Fix: KeyedStoreGeneric must check for writable array length

src/ic/keyed-store-generic.cc

Index: src/ic/keyed-store-generic.cc
diff --git a/src/ic/keyed-store-generic.cc b/src/ic/keyed-store-generic.cc
index cf1c49f0c897304788c7134572b5413eb062fa05..4785398266018d4d821554254ec44050e1b5dfcd 100644
--- a/src/ic/keyed-store-generic.cc
+++ b/src/ic/keyed-store-generic.cc
@@ -225,6 +225,16 @@ void KeyedStoreGenericAssembler::StoreElementWithCapacity(
   if (update_length != kDontChangeLength) {
     CSA_ASSERT(this, Word32Equal(LoadMapInstanceType(receiver_map),
                                  Int32Constant(JS_ARRAY_TYPE)));
+    // Check if the length property is writable. The fast check is only
+    // supported for fast properties.
+    GotoIf(IsDictionaryMap(receiver_map), slow);
+    // The length property is non-configurable, so it's guaranteed to always
+    // be the first property.
+    Node* descriptors = LoadMapDescriptors(receiver_map);
+    Node* details =
+        LoadFixedArrayElement(descriptors, DescriptorArray::ToDetailsIndex(0));
+    Node* mask_node = SmiConstant(PropertyDetails::kAttributesReadOnlyMask);
+    GotoIf(WordEqual(SmiAnd(details, mask_node), mask_node), slow);

[danno, 2017/01/10 01:27:12]

What about:

GotoIf(IsSetWord(BitcastTaggedToWord(details),
PropertyDetails::kAttributesReadOnlyMask), slow);

[Jakob Kummerow, 2017/01/10 11:53:46]

As suggested, that compares a Smi against an untagged int, which is incorrect.
It would need "SmiUntag" instead of BitcastTaggedToWord, which adds an
additional instruction I'd rather avoid.

Keeping as-is unless you feel strongly about it.

   }
   STATIC_ASSERT(FixedArray::kHeaderSize == FixedDoubleArray::kHeaderSize);
   const int kHeaderSize = FixedArray::kHeaderSize - kHeapObjectTag;