[super IC] Fix a receiver vs lookup start object confusion bug

Bug: chromium:1203122 Change-Id: I80a22bbc1e700cca33e26d6a1cf294a5e9a334eb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856538Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#74290}

[super IC] Fix a receiver vs lookup start object confusion bug
Bug: chromium:1203122 Change-Id: I80a22bbc1e700cca33e26d6a1cf294a5e9a334eb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856538Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#74290}
387c8030 · Marja Hölttä · V8 LUCI CQ · 7d5e5f6c · 387c8030 · 387c8030
Commit 387c8030 authored Apr 29, 2021 by Marja Hölttä Committed by V8 LUCI CQ Apr 30, 2021
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 8 deletions

accessor-assembler.cc src/ic/accessor-assembler.cc +2 -2

ic.cc src/ic/ic.cc +8 -6

No files found.
--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -220,8 +220,8 @@ void AccessorAssembler::HandleLoadICHandlerCase(
  BIND(&call_handler);
  {
    exit_point->ReturnCallStub(LoadWithVectorDescriptor{}, CAST(handler),
-                               p->context(), p->receiver(), p->name(),
+                               p->context(), p->lookup_start_object(),
-                               p->slot(), p->vector());
+                               p->name(), p->slot(), p->vector());
  }
 }

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -835,25 +835,28 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
  Handle<Object> receiver = lookup->GetReceiver();
  ReadOnlyRoots roots(isolate());
+  Handle<Object> lookup_start_object = lookup->lookup_start_object();
  // `in` cannot be called on strings, and will always return true for string
  // wrapper length and function prototypes. The latter two cases are given
  // LoadHandler::LoadNativeDataProperty below.
  if (!IsAnyHas() && !lookup->IsElement()) {
-    if (receiver->IsString() && *lookup->name() == roots.length_string()) {
+    if (lookup_start_object->IsString() &&
+        *lookup->name() == roots.length_string()) {
      TRACE_HANDLER_STATS(isolate(), LoadIC_StringLength);
      return BUILTIN_CODE(isolate(), LoadIC_StringLength);
    }
-    if (receiver->IsStringWrapper() &&
+    if (lookup_start_object->IsStringWrapper() &&
        *lookup->name() == roots.length_string()) {
      TRACE_HANDLER_STATS(isolate(), LoadIC_StringWrapperLength);
      return BUILTIN_CODE(isolate(), LoadIC_StringWrapperLength);
    }
    // Use specialized code for getting prototype of functions.
-    if (receiver->IsJSFunction() &&
+    if (lookup_start_object->IsJSFunction() &&
        *lookup->name() == roots.prototype_string() &&
-        !JSFunction::cast(*receiver).PrototypeRequiresRuntimeLookup()) {
+        !JSFunction::cast(*lookup_start_object)
+             .PrototypeRequiresRuntimeLookup()) {
      TRACE_HANDLER_STATS(isolate(), LoadIC_FunctionPrototypeStub);
      return BUILTIN_CODE(isolate(), LoadIC_FunctionPrototype);
    }
@@ -864,8 +867,7 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
  bool holder_is_lookup_start_object;
  if (lookup->state() != LookupIterator::JSPROXY) {
    holder = lookup->GetHolder<JSObject>();
-    holder_is_lookup_start_object =
+    holder_is_lookup_start_object = lookup_start_object.is_identical_to(holder);
-        lookup->lookup_start_object().is_identical_to(holder);
  }
  switch (lookup->state()) {