From b7b39e0b77d4ad16583ecd56ef5c35b081c9cde4 Mon Sep 17 00:00:00 2001
From: Michaël Zasso <targos@protonmail.com>
Date: Wed, 27 Nov 2019 15:35:23 +0100
Subject: deps: V8: backport 93f189f19a03

Original commit message:

    [ic] Fix non-GlobalIC store to interceptor on the global object

    We possibly need to load the global object from the global proxy as the holder
    of the named interceptor.

    Change-Id: I0f9f2e448630608ae853588f6751b55574a9efd9
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930903
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#65119}

Refs: https://github.com/v8/v8/commit/93f189f19a030d5de6c5173711dca120ad76e5cd
Fixes: https://github.com/nodejs/node/issues/30586

PR-URL: https://github.com/nodejs/node/pull/30681
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
---
 deps/v8/src/ic/accessor-assembler.cc | 17 ++---------------
 deps/v8/src/ic/ic.cc                 | 22 +++++++++-------------
 2 files changed, 11 insertions(+), 28 deletions(-)

(limited to 'deps')

diff --git a/deps/v8/src/ic/accessor-assembler.cc b/deps/v8/src/ic/accessor-assembler.cc
index 99cbd3c3c8..c9f86ed328 100644
--- a/deps/v8/src/ic/accessor-assembler.cc
+++ b/deps/v8/src/ic/accessor-assembler.cc
@@ -1053,8 +1053,7 @@ void AccessorAssembler::HandleStoreICHandlerCase(
     {
       Comment("store_interceptor");
       TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
+                      p->value(), p->receiver(), p->name());
     }
 
     BIND(&if_slow);
@@ -1516,8 +1515,7 @@ void AccessorAssembler::HandleStoreICProtoHandler(
 
   {
     Label if_add_normal(this), if_store_global_proxy(this), if_api_setter(this),
-        if_accessor(this), if_native_data_property(this), if_slow(this),
-        if_interceptor(this);
+        if_accessor(this), if_native_data_property(this), if_slow(this);
 
     CSA_ASSERT(this, TaggedIsSmi(smi_handler));
     TNode<Int32T> handler_word = SmiToInt32(CAST(smi_handler));
@@ -1547,9 +1545,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
     GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kSlow)),
            &if_slow);
 
-    GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kInterceptor)),
-           &if_interceptor);
-
     GotoIf(
         Word32Equal(handler_kind,
                     Int32Constant(StoreHandler::kApiSetterHolderIsPrototype)),
@@ -1574,14 +1569,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
       }
     }
 
-    BIND(&if_interceptor);
-    {
-      Comment("store_interceptor");
-      TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
-    }
-
     BIND(&if_add_normal);
     {
       // This is a case of "transitioning store" to a dictionary mode object
diff --git a/deps/v8/src/ic/ic.cc b/deps/v8/src/ic/ic.cc
index 4ac5fd7abe..1b481cd817 100644
--- a/deps/v8/src/ic/ic.cc
+++ b/deps/v8/src/ic/ic.cc
@@ -1308,8 +1308,7 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
         case LookupIterator::INTERCEPTOR: {
           Handle<JSObject> holder = it->GetHolder<JSObject>();
           InterceptorInfo info = holder->GetNamedInterceptor();
-          if ((it->HolderIsReceiverOrHiddenPrototype() &&
-               !info.non_masking()) ||
+          if (it->HolderIsReceiverOrHiddenPrototype() ||
               !info.getter().IsUndefined(isolate()) ||
               !info.query().IsUndefined(isolate())) {
             return true;
@@ -2718,23 +2717,20 @@ RUNTIME_FUNCTION(Runtime_LoadPropertyWithInterceptor) {
 
 RUNTIME_FUNCTION(Runtime_StorePropertyWithInterceptor) {
   HandleScope scope(isolate);
-  DCHECK_EQ(5, args.length());
+  DCHECK_EQ(3, args.length());
   // Runtime functions don't follow the IC's calling convention.
   Handle<Object> value = args.at(0);
-  Handle<Smi> slot = args.at<Smi>(1);
-  Handle<FeedbackVector> vector = args.at<FeedbackVector>(2);
-  Handle<JSObject> receiver = args.at<JSObject>(3);
-  Handle<Name> name = args.at<Name>(4);
-  FeedbackSlot vector_slot = FeedbackVector::ToSlot(slot->value());
+  Handle<JSObject> receiver = args.at<JSObject>(1);
+  Handle<Name> name = args.at<Name>(2);
 
   // TODO(ishell): Cache interceptor_holder in the store handler like we do
   // for LoadHandler::kInterceptor case.
   Handle<JSObject> interceptor_holder = receiver;
-  if (receiver->IsJSGlobalProxy()) {
-    FeedbackSlotKind kind = vector->GetKind(vector_slot);
-    if (IsStoreGlobalICKind(kind)) {
-      interceptor_holder = Handle<JSObject>::cast(isolate->global_object());
-    }
+  if (receiver->IsJSGlobalProxy() &&
+      (!receiver->HasNamedInterceptor() ||
+       receiver->GetNamedInterceptor().non_masking())) {
+    interceptor_holder =
+        handle(JSObject::cast(receiver->map().prototype()), isolate);
   }
   DCHECK(interceptor_holder->HasNamedInterceptor());
   Handle<InterceptorInfo> interceptor(interceptor_holder->GetNamedInterceptor(),
-- 
cgit v1.2.3