[ic] Add StoreOwnIC_Slow

This runtime function behaves like StoreDataPropertyInLiteral, except it
can throw, since it's also used for defining public class fields. Unlike
the literal use case, class field can end up throwing due to field
initializers doing things like freezing the instance.

Bug: chromium:1264828
Change-Id: I3ea4d15ad9b906c26763f022c8e22b757fa80b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3252558
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77704}

src/ic/accessor-assembler.cc

@@ -1303,13 +1303,16 @@ void AccessorAssembler::HandleStoreICHandlerCase(
       if (ic_mode == ICMode::kGlobalIC) {
         TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(),
                         p->slot(), p->vector(), p->receiver(), p->name());
-      } else if (p->IsStoreOwn()) {
-        TailCallRuntime(Runtime::kStoreDataPropertyInLiteral, p->context(),
-                        p->receiver(), p->name(), p->value());
       } else {
-        TailCallRuntime(p->IsDefineOwn() ? Runtime::kKeyedDefineOwnIC_Slow
-                                         : Runtime::kKeyedStoreIC_Slow,
-                        p->context(), p->value(), p->receiver(), p->name());
+        Runtime::FunctionId id;
+        if (p->IsStoreOwn()) {
+          id = Runtime::kStoreOwnIC_Slow;
+        } else if (p->IsDefineOwn()) {
+          id = Runtime::kKeyedDefineOwnIC_Slow;
+        } else {
+          id = Runtime::kKeyedStoreIC_Slow;
+        }
+        TailCallRuntime(id, p->context(), p->value(), p->receiver(), p->name());
       }
     }
   }

src/ic/ic.cc

@@ -2751,6 +2751,27 @@ RUNTIME_FUNCTION(Runtime_StoreOwnIC_Miss) {
   RETURN_RESULT_OR_FAILURE(isolate, ic.Store(receiver, key, value));
 }
 
+RUNTIME_FUNCTION(Runtime_StoreOwnIC_Slow) {
+  HandleScope scope(isolate);
+  DCHECK_EQ(3, args.length());
+
+  Handle<Object> value = args.at(0);
+  Handle<Object> object = args.at(1);
+  Handle<Object> key = args.at(2);
+
+  // Unlike DefineOwn, StoreOwn doesn't handle private fields and is used for
+  // defining data properties in object literals and defining public class
+  // fields.
+  DCHECK(!key->IsSymbol() || !Symbol::cast(*key).is_private_name());
+
+  PropertyKey lookup_key(isolate, key);
+  LookupIterator it(isolate, object, lookup_key, LookupIterator::OWN);
+  MAYBE_RETURN(JSObject::DefineOwnPropertyIgnoreAttributes(
+                   &it, value, NONE, Nothing<ShouldThrow>()),
+               ReadOnlyRoots(isolate).exception());
+  return *value;
+}
+
 RUNTIME_FUNCTION(Runtime_StoreGlobalIC_Miss) {
   HandleScope scope(isolate);
   DCHECK_EQ(4, args.length());

src/runtime/runtime.h

@@ -638,6 +638,7 @@ namespace internal {
   F(KeyedStoreIC_Miss, 5, 1)                 \
   F(KeyedDefineOwnIC_Miss, 5, 1)             \
   F(StoreInArrayLiteralIC_Miss, 5, 1)        \
+  F(StoreOwnIC_Slow, 3, 1)                   \
   F(KeyedStoreIC_Slow, 3, 1)                 \
   F(KeyedDefineOwnIC_Slow, 3, 1)             \
   F(LoadElementWithInterceptor, 2, 1)        \

test/mjsunit/regress/regress-crbug-1264828.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+{
+  class C {
+    x = Object.freeze(this);
+  }
+  // Call once to install slow handler.
+  assertThrows(() => { new C(); });
+  // Hit the slow handler.
+  assertThrows(() => { new C(); });
+}