Fix: KeyedStoreGeneric must check for writable array length

src/ic/keyed-store-generic.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ic/keyed-store-generic.h"
 
 #include "src/code-factory.h"
 #include "src/code-stub-assembler.h"
 #include "src/contexts.h"
 #include "src/ic/accessor-assembler-impl.h"
@@ skipping 207 matching lines @@
   Return(value);
 }
 
 void KeyedStoreGenericAssembler::StoreElementWithCapacity(
     Node* receiver, Node* receiver_map, Node* elements, Node* elements_kind,
     Node* intptr_index, Node* value, Node* context, Label* slow,
     UpdateLength update_length) {
   if (update_length != kDontChangeLength) {
     CSA_ASSERT(this, Word32Equal(LoadMapInstanceType(receiver_map),
                                  Int32Constant(JS_ARRAY_TYPE)));
+    // Check if the length property is writable. The fast check is only
+    // supported for fast properties.
+    GotoIf(IsDictionaryMap(receiver_map), slow);
+    // The length property is non-configurable, so it's guaranteed to always
+    // be the first property.
+    Node* descriptors = LoadMapDescriptors(receiver_map);
+    Node* details =
+        LoadFixedArrayElement(descriptors, DescriptorArray::ToDetailsIndex(0));
+    Node* mask_node = SmiConstant(PropertyDetails::kAttributesReadOnlyMask);
+    GotoIf(WordEqual(SmiAnd(details, mask_node), mask_node), slow);

[danno, 2017/01/10 01:27:12]

What about:

GotoIf(IsSetWord(BitcastTaggedToWord(details),
PropertyDetails::kAttributesReadOnlyMask), slow);

[Jakob Kummerow, 2017/01/10 11:53:46]

As suggested, that compares a Smi against an untagged int, which is incorrect.
It would need "SmiUntag" instead of BitcastTaggedToWord, which adds an
additional instruction I'd rather avoid.

Keeping as-is unless you feel strongly about it.

   }
   STATIC_ASSERT(FixedArray::kHeaderSize == FixedDoubleArray::kHeaderSize);
   const int kHeaderSize = FixedArray::kHeaderSize - kHeapObjectTag;
 
   Label check_double_elements(this), check_cow_elements(this);
   Node* elements_map = LoadMap(elements);
   GotoIf(WordNotEqual(elements_map, LoadRoot(Heap::kFixedArrayMapRootIndex)),
          &check_double_elements);
 
   // FixedArray backing store -> Smi or object elements.
@@ skipping 540 matching lines @@
   Bind(&slow);
   {
     Comment("KeyedStoreGeneric_slow");
     TailCallRuntime(Runtime::kSetProperty, context, receiver, name, value,
                     SmiConstant(language_mode));
   }
 }
 
 }  // namespace internal
 }  // namespace v8