Properly handle missing from normalized stores with keys convertible to array indices

BUG=chromium:509961 LOG=n Review URL: https://codereview.chromium.org/1241613003 Cr-Commit-Position: refs/heads/master@{#29648}
2015-07-14 04:44:41 -07:00 · 2015-07-14 04:44:41 -07:00 · 5f24690384
commit 5f24690384
parent 9cf1c58145
2 changed files with 31 additions and 0 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -1492,6 +1492,27 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
 MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
                                   Handle<Object> value,
                                   JSReceiver::StoreFromKeyed store_mode) {
+  // Check if the name is trivially convertible to an index and set the element.
+  uint32_t index;
+  if (kind() == Code::KEYED_STORE_IC && name->AsArrayIndex(&index)) {
+    // Rewrite to the generic keyed store stub.
+    if (FLAG_use_ic) {
+      if (UseVector()) {
+        ConfigureVectorState(MEGAMORPHIC);
+      } else if (!AddressIsDeoptimizedCode()) {
+        set_target(*megamorphic_stub());
+      }
+      TRACE_IC("StoreIC", name);
+      TRACE_GENERIC_IC(isolate(), "StoreIC", "name as array index");
+    }
+    Handle<Object> result;
+    ASSIGN_RETURN_ON_EXCEPTION(
+        isolate(), result,
+        Object::SetElement(isolate(), object, index, value, language_mode()),
+        Object);
+    return result;
+  }
+
  if (object->IsGlobalObject() && name->IsString()) {
    // Look up in script context table.
    Handle<String> str_name = Handle<String>::cast(name);
--- a/test/mjsunit/regress/regress-509961.js
+++ b/test/mjsunit/regress/regress-509961.js
@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var o = { x: 0 };
+delete o.x;
+function store(o, p, v) { o[p] = v; }
+store(o, "x", 1);
+store(o, "x", 1);
+store(o, "0", 1);