From 17339eff0491c43af265d055f9c86d44b1aebe2a Mon Sep 17 00:00:00 2001
From: Joyee Cheung
Date: Mon, 23 Jan 2023 17:44:59 +0100
Subject: [PATCH] [ic] store the slow handler for proxy elements in DefineKeyedOwnIC

Previously we stored kProxy in this case, which resulted in set semantics for proxies.

Bug: chromium:1409294
Change-Id: I6cca772eb6e6a35944375a72d10fc279263d2094
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4188383
Reviewed-by: Toon Verwaest
Commit-Queue: Joyee Cheung
Cr-Commit-Position: refs/heads/main@{#85487}
---
 src/ic/ic.cc | 7 ++++++
 .../regress/regress-chromium-1409294.js | 23 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-chromium-1409294.js

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 819f08309c..f577954896 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2284,6 +2284,13 @@ Handle KeyedStoreIC::StoreElementHandler(
 IsStoreInArrayLiteralIC());
 if (receiver_map->IsJSProxyMap()) {
+ // DefineKeyedOwnIC, which is used to define computed fields in instances,
+ // should be handled by the slow stub.
+ if (IsDefineKeyedOwnIC()) {
+ TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_SlowStub);
+ return StoreHandler::StoreSlow(isolate(), store_mode);
+ }
+
 return StoreHandler::StoreProxy(isolate());
 }
diff --git a/test/mjsunit/regress/regress-chromium-1409294.js b/test/mjsunit/regress/regress-chromium-1409294.js
new file mode 100644
index 0000000000..920b79a163
--- /dev/null
+++ b/test/mjsunit/regress/regress-chromium-1409294.js
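Review bot: The new comment in the IsJSProxyMap branch says the slow stub should handle DefineKeyedOwnIC but not why StoreProxy is the wrong handler, which is the part a future maintainer needs: per the commit message StoreProxy applies [[Set]] semantics, so a class-field definition on a proxy receiver would presumably reach the proxy's `set` trap rather than going through [[DefineOwnProperty]], letting user code intercept a define. Suggest replacing the two comment lines with `// Class field definition must use [[DefineOwnProperty]] semantics; StoreProxy performs [[Set]] (and so would invoke the proxy's set trap), so defer to the runtime instead.` It is also worth confirming that the named-property path for DefineNamedOwnIC with a proxy receiver has an equivalent guard, since this hunk only covers the element handler. KeyedStoreIC::StoreElementHandler begins before the hunk and continues after it.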
@@ -0,0 +1,23 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-turbofan
+
+let key = 5;
+
+class Base {
+ constructor() {
+ return new Proxy(this, {
+ defineProperty(target, key, desc) {
+ return Reflect.defineProperty(target, key, desc);
+ }
+ });
+ }
+}
+
+class Child extends Base {
+ [key] = "basic";
+}
+let c = new Child();
+c = new Child();
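Review bot: The regression test constructs Child twice but asserts nothing, so it would catch a crash or DCHECK failure but not a silent return to [[Set]] semantics, which is the behaviour the commit message says was wrong. Adding `set() { assertUnreachable(); }` to the handler, counting calls in `defineProperty` (`calls++;`), and ending with `assertEquals(2, calls);` would pin the intended define semantics for both the first construction and the IC-feedback second one, assuming the usual mjsunit helpers are available. If the original report was a DCHECK-only failure the existing test still covers that case, so this is an addition rather than a replacement. As a style point, the trap parameter `key` shadows the outer `let key = 5`; renaming it to `name` avoids confusion about which key is being checked.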