Fix keyed stores to strings convertible to indices

BUG=chromium:509545 LOG=n Review URL: https://codereview.chromium.org/1232823002 Cr-Commit-Position: refs/heads/master@{#29596}
2015-07-13 03:46:28 -07:00 · 2015-07-13 03:46:28 -07:00 · bb964f63d1
commit bb964f63d1
parent cd61b047f1
3 changed files with 14 additions and 19 deletions
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@ -1545,22 +1545,6 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
    return TypeError(MessageTemplate::kNonObjectPropertyStore, object, name);
  }

-  // Check if the given name is an array index.
-  uint32_t index;
-  if (name->AsArrayIndex(&index)) {
-    // Ignore other stores where the receiver is not a JSObject.
-    // TODO(1475): Must check prototype chains of object wrappers.
-    if (!object->IsJSObject()) return value;
-    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
-
-    Handle<Object> result;
-    ASSIGN_RETURN_ON_EXCEPTION(
-        isolate(), result,
-        Object::SetElement(isolate(), receiver, index, value, language_mode()),
-        Object);
-    return value;
-  }
-
  // Observed objects are always modified through the runtime.
  if (object->IsHeapObject() &&
      Handle<HeapObject>::cast(object)->map()->is_observed()) {
@ -2116,7 +2100,10 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  Handle<Object> store_handle;
  Handle<Code> stub = megamorphic_stub();

-  if (key->IsInternalizedString() || key->IsSymbol()) {
+  uint32_t index;
+  if ((key->IsInternalizedString() &&
+       !String::cast(*key)->AsArrayIndex(&index)) ||
+      key->IsSymbol()) {
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate(), store_handle,
        StoreIC::Store(object, Handle<Name>::cast(key), value,
@ -2156,8 +2143,6 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  }

  if (use_ic) {
-    DCHECK(!object->IsAccessCheckNeeded());
-
    if (object->IsJSObject()) {
      Handle<JSObject> receiver = Handle<JSObject>::cast(object);
      bool key_is_smi_like = !Object::ToSmi(isolate(), key).is_null();
--- a/test/mjsunit/harmony/proxies.js
+++ b/test/mjsunit/harmony/proxies.js
@ -382,6 +382,10 @@ function TestSet2(create, handler) {
  assertEquals(46, (function(n) { return p[n] = 46 })(99))
  assertEquals("99", key)
  assertEquals(46, val)
+
+  assertEquals(47, p["0"] = 47)
+  assertEquals("0", key)
+  assertEquals(47, val)
 }

 TestSet({
--- a/test/mjsunit/primitive-keyed-access.js
+++ b/test/mjsunit/primitive-keyed-access.js
@ -41,3 +41,9 @@ assertThrows(function() {
  var sym = Symbol('66');
  sym[62] = 0;
 });
+
+assertThrows(function() {
+  "use strict";
+  var o = "bla";
+  o["0"] = 1;
+});