Handle IC store with sealed elements

The path for sealed elements is handled by using the same path for SmiOrObjectElementKind, just need to extend a DCHECK in CodeStubAssembler::IsFixedArrayWithKind.
The only special case is when we write to a hole in holey sealed elements. Since we can not write in that case, just bail out.

Bug: chromium:967101
Change-Id: Ibf837ae053fe609bca83da432f298ef056f3aced
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632830
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62071}

src/codegen/code-stub-assembler.cc

@@ -6443,7 +6443,7 @@ TNode<BoolT> CodeStubAssembler::IsFixedArrayWithKind(
   if (IsDoubleElementsKind(kind)) {
     return IsFixedDoubleArray(object);
   } else {
-    DCHECK(IsSmiOrObjectElementsKind(kind));
+    DCHECK(IsSmiOrObjectElementsKind(kind) || IsSealedElementsKind(kind));
     return IsFixedArraySubclass(object);
   }
 }
@@ -10674,9 +10674,8 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
     BIND(&done);
     return;
   }
-  DCHECK(
-      IsFastElementsKind(elements_kind) ||
-      IsInRange(elements_kind, PACKED_SEALED_ELEMENTS, HOLEY_SEALED_ELEMENTS));
+  DCHECK(IsFastElementsKind(elements_kind) ||
+         IsSealedElementsKind(elements_kind));
 
   Node* length = SelectImpl(
       IsJSArray(object), [=]() { return LoadJSArrayLength(object); },
@@ -10693,18 +10692,24 @@ void CodeStubAssembler::EmitElementStore(Node* object, Node* key, Node* value,
     value = TryTaggedToFloat64(value, bailout);
   }
 
-  if (IsGrowStoreMode(store_mode) &&
-      !(IsInRange(elements_kind, PACKED_SEALED_ELEMENTS,
-                  HOLEY_SEALED_ELEMENTS))) {
+  if (IsGrowStoreMode(store_mode) && !IsSealedElementsKind(elements_kind)) {
     elements = CheckForCapacityGrow(object, elements, elements_kind, length,
                                     intptr_key, parameter_mode, bailout);
   } else {
     GotoIfNot(UintPtrLessThan(intptr_key, length), bailout);
   }
 
+  // Cannot store to a hole in holey sealed elements so bailout.
+  if (elements_kind == HOLEY_SEALED_ELEMENTS) {
+    TNode<Object> target_value =
+        LoadFixedArrayElement(CAST(elements), intptr_key);
+    GotoIf(IsTheHole(target_value), bailout);
+  }
+
   // If we didn't grow {elements}, it might still be COW, in which case we
   // copy it now.
-  if (!IsSmiOrObjectElementsKind(elements_kind)) {
+  if (!(IsSmiOrObjectElementsKind(elements_kind) ||
+        IsSealedElementsKind(elements_kind))) {
     CSA_ASSERT(this, Word32BinaryNot(IsFixedCOWArrayMap(LoadMap(elements))));
   } else if (IsCOWHandlingStoreMode(store_mode)) {
     elements = CopyElementsOnWrite(object, elements, elements_kind, length,

test/mjsunit/regress/regress-crbug-967101.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// For packed sealed object.
+function packedStore() {
+  let a = Object.seal([""]);
+  a[0] = 0;
+  assertEquals(a[0], 0);
+}
+
+packedStore();
+packedStore();
+
+// For holey sealed object.
+function holeyStore() {
+  let a = Object.seal([, ""]);
+  a[0] = 0;
+  assertEquals(a[0], undefined);
+}
+
+holeyStore();
+holeyStore();
+
+// Make sure IC store for holey is consistent.
+let a = Object.seal([, ""]);
+function foo() {
+  a[1] = 0;
+}
+
+foo();
+foo();
+function bar() {
+  a[0] = 1;
+}
+assertEquals(a, [, 0]);
+bar();
+assertEquals(a, [, 0]);
+bar();
+assertEquals(a, [, 0]);
+function baz() {
+  a[2] = 2;
+}
+assertEquals(a, [, 0]);
+baz();
+assertEquals(a, [, 0]);
+baz();
+assertEquals(a, [, 0]);