[string] Remove invalid optimization in MaybeCallFunctionAtSymbol

The assumption behind this optimization was invalid. Even if the
string's prototype is unchanged, the symbol could exist somewhere
further up the prototype chain.

GetProperty has been sped up significantly so it might be fine to just
skip this fast path. An alternative would be to use a protector cell.

Bug: v8:8357
Change-Id: Ia577107a58157350eb15780c02aa63d77e600637
Reviewed-on: https://chromium-review.googlesource.com/c/1301498
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57038}

src/builtins/builtins-string-gen.cc

@@ -1064,29 +1064,6 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
   // Smis definitely don't have an attached symbol.
   GotoIf(TaggedIsSmi(object), &out);
 
-  Node* const object_map = LoadMap(object);
-
-  // Skip the slow lookup for Strings.
-  {
-    Label next(this);
-
-    GotoIfNot(IsStringInstanceType(LoadMapInstanceType(object_map)), &next);
-
-    Node* const native_context = LoadNativeContext(context);
-    Node* const initial_proto_initial_map = LoadContextElement(
-        native_context, Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX);
-
-    Node* const string_fun =
-        LoadContextElement(native_context, Context::STRING_FUNCTION_INDEX);
-    Node* const initial_map =
-        LoadObjectField(string_fun, JSFunction::kPrototypeOrInitialMapOffset);
-    Node* const proto_map = LoadMap(LoadMapPrototype(initial_map));
-
-    Branch(WordEqual(proto_map, initial_proto_initial_map), &out, &next);
-
-    BIND(&next);
-  }
-
   // Take the fast path for RegExps.
   // There's two conditions: {object} needs to be a fast regexp, and
   // {maybe_string} must be a string (we can't call ToString on the fast path
@@ -1098,7 +1075,7 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
     GotoIfNot(IsString(maybe_string), &slow_lookup);
 
     RegExpBuiltinsAssembler regexp_asm(state());
-    regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
+    regexp_asm.BranchIfFastRegExp(context, object, LoadMap(object), &stub_call,
                                   &slow_lookup);
 
     BIND(&stub_call);

test/mjsunit/regress/regress-v8-8357.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const s = "Umbridge has been reading your mail, Harry."
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.replace] =
+    () => { monkey_called = true; };
+  s.replace(s);
+  assertTrue(monkey_called);
+}
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.search] =
+    () => { monkey_called = true; };
+  s.search(s);
+  assertTrue(monkey_called);
+}
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.match] =
+    () => { monkey_called = true; };
+  s.match(s);
+  assertTrue(monkey_called);
+}