From 99188fc477e9f149f358636cbe703d46de626192 Mon Sep 17 00:00:00 2001
From: Suraj Sharma
Date: Wed, 18 Sep 2019 20:48:57 -0700
Subject: [PATCH] [ic] Add support for StoreSlow() in Global Dispatcher

Global Objects now use the Smi handler StoreSlow() to perform StoreGlobalIC_Slow.

Bug: chromium:1004037
Change-Id: I365ab918383525278590ca4369a4b1b0d9636d29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1812657
Reviewed-by: Toon Verwaest
Commit-Queue: Suraj Sharma
Cr-Commit-Position: refs/heads/master@{#63912}
---
 src/ic/accessor-assembler.cc | 18 +++++++++++----
 src/ic/ic.cc | 8 ++-----
 test/mjsunit/regress/regress-crbug-1002628.js | 22 ++++++++++++++++++
 test/mjsunit/regress/regress-crbug-1004037.js | 23 +++++++++++++++++++
 4 files changed, 61 insertions(+), 10 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-1002628.js
 create mode 100644 test/mjsunit/regress/regress-crbug-1004037.js

diff --git a/src/ic/accessor-assembler.cc b/src/ic/accessor-assembler.cc
index 971ff92415..4bcb6e3145 100644
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -1033,8 +1033,13 @@ void AccessorAssembler::HandleStoreICHandlerCase(
 // The slow case calls into the runtime to complete the store without
 // causing an IC miss that would otherwise cause a transition to the
 // generic stub.
- TailCallRuntime(Runtime::kKeyedStoreIC_Slow, p->context(), p->value(),
- p->receiver(), p->name());
+ if (ic_mode == ICMode::kGlobalIC) {
+ TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(),
+ p->slot(), p->vector(), p->receiver(), p->name());
+ } else {
+ TailCallRuntime(Runtime::kKeyedStoreIC_Slow, p->context(), p->value(),
+ p->receiver(), p->name());
+ }
 }
 }
 
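Review bot: The new `if (ic_mode == ICMode::kGlobalIC) { … } else { … }` dispatch is duplicated verbatim in this hunk and in the HandleStoreICProtoHandler hunk that follows; a small private helper taking `ic_mode` and `p` and doing the tail call would keep the two sites from drifting the next time either runtime function's argument list changes (the global one already takes `p->slot()` and `p->vector()` in addition to receiver and name). The comment above the branch still explains only why the slow case avoids an IC miss and says nothing about the split; I would extend it with `// Global ICs must reach StoreGlobalIC_Slow, which also needs the feedback slot and vector; the regression tests in this patch pin the ReferenceError behaviour that depends on it.` HandleStoreICHandlerCase begins and ends outside the hunk, so whether `ic_mode` is already validated at function entry cannot be seen here.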
@@ -1530,8 +1535,13 @@ void AccessorAssembler::HandleStoreICProtoHandler(
 // The slow case calls into the runtime to complete the store without
 // causing an IC miss that would otherwise cause a transition to the
 // generic stub.
- TailCallRuntime(Runtime::kKeyedStoreIC_Slow, p->context(), p->value(),
- p->receiver(), p->name());
+ if (ic_mode == ICMode::kGlobalIC) {
+ TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(),
+ p->slot(), p->vector(), p->receiver(), p->name());
+ } else {
+ TailCallRuntime(Runtime::kKeyedStoreIC_Slow, p->context(), p->value(),
+ p->receiver(), p->name());
+ }
 }
 BIND(&if_interceptor);
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 1bed0d4bda..c5dbb1dcdd 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1499,9 +1499,7 @@ void StoreIC::UpdateCaches(LookupIterator* lookup, Handle value,
 } else {
 set_slow_stub_reason("LookupForWrite said 'false'");
 // TODO(marja): change slow_stub to return MaybeObjectHandle.
- handler = IsStoreGlobalIC()
- ? MaybeObjectHandle(slow_stub())
- : MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
+ handler = MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
 }
 PatchCache(lookup->name(), handler);
@@ -1575,9 +1573,7 @@ MaybeObjectHandle StoreIC::ComputeHandler(LookupIterator* lookup) {
 set_slow_stub_reason("accessor on slow map");
 TRACE_HANDLER_STATS(isolate(), StoreIC_SlowStub);
 MaybeObjectHandle handler =
- IsStoreGlobalIC()
- ? MaybeObjectHandle(slow_stub())
- : MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
+ MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
 return handler;
 }
 Handle accessors = lookup->GetAccessors();
diff --git a/test/mjsunit/regress/regress-crbug-1002628.js b/test/mjsunit/regress/regress-crbug-1002628.js
new file mode 100644
index 0000000000..8be7e8687d
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-1002628.js
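Review bot: In the StoreIC::UpdateCaches hunk the `IsStoreGlobalIC() ? MaybeObjectHandle(slow_stub()) : …` ternary is collapsed to `StoreHandler::StoreSlow(isolate())`, but nothing at the call site records that this is only correct because the handler dispatcher in accessor-assembler.cc now routes `ICMode::kGlobalIC` to `Runtime::kStoreGlobalIC_Slow`; the same applies to the ComputeHandler hunk just below it. A one-line comment at both sites would make that coupling visible, e.g. `// StoreSlow is valid for global ICs too: HandleStoreICHandlerCase dispatches kGlobalIC to StoreGlobalIC_Slow.` Without it, a later change that reintroduces a global-specific path could revive the `slow_stub()` ternary here and silently diverge from the dispatcher. The surviving `TODO(marja)` comment still refers to `slow_stub`, which this branch no longer calls, so it should either be reworded or moved to wherever `slow_stub()` is still used. Both UpdateCaches and ComputeHandler start and end outside their hunks.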
@@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+"use strict";
+var __v_0 = {};
+try {
+ __v_0 = this;
+ Object.freeze(__v_0);
+}
+catch (e) {
+}
+
+function f() {
+ x = { [Symbol.toPrimitive]: () => FAIL };
+}
+try {
+ f()
+} catch (e) { }
+assertThrows(() => f(), ReferenceError);
diff --git a/test/mjsunit/regress/regress-crbug-1004037.js b/test/mjsunit/regress/regress-crbug-1004037.js
new file mode 100644
index 0000000000..cf7ba70458
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-1004037.js
@@ -0,0 +1,23 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+__v_1 = {};
+__v_1.__defineGetter__('x', function () { });
+__proto__ = __v_1;
+function __f_4() {
+ __v_1 = {};
+}
+function __f_3() {
+ 'use strict';
+ x = 42;
+}
+__f_4()
+try {
+ __f_3();
+} catch (e) { }
+
+__proto__ = __v_1;
+assertThrows(() => __f_3(), ReferenceError);
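Review bot: Neither regress-crbug-1002628.js nor regress-crbug-1004037.js states what the closing `assertThrows(..., ReferenceError)` pins, so a reader has to reconstruct it from the bug numbers: the first call inside `try { f() } catch (e) { }` (respectively `try { __f_3(); } catch (e) { }`) is a warm-up whose exception is deliberately swallowed, and the assertion then checks that the second, IC-warmed strict-mode store to the undeclared global `x` still throws ReferenceError rather than succeeding. A comment before each warm-up call, e.g. `// First call warms the store IC; the second must still throw ReferenceError.`, would make that explicit in both files. The two set-ups differ visibly — 1002628.js freezes the global object via `Object.freeze(this)`, 1004037.js installs a getter-only `x` on the global's `__proto__` and later swaps that prototype for an empty object — and a one-line comment naming each would help the next person who has to decide whether a test can be dropped or merged. The `--always-opt` flag line is presumably what makes the first call run the optimized path already; if so, a short note saying that would save the reader a trip to the flag definition.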