From 5f24690384284a2d24cd3974de491e49bdec077f Mon Sep 17 00:00:00 2001
From: verwaest <verwaest@chromium.org>
Date: Tue, 14 Jul 2015 04:44:41 -0700
Subject: [PATCH] Properly handle missing from normalized stores with keys
 convertible to array indices

BUG=chromium:509961
LOG=n

Review URL: https://codereview.chromium.org/1241613003

Cr-Commit-Position: refs/heads/master@{#29648}
---
 src/ic/ic.cc                           | 21 +++++++++++++++++++++
 test/mjsunit/regress/regress-509961.js | 10 ++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-509961.js

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 0c5867d..d1b9838 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1492,6 +1492,27 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
 MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
                                    Handle<Object> value,
                                    JSReceiver::StoreFromKeyed store_mode) {
+  // Check if the name is trivially convertible to an index and set the element.
+  uint32_t index;
+  if (kind() == Code::KEYED_STORE_IC && name->AsArrayIndex(&index)) {
+    // Rewrite to the generic keyed store stub.
+    if (FLAG_use_ic) {
+      if (UseVector()) {
+        ConfigureVectorState(MEGAMORPHIC);
+      } else if (!AddressIsDeoptimizedCode()) {
+        set_target(*megamorphic_stub());
+      }
+      TRACE_IC("StoreIC", name);
+      TRACE_GENERIC_IC(isolate(), "StoreIC", "name as array index");
+    }
+    Handle<Object> result;
+    ASSIGN_RETURN_ON_EXCEPTION(
+        isolate(), result,
+        Object::SetElement(isolate(), object, index, value, language_mode()),
+        Object);
+    return result;
+  }
+
   if (object->IsGlobalObject() && name->IsString()) {
     // Look up in script context table.
     Handle<String> str_name = Handle<String>::cast(name);
diff --git a/test/mjsunit/regress/regress-509961.js b/test/mjsunit/regress/regress-509961.js
new file mode 100644
index 0000000..d28bc8a
--- /dev/null
+++ b/test/mjsunit/regress/regress-509961.js
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var o = { x: 0 };
+delete o.x;
+function store(o, p, v) { o[p] = v; }
+store(o, "x", 1);
+store(o, "x", 1);
+store(o, "0", 1);
-- 
2.7.4