[ic] Only use StorePropertyWithInterceptor if there's an own setter

This fixes the issue highlighted in https://chromium-review.googlesource.com/c/v8/v8/+/1803236. Change-Id: Iea2d6c4f9585a56d017f2cb1eb8e23b52de1f795 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807356 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#63871}

[ic] Only use StorePropertyWithInterceptor if there's an own setter
This fixes the issue highlighted in https://chromium-review.googlesource.com/c/v8/v8/+/1803236. Change-Id: Iea2d6c4f9585a56d017f2cb1eb8e23b52de1f795 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807356 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#63871}
c45c2b9c · Toon Verwaest · Commit Bot · e6f8d122 · c45c2b9c
Commit c45c2b9c authored Sep 18, 2019 by Toon Verwaest Committed by Commit Bot Sep 18, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 12 deletions

ic.cc src/ic/ic.cc +17 -12

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1315,7 +1315,8 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
        case LookupIterator::INTERCEPTOR: {
          Handle<JSObject> holder = it->GetHolder<JSObject>();
          InterceptorInfo info = holder->GetNamedInterceptor();
-          if (it->HolderIsReceiverOrHiddenPrototype() ||
+          if ((it->HolderIsReceiverOrHiddenPrototype() &&
+               !info.non_masking()) ||
              !info.getter().IsUndefined(isolate()) ||
              !info.query().IsUndefined(isolate())) {
            return true;
@@ -1541,22 +1542,26 @@ MaybeObjectHandle StoreIC::ComputeHandler(LookupIterator* lookup) {
    case LookupIterator::INTERCEPTOR: {
      Handle<JSObject> holder = lookup->GetHolder<JSObject>();
-      Handle<Smi> smi_handler = StoreHandler::StoreInterceptor(isolate());
      InterceptorInfo info = holder->GetNamedInterceptor();
-      if (!info.getter().IsUndefined(isolate()) ||
+      // If the interceptor is on the receiver
-          !info.query().IsUndefined(isolate()) || info.non_masking()) {
+      if (lookup->HolderIsReceiverOrHiddenPrototype() && !info.non_masking()) {
-        smi_handler = StoreHandler::StoreSlow(isolate());
+        // return a store interceptor smi handler if there is one,
-      }
+        if (!info.setter().IsUndefined(isolate())) {
+          return MaybeObjectHandle(StoreHandler::StoreInterceptor(isolate()));
-      if (receiver_map().is_identical_to(holder) &&
+        }
-          !info.setter().IsUndefined(isolate()) && !info.non_masking()) {
+        // otherwise return a slow-case smi handler.
-        DCHECK(!holder->GetNamedInterceptor().setter().IsUndefined(isolate()));
+        return MaybeObjectHandle(StoreHandler::StoreSlow(isolate()));
-        return MaybeObjectHandle(smi_handler);
      }
+      // If the interceptor is a getter/query interceptor on the prototype
+      // chain, return an invalidatable slow handler so it can turn fast if the
+      // interceptor is masked by a regular property later.
+      DCHECK(!info.getter().IsUndefined(isolate()) ||
+             !info.query().IsUndefined(isolate()));
      Handle<Object> handler = StoreHandler::StoreThroughPrototype(
-          isolate(), receiver_map(), holder, smi_handler);
+          isolate(), receiver_map(), holder,
+          StoreHandler::StoreSlow(isolate()));
      return MaybeObjectHandle(handler);
    }