Implement correct checking for inherited readonliness on assignment.

src/hydrogen.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 4256 matching lines @@
     switch (property->kind()) {
       case ObjectLiteral::Property::MATERIALIZED_LITERAL:
         ASSERT(!CompileTimeValue::IsCompileTimeValue(value));
         // Fall through.
       case ObjectLiteral::Property::COMPUTED:
         if (key->handle()->IsSymbol()) {
           if (property->emit_store()) {
             property->RecordTypeFeedback(oracle());
             CHECK_ALIVE(VisitForValue(value));
             HValue* value = Pop();
-            HInstruction* store = BuildStoreNamed(literal, value, property);
+            HInstruction* store;
+            CHECK_ALIVE(store = BuildStoreNamed(literal, value, property));
             AddInstruction(store);
             if (store->HasObservableSideEffects()) AddSimulate(key->id());
           } else {
             CHECK_ALIVE(VisitForEffect(value));
           }
           break;
         }
         // Fall through.
       case ObjectLiteral::Property::PROTOTYPE:
       case ObjectLiteral::Property::SETTER:
@@ skipping 143 matching lines @@
   }
 }
 
 
 HInstruction* HGraphBuilder::BuildStoreNamedField(HValue* object,
                                                   Handle<String> name,
                                                   HValue* value,
                                                   Handle<Map> type,
                                                   LookupResult* lookup,
                                                   bool smi_and_map_check) {
+  ASSERT(lookup->IsFound());
   if (smi_and_map_check) {
     AddInstruction(new(zone()) HCheckNonSmi(object));
     AddInstruction(HCheckMaps::NewWithTransitions(object, type));
   }
 
+  // If the property does not exist yet, we have to check that it wasn't made
+  // readonly by some meanwhile modifications on the prototype chain.
+  if (!lookup->IsProperty()) {
+    Object* proto = type->prototype();
+    // First check that the prototype chain isn't affected already.
+    LookupResult proto_result(isolate());
+    proto->Lookup(*name, &proto_result);
+    if (proto_result.IsProperty()) {
+      // If the inherited property could induce readonly-ness, bail out.
+      if (proto_result.IsReadOnly() || !proto_result.IsCacheable()) {
+        Bailout("improper object on prototype chain for store");
+        return NULL;
+      }
+      // We only need to check up to where the preexisting property.
+      proto = proto_result.holder();
+    } else {
+      // Otherwise, find the top prototype.
+      while (proto->GetPrototype()->IsJSObject()) proto = proto->GetPrototype();
+    }
+    ASSERT(proto->IsJSObject());
+    AddInstruction(new(zone()) HCheckPrototypeMaps(
+        Handle<JSObject>(JSObject::cast(type->prototype())),
+        Handle<JSObject>(JSObject::cast(proto))));
+  }
+
   int index = ComputeLoadStoreFieldIndex(type, name, lookup);
   bool is_in_object = index < 0;
   int offset = index * kPointerSize;
   if (index < 0) {
     // Negative property indices are in-object properties, indexed
     // from the end of the fixed part of the object.
     offset += type->instance_size();
   } else {
     offset += FixedArray::kHeaderSize;
   }
@@ skipping 136 matching lines @@
         join = graph()->CreateBasicBlock();
       }
       ++count;
       HBasicBlock* if_true = graph()->CreateBasicBlock();
       HBasicBlock* if_false = graph()->CreateBasicBlock();
       HCompareMap* compare =
           new(zone()) HCompareMap(object, map, if_true, if_false);
       current_block()->Finish(compare);
 
       set_current_block(if_true);
-      HInstruction* instr =
-          BuildStoreNamedField(object, name, value, map, &lookup, false);
+      HInstruction* instr;
+      CHECK_ALIVE(instr =
+          BuildStoreNamedField(object, name, value, map, &lookup, false));
       instr->set_position(expr->position());
       // Goto will add the HSimulate for the store.
       AddInstruction(instr);
       if (!ast_context()->IsEffect()) Push(value);
       current_block()->Goto(join);
 
       set_current_block(if_false);
     }
   }
 
@@ skipping 47 matching lines @@
     // Named store.
     CHECK_ALIVE(VisitForValue(expr->value()));
     value = Pop();
     HValue* object = Pop();
 
     Literal* key = prop->key()->AsLiteral();
     Handle<String> name = Handle<String>::cast(key->handle());
     ASSERT(!name.is_null());
 
     SmallMapList* types = expr->GetReceiverTypes();
-    LookupResult lookup(isolate());
-
     if (expr->IsMonomorphic()) {
-      instr = BuildStoreNamed(object, value, expr);
+      CHECK_ALIVE(instr = BuildStoreNamed(object, value, expr));
 
     } else if (types != NULL && types->length() > 1) {
       HandlePolymorphicStoreNamedField(expr, object, value, types, name);
       return;
 
     } else {
       instr = BuildStoreNamedGeneric(object, name, value);
     }
 
   } else {
@@ skipping 158 matching lines @@
       if (load->HasObservableSideEffects()) AddSimulate(expr->CompoundLoadId());
 
       CHECK_ALIVE(VisitForValue(expr->value()));
       HValue* right = Pop();
       HValue* left = Pop();
 
       HInstruction* instr = BuildBinaryOperation(operation, left, right);
       PushAndAdd(instr);
       if (instr->HasObservableSideEffects()) AddSimulate(operation->id());
 
-      HInstruction* store = BuildStoreNamed(obj, instr, prop);
+      HInstruction* store;
+      CHECK_ALIVE(store = BuildStoreNamed(obj, instr, prop));
       AddInstruction(store);
       // Drop the simulated receiver and value.  Return the value.
       Drop(2);
       Push(instr);
       if (store->HasObservableSideEffects()) AddSimulate(expr->AssignmentId());
       return ast_context()->ReturnValue(Pop());
 
     } else {
       // Keyed property.
       CHECK_ALIVE(VisitForValue(prop->obj()));
@@ skipping 2229 matching lines @@
         load = BuildLoadNamed(obj, prop, map, name);
       } else {
         load = BuildLoadNamedGeneric(obj, prop);
       }
       PushAndAdd(load);
       if (load->HasObservableSideEffects()) AddSimulate(expr->CountId());
 
       after = BuildIncrement(returns_original_input, expr);
       input = Pop();
 
-      HInstruction* store = BuildStoreNamed(obj, after, prop);
+      HInstruction* store;
+      CHECK_ALIVE(store = BuildStoreNamed(obj, after, prop));
       AddInstruction(store);
 
       // Overwrite the receiver in the bailout environment with the result
       // of the operation, and the placeholder with the original value if
       // necessary.
       environment()->SetExpressionStackAt(0, after);
       if (returns_original_input) environment()->SetExpressionStackAt(1, input);
       if (store->HasObservableSideEffects()) AddSimulate(expr->AssignmentId());
 
     } else {
@@ skipping 1746 matching lines @@
     }
   }
 
 #ifdef DEBUG
   if (graph_ != NULL) graph_->Verify(false);  // No full verify.
   if (allocator_ != NULL) allocator_->Verify();
 #endif
 }
 
 } }  // namespace v8::internal