[ic] Use slow stub if typed arrays are in prototype chain of JSObjects

The fast store handlers create elements and if we have a typed array on the prototype chain it is not easy to check when it is OK to create new elements. The TypedArrays swallow all OOB stores, and there is no easy way to check if the current store is OOB for JSObjects. So use slow stub when there are typed arrays on the prorotype chain of JSObjects. Bug: chromium:1068492 Change-Id: I9eea9cf00e3eb84931c5545d18ba53c4ec39f353 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134138 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67226}
2020-04-03 11:47:36 +01:00 · 2020-04-03 11:47:36 +01:00 · 36e80d3833
commit 36e80d3833
parent 073360536c
2 changed files with 19 additions and 3 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -2164,13 +2164,13 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
      } else if (object->IsJSArray() && IsGrowStoreMode(store_mode) &&
                 JSArray::HasReadOnlyLength(Handle<JSArray>::cast(object))) {
        set_slow_stub_reason("array has read only length");
-      } else if (object->IsJSArray() && MayHaveTypedArrayInPrototypeChain(
-                                            Handle<JSObject>::cast(object))) {
+      } else if (object->IsJSObject() && MayHaveTypedArrayInPrototypeChain(
+                                             Handle<JSObject>::cast(object))) {
        // Make sure we don't handle this in IC if there's any JSTypedArray in
        // the {receiver}'s prototype chain, since that prototype is going to
        // swallow all stores that are out-of-bounds for said prototype, and we
        // just let the runtime deal with the complexity of this.
-        set_slow_stub_reason("typed array in the prototype chain of an Array");
+        set_slow_stub_reason("typed array in the prototype chain");
      } else if (key_is_valid_index) {
        if (old_receiver_map->is_abandoned_prototype_map()) {
          set_slow_stub_reason("receiver with prototype map");
--- a/test/mjsunit/regress/regress-crbug-1053939-1.js
+++ b/test/mjsunit/regress/regress-crbug-1053939-1.js
@ -0,0 +1,16 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+
+v = {};
+v.__proto__ = new Int32Array(1);
+function foo() {
+  for (var i = 0; i < 2; i++) {
+    v[i] = 0;
+  }
+}
+foo();
+assertEquals(Object.keys(v).length, 1);