Fix EmitGenericPropertyStore to bailout on stores to TypedArrays

We don't handle all cases for stores to typed arrays in the builtins related to storing a property. Bailout to runtime when storing into a typed array if the property is not found on the object. Bug: chromium:996161 Change-Id: I684c7c4f526b15cdfb5bfe3fd23218910486a59e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789396 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#63639}

Fix EmitGenericPropertyStore to bailout on stores to TypedArrays
We don't handle all cases for stores to typed arrays in the builtins related to storing a property. Bailout to runtime when storing into a typed array if the property is not found on the object. Bug: chromium:996161 Change-Id: I684c7c4f526b15cdfb5bfe3fd23218910486a59e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789396 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#63639}
ecf178a1 · Mythri A · Commit Bot · c0ffaf68 · ecf178a1 · ecf178a1
Commit ecf178a1 authored Sep 10, 2019 by Mythri A Committed by Commit Bot Sep 10, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 0 deletions

keyed-store-generic.cc src/ic/keyed-store-generic.cc +5 -0

regress-996161.js test/mjsunit/regress/regress-996161.js +43 -0

No files found.
--- a/src/ic/keyed-store-generic.cc
+++ b/src/ic/keyed-store-generic.cc
@@ -869,6 +869,11 @@ void KeyedStoreGenericAssembler::EmitGenericPropertyStore(

    BIND(&not_found);
    {
+      // TODO(jkummerow): Also add support to correctly handle integer exotic
+      // cases for typed arrays and remove this check here.
+      GotoIf(InstanceTypeEqual(LoadMapInstanceType(receiver_map),
+                               JS_TYPED_ARRAY_TYPE),
+             slow);
      CheckForAssociatedProtector(name, slow);
      Label extensible(this), is_private_symbol(this);
      TNode<Uint32T> bitfield3 = LoadMapBitField3(receiver_map);

--- a/test/mjsunit/regress/regress-996161.js
+++ b/test/mjsunit/regress/regress-996161.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function checkOwnProperties(v, count) {
+  var properties = Object.getOwnPropertyNames(v);
+  assertEquals(properties.length, count);
+}
+
+
+function testStoreNoFeedback() {
+  arr = new Int32Array(10);
+  function f(a) { a["-1"] = 15; }
+
+  for (var i = 0; i < 3; i++) {
+    arr.__defineGetter__("x", function() { });
+    checkOwnProperties(arr, 11);
+    f(arr);
+  }
+}
+testStoreNoFeedback();
+
+function testStoreGeneric() {
+  arr = new Int32Array(10);
+  var index = "-1";
+  function f1(a) { a[index] = 15; }
+  %EnsureFeedbackVectorForFunction(f1);
+
+  // Make a[index] in f1 megamorphic
+  f1({a: 1});
+  f1({b: 1});
+  f1({c: 1});
+  f1({d: 1});
+
+  for (var i = 0; i < 3; i++) {
+    arr.__defineGetter__("x", function() { });
+    checkOwnProperties(arr, 11);
+    f1(arr);
+  }
+}
+testStoreGeneric();