[typed array length loading] Fix interaction with super

marjakh · V8 LUCI CQ · commit dd4c05cef226 · 2025-03-13T07:00:56.000-07:00
Bug: 388844115, 402646504 Change-Id: I17ff61116e68d98648a0ef8e710dfa9739135b8a Fixed: 402646504 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6348468 Reviewed-by: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#99242}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -6010,9 +6010,17 @@ MaybeReduceResult MaglevGraphBuilder::TryBuildPropertyLoad(
       return AddNewNode<StringLength>({string});
     }
     case compiler::PropertyAccessInfo::kTypedArrayLength: {
-      DCHECK_EQ(receiver, lookup_start_object);
       CHECK(!IsRabGsabTypedArrayElementsKind(access_info.elements_kind()));
-      return BuildLoadTypedArrayLength(receiver, access_info.elements_kind());
+      if (receiver != lookup_start_object) {
+        // We're accessing the TypedArray length via a prototype (a TypedArray
+        // object in the prototype chain, objects below it not having a "length"
+        // property, reading via super.length). That will throw a TypeError.
+        // This should never occur in any realistic code, so we can deopt here
+        // instead of implementing special handling for it.
+        return EmitUnconditionalDeopt(DeoptimizeReason::kWrongMap);
+      }
+      return BuildLoadTypedArrayLength(lookup_start_object,
+                                       access_info.elements_kind());
     }
   }
 }
diff --git a/test/mjsunit/maglev/regress-402646504.js b/test/mjsunit/maglev/regress-402646504.js
@@ -0,0 +1,30 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --maglev --no-always-turbofan
+
+const obj = {
+  func(optimize) {
+      const arrowFunc = () => {
+        return super.length;
+      };
+      %PrepareFunctionForOptimization(arrowFunc);
+      if (optimize) {
+        %OptimizeMaglevOnNextCall(arrowFunc);
+      }
+      return arrowFunc();
+  }
+};
+
+// Make super.length polymorphic:
+// Case 1:
+assertEquals(undefined, obj.func(false));
+
+// Case 2:
+const u8Arr = new Uint8Array(20);
+obj.__proto__ = u8Arr;
+assertThrows(() => { obj.func(false); }, TypeError);
+
+// Optimize for Maglev.
+assertThrows(() => { obj.func(true); }, TypeError);

Original file line number	Diff line number	Diff line change
`@@ -6010,9 +6010,17 @@ MaybeReduceResult MaglevGraphBuilder::TryBuildPropertyLoad(`
`6010`	`6010`	`return AddNewNode<StringLength>({string});`
`6011`	`6011`	`}`
`6012`	`6012`	`case compiler::PropertyAccessInfo::kTypedArrayLength: {`
`6013`		`- DCHECK_EQ(receiver, lookup_start_object);`
`6014`	`6013`	`CHECK(!IsRabGsabTypedArrayElementsKind(access_info.elements_kind()));`
`6015`		`- return BuildLoadTypedArrayLength(receiver, access_info.elements_kind());`
	`6014`	`+ if (receiver != lookup_start_object) {`
	`6015`	`+ // We're accessing the TypedArray length via a prototype (a TypedArray`
	`6016`	`+ // object in the prototype chain, objects below it not having a "length"`
	`6017`	`+ // property, reading via super.length). That will throw a TypeError.`
	`6018`	`+ // This should never occur in any realistic code, so we can deopt here`
	`6019`	`+ // instead of implementing special handling for it.`
	`6020`	`+ return EmitUnconditionalDeopt(DeoptimizeReason::kWrongMap);`
	`6021`	`+ }`
	`6022`	`+ return BuildLoadTypedArrayLength(lookup_start_object,`
	`6023`	`+ access_info.elements_kind());`
`6016`	`6024`	`}`
`6017`	`6025`	`}`
`6018`	`6026`	`}`