[ic] Fix non-GlobalIC store to interceptor on the global object

verwaest · Commit Bot · commit 93f189f19a03 · 2019-11-22T16:49:25.000Z
We possibly need to load the global object from the global proxy as the holder of the named interceptor. Change-Id: I0f9f2e448630608ae853588f6751b55574a9efd9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930903 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#65119}
diff --git a/src/ic/accessor-assembler.cc b/src/ic/accessor-assembler.cc
@@ -1094,8 +1094,7 @@ void AccessorAssembler::HandleStoreICHandlerCase(
     {
       Comment("store_interceptor");
       TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
+                      p->value(), p->receiver(), p->name());
     }
 
     BIND(&if_slow);
@@ -1558,8 +1557,7 @@ void AccessorAssembler::HandleStoreICProtoHandler(
 
   {
     Label if_add_normal(this), if_store_global_proxy(this), if_api_setter(this),
-        if_accessor(this), if_native_data_property(this), if_slow(this),
-        if_interceptor(this);
+        if_accessor(this), if_native_data_property(this), if_slow(this);
 
     CSA_ASSERT(this, TaggedIsSmi(smi_handler));
     TNode<Int32T> handler_word = SmiToInt32(CAST(smi_handler));
@@ -1589,9 +1587,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
     GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kApiSetter)),
            &if_api_setter);
 
-    GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kInterceptor)),
-           &if_interceptor);
-
     GotoIf(
         Word32Equal(handler_kind,
                     Int32Constant(StoreHandler::kApiSetterHolderIsPrototype)),
@@ -1616,14 +1611,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
       }
     }
 
-    BIND(&if_interceptor);
-    {
-      Comment("store_interceptor");
-      TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
-    }
-
     BIND(&if_add_normal);
     {
       // This is a case of "transitioning store" to a dictionary mode object
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
@@ -1363,8 +1363,7 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
         case LookupIterator::INTERCEPTOR: {
           Handle<JSObject> holder = it->GetHolder<JSObject>();
           InterceptorInfo info = holder->GetNamedInterceptor();
-          if ((it->HolderIsReceiverOrHiddenPrototype() &&
-               !info.non_masking()) ||
+          if (it->HolderIsReceiverOrHiddenPrototype() ||
               !info.getter().IsUndefined(isolate()) ||
               !info.query().IsUndefined(isolate())) {
             return true;
@@ -2757,23 +2756,20 @@ RUNTIME_FUNCTION(Runtime_LoadPropertyWithInterceptor) {
 
 RUNTIME_FUNCTION(Runtime_StorePropertyWithInterceptor) {
   HandleScope scope(isolate);
-  DCHECK_EQ(5, args.length());
+  DCHECK_EQ(3, args.length());
   // Runtime functions don't follow the IC's calling convention.
   Handle<Object> value = args.at(0);
-  Handle<Smi> slot = args.at<Smi>(1);
-  Handle<FeedbackVector> vector = args.at<FeedbackVector>(2);
-  Handle<JSObject> receiver = args.at<JSObject>(3);
-  Handle<Name> name = args.at<Name>(4);
-  FeedbackSlot vector_slot = FeedbackVector::ToSlot(slot->value());
+  Handle<JSObject> receiver = args.at<JSObject>(1);
+  Handle<Name> name = args.at<Name>(2);
 
   // TODO(ishell): Cache interceptor_holder in the store handler like we do
   // for LoadHandler::kInterceptor case.
   Handle<JSObject> interceptor_holder = receiver;
-  if (receiver->IsJSGlobalProxy()) {
-    FeedbackSlotKind kind = vector->GetKind(vector_slot);
-    if (IsStoreGlobalICKind(kind)) {
-      interceptor_holder = Handle<JSObject>::cast(isolate->global_object());
-    }
+  if (receiver->IsJSGlobalProxy() &&
+      (!receiver->HasNamedInterceptor() ||
+       receiver->GetNamedInterceptor().non_masking())) {
+    interceptor_holder =
+        handle(JSObject::cast(receiver->map().prototype()), isolate);
   }
   DCHECK(interceptor_holder->HasNamedInterceptor());
   Handle<InterceptorInfo> interceptor(interceptor_holder->GetNamedInterceptor(),
