Fix keyed stores to strings convertible to indices

src/ic/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
 #include "src/api.h"
 #include "src/arguments.h"
 #include "src/base/bits.h"
@@ skipping 1527 matching lines @@
         Object::SetProperty(object, name, value, language_mode()), Object);
     return result;
   }
 
   // If the object is undefined or null it's illegal to try to set any
   // properties on it; throw a TypeError in that case.
   if (object->IsUndefined() || object->IsNull()) {
     return TypeError(MessageTemplate::kNonObjectPropertyStore, object, name);
   }
 
-  // Check if the given name is an array index.
-  uint32_t index;
-  if (name->AsArrayIndex(&index)) {
-    // Ignore other stores where the receiver is not a JSObject.
-    // TODO(1475): Must check prototype chains of object wrappers.
-    if (!object->IsJSObject()) return value;
-    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
-
-    Handle<Object> result;
-    ASSIGN_RETURN_ON_EXCEPTION(
-        isolate(), result,
-        Object::SetElement(isolate(), receiver, index, value, language_mode()),
-        Object);
-    return value;
-  }
-
   // Observed objects are always modified through the runtime.
   if (object->IsHeapObject() &&
       Handle<HeapObject>::cast(object)->map()->is_observed()) {
     Handle<Object> result;
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate(), result,
         Object::SetProperty(object, name, value, language_mode(), store_mode),
         Object);
     return result;
   }
@@ skipping 535 matching lines @@
     return result;
   }
 
   // Check for non-string values that can be converted into an
   // internalized string directly or is representable as a smi.
   key = TryConvertKey(key, isolate());
 
   Handle<Object> store_handle;
   Handle<Code> stub = megamorphic_stub();
 
-  if (key->IsInternalizedString() || key->IsSymbol()) {
+  uint32_t index;
+  if ((key->IsInternalizedString() &&
+       !String::cast(*key)->AsArrayIndex(&index)) ||
+      key->IsSymbol()) {
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate(), store_handle,
         StoreIC::Store(object, Handle<Name>::cast(key), value,
                        JSReceiver::MAY_BE_STORE_FROM_KEYED),
         Object);
     if (FLAG_vector_stores) {
       if (!is_vector_set()) {
         ConfigureVectorState(MEGAMORPHIC);
         TRACE_GENERIC_IC(isolate(), "KeyedStoreIC",
                          "unhandled internalized string key");
@@ skipping 19 matching lines @@
     // expect to be able to trap element sets to objects with those maps in
     // the runtime to enable optimization of element hole access.
     Handle<HeapObject> heap_object = Handle<HeapObject>::cast(object);
     if (heap_object->map()->IsMapInArrayPrototypeChain()) {
       TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "map in array prototype");
       use_ic = false;
     }
   }
 
   if (use_ic) {
-    DCHECK(!object->IsAccessCheckNeeded());
-
     if (object->IsJSObject()) {
       Handle<JSObject> receiver = Handle<JSObject>::cast(object);
       bool key_is_smi_like = !Object::ToSmi(isolate(), key).is_null();
       if (receiver->elements()->map() ==
               isolate()->heap()->sloppy_arguments_elements_map() &&
           !is_sloppy(language_mode())) {
         TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "arguments receiver");
       } else if (key_is_smi_like) {
         // We should go generic if receiver isn't a dictionary, but our
         // prototype chain does have dictionary elements. This ensures that
@@ skipping 934 matching lines @@
 static const Address IC_utilities[] = {
 #define ADDR(name) FUNCTION_ADDR(name),
     IC_UTIL_LIST(ADDR) NULL
 #undef ADDR
 };
 
 
 Address IC::AddressFromUtilityId(IC::UtilityId id) { return IC_utilities[id]; }
 }  // namespace internal
 }  // namespace v8