, nobj, objId);
    }
+    writer.guardIndexGreaterThanDenseInitLength(objId, indexId);
    writer.callNativeGetElementResult(objId, indexId);
    writer.typeMonitorResult();

--- a/js/src/jit/CacheIR.h
+++ b/js/src/jit/CacheIR.h
@ -222,6 +222,7 @@ extern const char* const CacheKindNames[];
    _(GuardHasGetterSetter)               \
    _(GuardGroupHasUnanalyzedNewScript)   \
    _(GuardIndexIsNonNegative)            \
+    _(GuardIndexGreaterThanDenseInitLength) \
    _(GuardTagNotEqual)                   \
    _(GuardXrayExpandoShapeAndDefaultProto) \
    _(GuardFunctionPrototype)             \
@ -806,6 +807,10 @@ class MOZ_RAII CacheIRWriter : public JS::CustomAutoRooter
    void guardIndexIsNonNegative(Int32OperandId index) {
        writeOpWithOperandId(CacheOp::GuardIndexIsNonNegative, index);
    }
+    void guardIndexGreaterThanDenseInitLength(ObjOperandId obj, Int32OperandId index) {
+        writeOpWithOperandId(CacheOp::GuardIndexGreaterThanDenseInitLength, obj);
+        writeOperandId(index);
+    }
    void guardTagNotEqual(ValueTagOperandId lhs, ValueTagOperandId rhs) {
        writeOpWithOperandId(CacheOp::GuardTagNotEqual, lhs);
        writeOperandId(rhs);
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@ -2820,6 +2820,32 @@ CacheIRCompiler::emitGuardIndexIsNonNegative()
    return true;
 }

+bool
+CacheIRCompiler::emitGuardIndexGreaterThanDenseInitLength()
+{
+    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    Register index = allocator.useRegister(masm, reader.int32OperandId());
+    AutoScratchRegister scratch(allocator, masm);
+    AutoScratchRegister scratch2(allocator, masm);
+
+    FailurePath* failure;
+    if (!addFailurePath(&failure)) {
+        return false;
+    }
+
+    // Load obj->elements.
+    masm.loadPtr(Address(obj, NativeObject::offsetOfElements()), scratch);
+
+    // Ensure index >= capacity.
+    Label outOfBounds;
+    Address capacity(scratch, ObjectElements::offsetOfInitializedLength());
+    masm.spectreBoundsCheck32(index, capacity, scratch2, &outOfBounds);
+    masm.jump(failure->label());
+    masm.bind(&outOfBounds);
+
+    return true;
+}
+
 bool
 CacheIRCompiler::emitGuardTagNotEqual()
 {
--- a/js/src/jit/CacheIRCompiler.h
+++ b/js/src/jit/CacheIRCompiler.h
@ -46,6 +46,7 @@ namespace jit {
    _(GuardAndGetNumberFromString)        \
    _(GuardAndGetIndexFromString)         \
    _(GuardIndexIsNonNegative)            \
+    _(GuardIndexGreaterThanDenseInitLength) \
    _(GuardTagNotEqual)                   \
    _(GuardXrayExpandoShapeAndDefaultProto)\
    _(GuardNoAllocationMetadataBuilder)   \