[ic] Add StoreOwnIC_Slow

This runtime function behaves like StoreDataPropertyInLiteral, except it can throw, since it's also used for defining public class fields. Unlike the literal use case, class field can end up throwing due to field initializers doing things like freezing the instance. Bug: chromium:1264828 Change-Id: I3ea4d15ad9b906c26763f022c8e22b757fa80b6c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3252558 Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Shu-yu Guo <syg@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#77704}
2021-10-29 10:35:52 -07:00 · 2021-10-29 10:35:52 -07:00 · 1cc12b278e
commit 1cc12b278e
parent 0bf11af7e4
4 changed files with 46 additions and 6 deletions
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@ -1303,13 +1303,16 @@ void AccessorAssembler::HandleStoreICHandlerCase(
      if (ic_mode == ICMode::kGlobalIC) {
        TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(),
                        p->slot(), p->vector(), p->receiver(), p->name());
-      } else if (p->IsStoreOwn()) {
-        TailCallRuntime(Runtime::kStoreDataPropertyInLiteral, p->context(),
-                        p->receiver(), p->name(), p->value());
      } else {
-        TailCallRuntime(p->IsDefineOwn() ? Runtime::kKeyedDefineOwnIC_Slow
-                                         : Runtime::kKeyedStoreIC_Slow,
-                        p->context(), p->value(), p->receiver(), p->name());
+        Runtime::FunctionId id;
+        if (p->IsStoreOwn()) {
+          id = Runtime::kStoreOwnIC_Slow;
+        } else if (p->IsDefineOwn()) {
+          id = Runtime::kKeyedDefineOwnIC_Slow;
+        } else {
+          id = Runtime::kKeyedStoreIC_Slow;
+        }
+        TailCallRuntime(id, p->context(), p->value(), p->receiver(), p->name());
      }
    }
  }
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -2751,6 +2751,27 @@ RUNTIME_FUNCTION(Runtime_StoreOwnIC_Miss) {
  RETURN_RESULT_OR_FAILURE(isolate, ic.Store(receiver, key, value));
 }

+RUNTIME_FUNCTION(Runtime_StoreOwnIC_Slow) {
+  HandleScope scope(isolate);
+  DCHECK_EQ(3, args.length());
+
+  Handle<Object> value = args.at(0);
+  Handle<Object> object = args.at(1);
+  Handle<Object> key = args.at(2);
+
+  // Unlike DefineOwn, StoreOwn doesn't handle private fields and is used for
+  // defining data properties in object literals and defining public class
+  // fields.
+  DCHECK(!key->IsSymbol() || !Symbol::cast(*key).is_private_name());
+
+  PropertyKey lookup_key(isolate, key);
+  LookupIterator it(isolate, object, lookup_key, LookupIterator::OWN);
+  MAYBE_RETURN(JSObject::DefineOwnPropertyIgnoreAttributes(
+                   &it, value, NONE, Nothing<ShouldThrow>()),
+               ReadOnlyRoots(isolate).exception());
+  return *value;
+}
+
 RUNTIME_FUNCTION(Runtime_StoreGlobalIC_Miss) {
  HandleScope scope(isolate);
  DCHECK_EQ(4, args.length());
--- a/src/runtime/runtime.h
+++ b/src/runtime/runtime.h
@ -638,6 +638,7 @@ namespace internal {
  F(KeyedStoreIC_Miss, 5, 1)                 \
  F(KeyedDefineOwnIC_Miss, 5, 1)             \
  F(StoreInArrayLiteralIC_Miss, 5, 1)        \
+  F(StoreOwnIC_Slow, 3, 1)                   \
  F(KeyedStoreIC_Slow, 3, 1)                 \
  F(KeyedDefineOwnIC_Slow, 3, 1)             \
  F(LoadElementWithInterceptor, 2, 1)        \
--- a/test/mjsunit/regress/regress-crbug-1264828.js
+++ b/test/mjsunit/regress/regress-crbug-1264828.js
@ -0,0 +1,15 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+{
+  class C {
+    x = Object.freeze(this);
+  }
+  // Call once to install slow handler.
+  assertThrows(() => { new C(); });
+  // Hit the slow handler.
+  assertThrows(() => { new C(); });
+}