Handle COW map for sealed, frozen object

Basically, SetPropertyInternal is called without handling COW map.

Improve test coverage as well.

Bug: chromium:951438
Change-Id: Iea8c818ab6a8ddea204f86a9d676a1ea42fd07f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562731
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60834}

src/elements-kind.h

@@ -157,6 +157,10 @@ inline bool IsFrozenOrSealedElementsKind(ElementsKind kind) {
   return IsInRange(kind, PACKED_SEALED_ELEMENTS, PACKED_FROZEN_ELEMENTS);
 }
 
+inline bool IsSealedElementsKind(ElementsKind kind) {
+  return kind == PACKED_SEALED_ELEMENTS;
+}
+
 inline bool IsSmiOrObjectElementsKind(ElementsKind kind) {
   return kind == PACKED_SMI_ELEMENTS || kind == HOLEY_SMI_ELEMENTS ||
          kind == PACKED_ELEMENTS || kind == HOLEY_ELEMENTS;

src/lookup.cc

@@ -459,7 +459,7 @@ void LookupIterator::PrepareForDataProperty(Handle<Object> value) {
     }
 
     // Copy the backing store if it is copy-on-write.
-    if (IsSmiOrObjectElementsKind(to)) {
+    if (IsSmiOrObjectElementsKind(to) || IsSealedElementsKind(to)) {
       JSObject::EnsureWritableFastElements(holder_obj);
     }
     return;

src/objects/js-objects.cc

@@ -2059,7 +2059,8 @@ MaybeHandle<JSObject> JSObject::ObjectCreate(Isolate* isolate,
 
 void JSObject::EnsureWritableFastElements(Handle<JSObject> object) {
   DCHECK(object->HasSmiOrObjectElements() ||
-         object->HasFastStringWrapperElements());
+         object->HasFastStringWrapperElements() ||
+         object->HasFrozenOrSealedElements());
   FixedArray raw_elems = FixedArray::cast(object->elements());
   Isolate* isolate = object->GetIsolate();
   if (raw_elems->map() != ReadOnlyRoots(isolate).fixed_cow_array_map()) return;

test/mjsunit/object-freeze.js

@@ -414,6 +414,7 @@ function testPackedFrozenArray1(obj) {
   assertTrue(Array.isArray(obj));
   assertThrows(function() { obj.pop(); }, TypeError);
   assertThrows(function() { obj.push(); }, TypeError);
+  assertThrows(function() { obj.shift(); }, TypeError);
   assertThrows(function() { obj.unshift(); }, TypeError);
   assertThrows(function() { obj.copyWithin(0,0); }, TypeError);
   assertThrows(function() { obj.fill(0); }, TypeError);
@@ -545,3 +546,9 @@ assertThrows(function() {
     value: obj,
   });
 }, TypeError);
+
+// Regression test with simple array
+var arr = ['a'];
+Object.freeze(arr);
+arr[0] = 'b';
+assertEquals(arr[0], 'a');

test/mjsunit/object-prevent-extensions.js

@@ -172,6 +172,7 @@ assertTrue(Array.isArray(obj));
 
 // Verify that the length can't be written by builtins.
 assertThrows(function() { obj.push(1); }, TypeError);
+assertDoesNotThrow(function() { obj.shift(); });
 assertThrows(function() { obj.unshift(1); }, TypeError);
 assertThrows(function() { obj.splice(0, 0, 1); }, TypeError);
 assertDoesNotThrow(function() {obj.splice(0, 0)});
@@ -250,3 +251,9 @@ arr.fill('d');
 assertEquals(arr.join(''), "ddd");
 arr.pop();
 assertEquals(arr.join(''), "dd");
+
+// Regression test with simple array
+var arr = ['a'];
+Object.preventExtensions(arr);
+arr[0] = 'b';
+assertEquals(arr[0], 'b');

test/mjsunit/object-seal.js

@@ -402,6 +402,7 @@ function testPackedSealedArray1(obj) {
   // Verify that the length can't be written by builtins.
   assertThrows(function() { obj.pop(); }, TypeError);
   assertThrows(function() { obj.push(1); }, TypeError);
+  assertThrows(function() { obj.shift(); }, TypeError);
   assertThrows(function() { obj.unshift(1); }, TypeError);
   assertThrows(function() { obj.splice(0); }, TypeError);
   assertDoesNotThrow(function() { obj.splice(0, 0); });
@@ -521,3 +522,9 @@ assertThrows(function() {
     value: obj,
   });
 }, TypeError);
+
+// Regression test with simple array
+var arr = ['a'];
+Object.seal(arr);
+arr[0] = 'b';
+assertEquals(arr[0], 'b');