[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati…

src/lookup.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/lookup.h"
 
 #include "src/bootstrapper.h"
 #include "src/deoptimizer.h"
 #include "src/elements.h"
 #include "src/field-type.h"
@@ skipping 508 matching lines @@
   holder_ = receiver;
 
   PropertyDetails details(attributes, ACCESSOR_CONSTANT, 0,
                           PropertyCellType::kMutable);
 
   if (IsElement()) {
     // TODO(verwaest): Move code into the element accessor.
     Handle<SeededNumberDictionary> dictionary =
         JSObject::NormalizeElements(receiver);
 
-    // We unconditionally pass used_as_prototype=false here because the call
-    // to RequireSlowElements takes care of the required IC clearing and
-    // we don't want to walk the heap twice.
-    dictionary =
-        SeededNumberDictionary::Set(dictionary, index_, pair, details, false);
+    dictionary = SeededNumberDictionary::Set(dictionary, index_, pair, details,
+                                             receiver);
     receiver->RequireSlowElements(*dictionary);
 
     if (receiver->HasSlowArgumentsElements()) {
       FixedArray* parameter_map = FixedArray::cast(receiver->elements());
       uint32_t length = parameter_map->length() - 2;
       if (number_ < length) {
         parameter_map->set(number_ + 2, heap()->the_hole_value());
       }
       FixedArray::cast(receiver->elements())->set(1, *dictionary);
     } else {
@@ skipping 329 matching lines @@
 
   // We have found a cached property! Modify the iterator accordingly.
   name_ = maybe_name.ToHandleChecked();
   Restart();
   CHECK_EQ(state(), LookupIterator::DATA);
   return true;
 }
 
 }  // namespace internal
 }  // namespace v8