Fix for v8:3255 Grow KeyedStoreIC doesn't respect String value wrappers

BUG=v8:3255 LOG=N R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/226053002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-04-07 07:52:24 +00:00 · 2014-04-07 07:52:24 +00:00 · eaacd968f1
commit eaacd968f1
parent 5a803ca2fb
2 changed files with 20 additions and 0 deletions
--- a/src/ic.cc
+++ b/src/ic.cc
@ -1690,6 +1690,7 @@ MaybeObject* KeyedStoreIC::Store(Handle<Object> object,
    if (maybe_object->IsFailure()) return maybe_object;
  } else {
    bool use_ic = FLAG_use_ic &&
+        !object->IsStringWrapper() &&
        !object->IsAccessCheckNeeded() &&
        !object->IsJSGlobalProxy() &&
        !(object->IsJSObject() &&
--- a/test/mjsunit/regress/regress-3255.js
+++ b/test/mjsunit/regress/regress-3255.js
@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var arr = [];
+var str = new String('x');
+
+function f(a,b) {
+  a[b] = 1;
+}
+
+f(arr, 0);
+f(str, 0);
+f(str, 0);
+
+// This is just to trigger elements validation, object already broken.
+%SetProperty(str, 1, 'y', 0);