[ic] Fix KeyedHasIC_SloppyArguments implementation

... to be in sync with KeyedLoadIC_SloppyArguments in handling OOB accesses which may involve prototype chain walk. Bug: chromium:1063796 Change-Id: I8421c19085dfd2f3b6360c64fd04f53b1351576c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2174504Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67541}

[ic] Fix KeyedHasIC_SloppyArguments implementation
... to be in sync with KeyedLoadIC_SloppyArguments in handling OOB accesses which may involve prototype chain walk. Bug: chromium:1063796 Change-Id: I8421c19085dfd2f3b6360c64fd04f53b1351576c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2174504Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67541}
0d449054 · Igor Sheludko · Commit Bot · d5157326 · 0d449054 · 0d449054
Commit 0d449054 authored May 01, 2020 by Igor Sheludko Committed by Commit Bot May 04, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 20 deletions

builtins-handler-gen.cc src/builtins/builtins-handler-gen.cc +15 -20

regress-crbug-1063796.js test/mjsunit/regress/regress-crbug-1063796.js +15 -0

No files found.
--- a/src/builtins/builtins-handler-gen.cc
+++ b/src/builtins/builtins-handler-gen.cc
@@ -158,31 +158,26 @@ TNode<Object> HandlerBuiltinsAssembler::EmitKeyedSloppyArguments(
    TNode<IntPtrT> backing_store_length =
        LoadAndUntagFixedArrayBaseLength(backing_store);
-    if (access_mode == ArgumentsAccessMode::kHas) {
-      Label out_of_bounds(this);
+    // Out-of-bounds access may involve prototype chain walk and is handled
-      GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length),
+    // in runtime.
-             &out_of_bounds);
+    GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout);
-      TNode<Object> result = LoadFixedArrayElement(backing_store, key);
-      var_result =
+    // The key falls into unmapped range.
-          SelectBooleanConstant(TaggedNotEqual(result, TheHoleConstant()));
+    if (access_mode == ArgumentsAccessMode::kStore) {
-      Goto(&end);
+      StoreFixedArrayElement(backing_store, key, *value);
-      BIND(&out_of_bounds);
-      var_result = FalseConstant();
-      Goto(&end);
    } else {
-      GotoIf(UintPtrGreaterThanOrEqual(key, backing_store_length), bailout);
+      TNode<Object> value = LoadFixedArrayElement(backing_store, key);
+      GotoIf(TaggedEqual(value, TheHoleConstant()), bailout);
-      // The key falls into unmapped range.
+      if (access_mode == ArgumentsAccessMode::kHas) {
-      if (access_mode == ArgumentsAccessMode::kLoad) {
+        var_result = TrueConstant();
-        TNode<Object> result = LoadFixedArrayElement(backing_store, key);
-        GotoIf(TaggedEqual(result, TheHoleConstant()), bailout);
-        var_result = result;
      } else {
-        StoreFixedArrayElement(backing_store, key, *value);
+        DCHECK_EQ(access_mode, ArgumentsAccessMode::kLoad);
+        var_result = value;
      }
-      Goto(&end);
    }
+    Goto(&end);
  }
  BIND(&end);

--- a/test/mjsunit/regress/regress-crbug-1063796.js
+++ b/test/mjsunit/regress/regress-crbug-1063796.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+Object.prototype[1] = 1;
+function foo(baz) {
+  return 1 in arguments;
+}
+assertTrue(foo(0));
+%PrepareFunctionForOptimization(foo);
+assertTrue(foo(0));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(0));