[class] Use Runtime::DefineClassField() in KeyedStoreIC

It was missing on the slow path before.

Bug: chromium:1259902, chromium:1260746, v8:10793
Change-Id: I9ae5f9efd552754a725f624307dd7caaeacd496f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226541Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#77429}

src/ic/ic.cc

@@ -2418,10 +2418,12 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
   DCHECK(store_handle.is_null());
   ASSIGN_RETURN_ON_EXCEPTION(
       isolate(), store_handle,
-      Runtime::SetObjectProperty(isolate(), object, key, value,
-                                 StoreOrigin::kMaybeKeyed),
+      IsDefineOwnIC()
+          ? Runtime::DefineClassField(isolate(), object, key, value,
+                                      StoreOrigin::kMaybeKeyed)
+          : Runtime::SetObjectProperty(isolate(), object, key, value,
+                                       StoreOrigin::kMaybeKeyed),
       Object);
-
   if (use_ic) {
     if (!old_receiver_map.is_null()) {
       if (is_arguments) {

test/mjsunit/regress/regress-crbug-1259902.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+Object.prototype[1] = 153;
+Object.freeze(Object.prototype);
+class B {
+  [1] = 7;
+}
+let b = new B();