Fix keyed stores to strings convertible to indices

BUG=chromium:509545 LOG=n Review URL: https://codereview.chromium.org/1232823002 Cr-Commit-Position: refs/heads/master@{#29596}

Fix keyed stores to strings convertible to indices
BUG=chromium:509545 LOG=n Review URL: https://codereview.chromium.org/1232823002 Cr-Commit-Position: refs/heads/master@{#29596}
bb964f63 · verwaest · Commit bot · cd61b047 · bb964f63 · bb964f63
Commit bb964f63 authored Jul 13, 2015 by verwaest Committed by Commit bot Jul 13, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 19 deletions

ic.cc src/ic/ic.cc +4 -19

proxies.js test/mjsunit/harmony/proxies.js +4 -0

primitive-keyed-access.js test/mjsunit/primitive-keyed-access.js +6 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1545,22 +1545,6 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
    return TypeError(MessageTemplate::kNonObjectPropertyStore, object, name);
  }
-  // Check if the given name is an array index.
-  uint32_t index;
-  if (name->AsArrayIndex(&index)) {
-    // Ignore other stores where the receiver is not a JSObject.
-    // TODO(1475): Must check prototype chains of object wrappers.
-    if (!object->IsJSObject()) return value;
-    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
-    Handle<Object> result;
-    ASSIGN_RETURN_ON_EXCEPTION(
-        isolate(), result,
-        Object::SetElement(isolate(), receiver, index, value, language_mode()),
-        Object);
-    return value;
-  }
  // Observed objects are always modified through the runtime.
  if (object->IsHeapObject() &&
      Handle<HeapObject>::cast(object)->map()->is_observed()) {
@@ -2116,7 +2100,10 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  Handle<Object> store_handle;
  Handle<Code> stub = megamorphic_stub();
-  if (key->IsInternalizedString() || key->IsSymbol()) {
+  uint32_t index;
+  if ((key->IsInternalizedString() &&
+       !String::cast(*key)->AsArrayIndex(&index)) ||
+      key->IsSymbol()) {
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate(), store_handle,
        StoreIC::Store(object, Handle<Name>::cast(key), value,
@@ -2156,8 +2143,6 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
  }
  if (use_ic) {
-    DCHECK(!object->IsAccessCheckNeeded());
    if (object->IsJSObject()) {
      Handle<JSObject> receiver = Handle<JSObject>::cast(object);
      bool key_is_smi_like = !Object::ToSmi(isolate(), key).is_null();

--- a/test/mjsunit/harmony/proxies.js
+++ b/test/mjsunit/harmony/proxies.js
@@ -382,6 +382,10 @@ function TestSet2(create, handler) {
  assertEquals(46, (function(n) { return p[n] = 46 })(99))
  assertEquals("99", key)
  assertEquals(46, val)
+  assertEquals(47, p["0"] = 47)
+  assertEquals("0", key)
+  assertEquals(47, val)
 }
 TestSet({

--- a/test/mjsunit/primitive-keyed-access.js
+++ b/test/mjsunit/primitive-keyed-access.js
@@ -41,3 +41,9 @@ assertThrows(function() {
  var sym = Symbol('66');
  sym[62] = 0;
 });
+assertThrows(function() {
+  "use strict";
+  var o = "bla";
+  o["0"] = 1;
+});