[CSA] Update TryLookupProperty to JSReceiver type.

The current JSObject type is too specific as it can also be passed proxy objects. BUG=chromium:1003919,v8:6949 Change-Id: I2766868543827fc5ee6f99f3b120c7ffe9cfed39 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803651 Auto-Submit: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#63787}
2019-09-16 12:10:24 +01:00 · 2019-09-16 12:10:24 +01:00 · 61085f2cb3
commit 61085f2cb3
parent b823bf1ba6
3 changed files with 23 additions and 3 deletions
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -9416,7 +9416,7 @@ void CodeStubAssembler::TryLookupPropertyInSimpleObject(
 }

 void CodeStubAssembler::TryLookupProperty(
-    SloppyTNode<JSObject> object, SloppyTNode<Map> map,
+    SloppyTNode<JSReceiver> object, SloppyTNode<Map> map,
    SloppyTNode<Int32T> instance_type, SloppyTNode<Name> unique_name,
    Label* if_found_fast, Label* if_found_dict, Label* if_found_global,
    TVariable<HeapObject>* var_meta_storage, TVariable<IntPtrT>* var_name_index,
@ -9424,7 +9424,7 @@ void CodeStubAssembler::TryLookupProperty(
  Label if_objectisspecial(this);
  GotoIf(IsSpecialReceiverInstanceType(instance_type), &if_objectisspecial);

-  TryLookupPropertyInSimpleObject(object, map, unique_name, if_found_fast,
+  TryLookupPropertyInSimpleObject(CAST(object), map, unique_name, if_found_fast,
                                  if_found_dict, var_meta_storage,
                                  var_name_index, if_not_found);

--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -3145,7 +3145,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  //
  // Note: this code does not check if the global dictionary points to deleted
  // entry! This has to be done by the caller.
-  void TryLookupProperty(SloppyTNode<JSObject> object, SloppyTNode<Map> map,
+  void TryLookupProperty(SloppyTNode<JSReceiver> object, SloppyTNode<Map> map,
                         SloppyTNode<Int32T> instance_type,
                         SloppyTNode<Name> unique_name, Label* if_found_fast,
                         Label* if_found_dict, Label* if_found_global,
--- a/test/mjsunit/regress/regress-1003919.js
+++ b/test/mjsunit/regress/regress-1003919.js
@ -0,0 +1,20 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Define an object with a getter and a proxy as it's prototype.
+var obj = {foo: 'bar'};
+Object.defineProperty(obj, 'foo', {
+  get: function () {
+  }
+});
+obj.__proto__ = new Proxy([], {});
+
+// Get key from a function to avoid the property access turning into a
+// named property access.
+function getKey() {
+  return 'values'
+}
+
+// Keyed access to update obj's values property.
+obj[getKey()] = 1;