Modify the DCHECK in when computing KeyedAccessStoreMode.

Since slow handler was previously not a Smi. The DCHECK assumed any Smi Handler on this path should be a proxy handler. Now it Checks for both, and should continue if the current handler is a slow handler. Bug: chromium:1008632 Change-Id: I079960894d7320d8d658d0990e8c32db51703206 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1828480 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Suraj Sharma <surshar@microsoft.com> Cr-Commit-Position: refs/heads/master@{#64052}
2019-09-27 13:44:22 -07:00 · 2019-09-27 13:44:22 -07:00 · 1e3c3876f8
commit 1e3c3876f8
parent f9aa377d19
2 changed files with 29 additions and 3 deletions
--- a/src/objects/feedback-vector.cc
+++ b/src/objects/feedback-vector.cc
@ -1203,9 +1203,11 @@ KeyedAccessStoreMode FeedbackNexus::GetKeyedAccessStoreMode() const {
      handler = handle(Code::cast(data_handler->smi_handler()),
                       vector().GetIsolate());
    } else if (maybe_code_handler.object()->IsSmi()) {
-      // Skip proxy handlers.
-      DCHECK_EQ(*(maybe_code_handler.object()),
-                *StoreHandler::StoreProxy(GetIsolate()));
+      // Skip proxy handlers and the slow handler.
+      DCHECK(*(maybe_code_handler.object()) ==
+                 *StoreHandler::StoreProxy(GetIsolate()) ||
+             *(maybe_code_handler.object()) ==
+                 *StoreHandler::StoreSlow(GetIsolate()));
      continue;
    } else {
      // Element store without prototype chain check.
--- a/test/mjsunit/regress/regress-crbug-1008632.js
+++ b/test/mjsunit/regress/regress-crbug-1008632.js
@ -0,0 +1,24 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
+
+var __v_9690 = function () {};
+try {
+    (function () {
+        __f_1653();
+    })()
+} catch (__v_9763) {
+}
+function __f_1653(__v_9774, __v_9775) {
+  try {
+  } catch (e) {}
+    __v_9774[__v_9775 + 4] = 2;
+}
+(function () {
+    %PrepareFunctionForOptimization(__f_1653);
+    __f_1653(__v_9690, true);
+    %OptimizeFunctionOnNextCall(__f_1653);
+    assertThrows(() => __f_1653(), TypeError);
+})();