[super ic] Fix receiver type

With non-super loads (receiver == lookup_start_object), we don't hit the code in AccessorAssembler::GenericPropertyLoad calling CSA::TryGetOwnProperty if the receiver (the lookup_start_object) is a SMI. But with super property loads, if we set up lookup_start_object the right way, we will hit this code. The code was assuming receiver is a HeapObject, which is too restrictive. The receiver is only used for the accessor call, so it's ok to make the type more generic. Bug: v8:9237, chromium:1139786 Change-Id: I3167ccfb54a49ac1c401040a6f02fc1f3b98d9d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2484366 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#70647}
2020-10-19 15:45:18 +02:00 · 2020-10-19 15:45:18 +02:00 · 3773e46e3e
commit 3773e46e3e
parent 7103dc613a
4 changed files with 24 additions and 15 deletions
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -8834,22 +8834,21 @@ TNode<Object> CodeStubAssembler::CallGetterIfAccessor(
 }

 void CodeStubAssembler::TryGetOwnProperty(
-    TNode<Context> context, TNode<HeapObject> receiver,
-    TNode<JSReceiver> object, TNode<Map> map, TNode<Int32T> instance_type,
-    TNode<Name> unique_name, Label* if_found_value,
-    TVariable<Object>* var_value, Label* if_not_found, Label* if_bailout) {
+    TNode<Context> context, TNode<Object> receiver, TNode<JSReceiver> object,
+    TNode<Map> map, TNode<Int32T> instance_type, TNode<Name> unique_name,
+    Label* if_found_value, TVariable<Object>* var_value, Label* if_not_found,
+    Label* if_bailout) {
  TryGetOwnProperty(context, receiver, object, map, instance_type, unique_name,
                    if_found_value, var_value, nullptr, nullptr, if_not_found,
                    if_bailout, kCallJSGetter);
 }

 void CodeStubAssembler::TryGetOwnProperty(
-    TNode<Context> context, TNode<HeapObject> receiver,
-    TNode<JSReceiver> object, TNode<Map> map, TNode<Int32T> instance_type,
-    TNode<Name> unique_name, Label* if_found_value,
-    TVariable<Object>* var_value, TVariable<Uint32T>* var_details,
-    TVariable<Object>* var_raw_value, Label* if_not_found, Label* if_bailout,
-    GetOwnPropertyMode mode) {
+    TNode<Context> context, TNode<Object> receiver, TNode<JSReceiver> object,
+    TNode<Map> map, TNode<Int32T> instance_type, TNode<Name> unique_name,
+    Label* if_found_value, TVariable<Object>* var_value,
+    TVariable<Uint32T>* var_details, TVariable<Object>* var_raw_value,
+    Label* if_not_found, Label* if_bailout, GetOwnPropertyMode mode) {
  DCHECK_EQ(MachineRepresentation::kTagged, var_value->rep());
  Comment("TryGetOwnProperty");
  CSA_ASSERT(this, IsUniqueNameNoCachedIndex(unique_name));
--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -2940,12 +2940,12 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  // is an accessor then it also calls a getter. If the property is a double
  // field it re-wraps value in an immutable heap number. {unique_name} must be
  // a unique name (Symbol or InternalizedString) that is not an array index.
-  void TryGetOwnProperty(TNode<Context> context, TNode<HeapObject> receiver,
+  void TryGetOwnProperty(TNode<Context> context, TNode<Object> receiver,
                         TNode<JSReceiver> object, TNode<Map> map,
                         TNode<Int32T> instance_type, TNode<Name> unique_name,
                         Label* if_found_value, TVariable<Object>* var_value,
                         Label* if_not_found, Label* if_bailout);
-  void TryGetOwnProperty(TNode<Context> context, TNode<HeapObject> receiver,
+  void TryGetOwnProperty(TNode<Context> context, TNode<Object> receiver,
                         TNode<JSReceiver> object, TNode<Map> map,
                         TNode<Int32T> instance_type, TNode<Name> unique_name,
                         Label* if_found_value, TVariable<Object>* var_value,
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@ -2497,9 +2497,9 @@ void AccessorAssembler::GenericPropertyLoad(
      var_holder_map = proto_map;
      var_holder_instance_type = proto_instance_type;
      Label next_proto(this), return_value(this, &var_value), goto_slow(this);
-      TryGetOwnProperty(p->context(), CAST(p->receiver()), CAST(proto),
-                        proto_map, proto_instance_type, name, &return_value,
-                        &var_value, &next_proto, &goto_slow);
+      TryGetOwnProperty(p->context(), p->receiver(), CAST(proto), proto_map,
+                        proto_instance_type, name, &return_value, &var_value,
+                        &next_proto, &goto_slow);

      // This trampoline and the next are required to appease Turbofan's
      // variable merging.
--- a/test/mjsunit/es6/super-ic.js
+++ b/test/mjsunit/es6/super-ic.js
@ -454,3 +454,13 @@ function forceDictionaryMode(obj) {
  obj1.x = "added";
  assertEquals("added", obj1.x);
 })();
+
+// Regression test for crbug.com/1139786
+(function HomeObjectProtoIsInt8ArrayAndReceiverIsSmi() {
+  class A extends Int8Array {
+    f() {
+      super.toString();
+    }
+  };
+  A.prototype.f.call(42);
+})();