[ic] Fix KeyedHasIC_SloppyArguments implementation

... to be in sync with KeyedLoadIC_SloppyArguments in handling OOB accesses which may involve prototype chain walk. Bug: chromium:1063796 Change-Id: I8421c19085dfd2f3b6360c64fd04f53b1351576c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2174504 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67541}
2020-05-01 15:40:25 +02:00 · 2020-05-01 15:40:25 +02:00 · 0d44905481
commit 0d44905481
parent d5157326eb
2 changed files with 29 additions and 19 deletions
--- a/src/builtins/builtins-handler-gen.cc
+++ b/src/builtins/builtins-handler-gen.cc
@ -158,31 +158,26 @@ TNode<Object> HandlerBuiltinsAssembler::EmitKeyedSloppyArguments(

    TNode<IntPtrT> backing_store_length =
        LoadAndUntagFixedArrayBaseLength(backing_store);
-    if (access_mode == ArgumentsAccessMode::kHas) {
-      Label out_of_bounds(this);
-      GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length),
-             &out_of_bounds);
-      TNode<Object> result = LoadFixedArrayElement(backing_store, key);
-      var_result =
-          SelectBooleanConstant(TaggedNotEqual(result, TheHoleConstant()));
-      Goto(&end);

-      BIND(&out_of_bounds);
-      var_result = FalseConstant();
-      Goto(&end);
+    // Out-of-bounds access may involve prototype chain walk and is handled
+    // in runtime.
+    GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout);
+
+    // The key falls into unmapped range.
+    if (access_mode == ArgumentsAccessMode::kStore) {
+      StoreFixedArrayElement(backing_store, key, *value);
    } else {
-      GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout);
+      TNode<Object> value = LoadFixedArrayElement(backing_store, key);
+      GotoIf(TaggedEqual(value, TheHoleConstant()), bailout);

-      // The key falls into unmapped range.
-      if (access_mode == ArgumentsAccessMode::kLoad) {
-        TNode<Object> result = LoadFixedArrayElement(backing_store, key);
-        GotoIf(TaggedEqual(result, TheHoleConstant()), bailout);
-        var_result = result;
+      if (access_mode == ArgumentsAccessMode::kHas) {
+        var_result = TrueConstant();
      } else {
-        StoreFixedArrayElement(backing_store, key, *value);
+        DCHECK_EQ(access_mode, ArgumentsAccessMode::kLoad);
+        var_result = value;
      }
-      Goto(&end);
    }
+    Goto(&end);
  }

  BIND(&end);
--- a/test/mjsunit/regress/regress-crbug-1063796.js
+++ b/test/mjsunit/regress/regress-crbug-1063796.js
@ -0,0 +1,15 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+Object.prototype[1] = 1;
+function foo(baz) {
+  return 1 in arguments;
+}
+assertTrue(foo(0));
+%PrepareFunctionForOptimization(foo);
+assertTrue(foo(0));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(0));