From 36e80d38331228c628bdf83ae9dc706aa55f2865 Mon Sep 17 00:00:00 2001
From: Mythri A
Date: Fri, 3 Apr 2020 11:47:36 +0100
Subject: [PATCH] [ic] Use slow stub if typed arrays are in prototype chain of JSObjects

The fast store handlers create elements and if we have a typed array on the prototype chain it is not easy to check when it is OK to create new elements. The TypedArrays swallow all OOB stores, and there is no easy way to check if the current store is OOB for JSObjects. So use slow stub when there are typed arrays on the prorotype chain of JSObjects.

Bug: chromium:1068492
Change-Id: I9eea9cf00e3eb84931c5545d18ba53c4ec39f353
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134138
Commit-Queue: Mythri Alle
Reviewed-by: Toon Verwaest
Reviewed-by: Igor Sheludko
Cr-Commit-Position: refs/heads/master@{#67226}
---
 src/ic/ic.cc | 6 +++---
 test/mjsunit/regress/regress-crbug-1053939-1.js | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-1053939-1.js

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index e6e623091f..7b969ca294 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2164,13 +2164,13 @@ MaybeHandle KeyedStoreIC::Store(Handle object,
 } else if (object->IsJSArray() && IsGrowStoreMode(store_mode) &&
 JSArray::HasReadOnlyLength(Handle::cast(object))) {
 set_slow_stub_reason("array has read only length");
- } else if (object->IsJSArray() && MayHaveTypedArrayInPrototypeChain(
- Handle::cast(object))) {
+ } else if (object->IsJSObject() && MayHaveTypedArrayInPrototypeChain(
+ Handle::cast(object))) {
 // Make sure we don't handle this in IC if there's any JSTypedArray in
 // the {receiver}'s prototype chain, since that prototype is going to
 // swallow all stores that are out-of-bounds for said prototype, and we
 // just let the runtime deal with the complexity of this.
- set_slow_stub_reason("typed array in the prototype chain of an Array");
+ set_slow_stub_reason("typed array in the prototype chain");
 } else if (key_is_valid_index) {
 if (old_receiver_map->is_abandoned_prototype_map()) {
 set_slow_stub_reason("receiver with prototype map");
diff --git a/test/mjsunit/regress/regress-crbug-1053939-1.js b/test/mjsunit/regress/regress-crbug-1053939-1.js
new file mode 100644
index 0000000000..e7657882bc
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-1053939-1.js
@@ -0,0 +1,16 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+
+v = {};
+v.__proto__ = new Int32Array(1);
+function foo() {
+ for (var i = 0; i < 2; i++) {
+ v[i] = 0;
+ }
+}
+foo();
+assertEquals(Object.keys(v).length, 1);
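Review bot: The four-line comment kept in this hunk still reads as if only array receivers are concerned, while the condition now takes every JSObject; without a note on why the scope was widened, a later cleanup could narrow it back to IsJSArray() and reopen the bug the commit fixes. Suggested addition after the existing comment lines: `// This applies to any JSObject receiver, not only JSArray: for plain objects there is no cheap way to tell an out-of-bounds store to the prototype from element creation on the receiver (chromium:1068492).` Note also that this branch sits ahead of the `key_is_valid_index` branch, so MayHaveTypedArrayInPrototypeChain is now consulted for every JSObject keyed store that reaches this chain; if that helper walks the prototype chain (its body is not in the hunk), it is worth confirming the added cost on the miss path is acceptable. KeyedStoreIC::Store starts and ends outside the hunk.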
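Review bot: The new test is named regress-crbug-1053939-1.js, but the commit's Bug trailer names chromium:1068492; either the file should carry the bug it regresses or the trailer should list 1053939 as well, otherwise the test cannot be traced back to its bug. The copyright header says 2019 for a file added in April 2020. A short comment above `v.__proto__ = new Int32Array(1);` would also make the expectation readable, e.g. `// Index 1 is out of bounds for the length-1 typed array on the prototype chain, so only the store at index 0 may create an own element; the fast store handler must not create the second one.`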