[ic] store the slow handler for proxy elements in DefineKeyedOwnIC

Previously we stored kProxy in this case, which resulted in set semantics for proxies. Bug: chromium:1409294 Change-Id: I6cca772eb6e6a35944375a72d10fc279263d2094 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4188383 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#85487}
2023-01-23 17:44:59 +01:00 · 2023-01-23 17:44:59 +01:00 · 17339eff04
commit 17339eff04
parent 7fbba7e1f8
2 changed files with 30 additions and 0 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -2284,6 +2284,13 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
      IsStoreInArrayLiteralIC());

  if (receiver_map->IsJSProxyMap()) {
+    // DefineKeyedOwnIC, which is used to define computed fields in instances,
+    // should be handled by the slow stub.
+    if (IsDefineKeyedOwnIC()) {
+      TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_SlowStub);
+      return StoreHandler::StoreSlow(isolate(), store_mode);
+    }
+
    return StoreHandler::StoreProxy(isolate());
  }

--- a/test/mjsunit/regress/regress-chromium-1409294.js
+++ b/test/mjsunit/regress/regress-chromium-1409294.js
@ -0,0 +1,23 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-turbofan
+
+let key = 5;
+
+class Base {
+  constructor() {
+    return new Proxy(this, {
+      defineProperty(target, key, desc) {
+        return Reflect.defineProperty(target, key, desc);
+      }
+    });
+  }
+}
+
+class Child extends Base {
+  [key] = "basic";
+}
+let c = new Child();
+c = new Child();