[class] Use Runtime::DefineClassField() in KeyedStoreIC

It was missing on the slow path before. Bug: chromium:1259902, chromium:1260746, v8:10793 Change-Id: I9ae5f9efd552754a725f624307dd7caaeacd496f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226541 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#77429}
2021-10-16 16:18:57 +08:00 · 2021-10-16 16:18:57 +08:00 · 50031da2bc
commit 50031da2bc
parent bce4410837
2 changed files with 17 additions and 3 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -2418,10 +2418,12 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  DCHECK(store_handle.is_null());
  ASSIGN_RETURN_ON_EXCEPTION(
      isolate(), store_handle,
-      Runtime::SetObjectProperty(isolate(), object, key, value,
-                                 StoreOrigin::kMaybeKeyed),
+      IsDefineOwnIC()
+          ? Runtime::DefineClassField(isolate(), object, key, value,
+                                      StoreOrigin::kMaybeKeyed)
+          : Runtime::SetObjectProperty(isolate(), object, key, value,
+                                       StoreOrigin::kMaybeKeyed),
      Object);
-
  if (use_ic) {
    if (!old_receiver_map.is_null()) {
      if (is_arguments) {
--- a/test/mjsunit/regress/regress-crbug-1259902.js
+++ b/test/mjsunit/regress/regress-crbug-1259902.js
@ -0,0 +1,12 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+Object.prototype[1] = 153;
+Object.freeze(Object.prototype);
+class B {
+  [1] = 7;
+}
+let b = new B();