From 696ce7df261f9d773adddb30d2a94eed1d577b5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Tue, 18 Jan 2022 14:12:27 +0100
Subject: [PATCH] deps: V8: cherry-pick 1cc12b278e22
Original commit message:
[ic] Add StoreOwnIC_Slow
This runtime function behaves like StoreDataPropertyInLiteral, except it can throw, since it's also used for defining public class fields. Unlike the literal use case, class field can end up throwing due to field initializers doing things like freezing the instance.
Bug: chromium:1264828
Change-Id: I3ea4d15ad9b906c26763f022c8e22b757fa80b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3252558
Commit-Queue: Igor Sheludko
Auto-Submit: Shu-yu Guo
Reviewed-by: Igor Sheludko
Cr-Commit-Position: refs/heads/main@{#77704}
Refs: https://github.com/v8/v8/commit/1cc12b278e22d9ad4f0154e4b9e63cbb707b4657
PR-URL: https://github.com/nodejs/node/pull/40907
Reviewed-By: Jiawen Geng
Reviewed-By: Colin Ihrig
Reviewed-By: Rich Trott
---
common.gypi | 2 +-
deps/v8/src/ic/accessor-assembler.cc | 15 +++++++------
deps/v8/src/ic/ic.cc | 21 +++++++++++++++++++
deps/v8/src/runtime/runtime.h | 1 +
.../mjsunit/regress/regress-crbug-1264828.js | 15 +++++++++++++
5 files changed, 47 insertions(+), 7 deletions(-)
create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-1264828.js
diff --git a/common.gypi b/common.gypi
index 3b49749da52dfc..8b323a5f10a4ea 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.10',
+ 'v8_embedder_string': '-node.11',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/ic/accessor-assembler.cc b/deps/v8/src/ic/accessor-assembler.cc
index 7a1f49d09a706b..83b296423d19aa 100644
--- a/deps/v8/src/ic/accessor-assembler.cc
+++ b/deps/v8/src/ic/accessor-assembler.cc
@@ -1296,13 +1296,16 @@ void AccessorAssembler::HandleStoreICHandlerCase(
 if (ic_mode == ICMode::kGlobalIC) {
 TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(), p->slot(), p->vector(), p->receiver(), p->name());
- } else if (p->IsStoreOwn()) {
- TailCallRuntime(Runtime::kStoreDataPropertyInLiteral, p->context(),
- p->receiver(), p->name(), p->value());
 } else {
- TailCallRuntime(p->IsDefineOwn() ? Runtime::kKeyedDefineOwnIC_Slow
- : Runtime::kKeyedStoreIC_Slow,
- p->context(), p->value(), p->receiver(), p->name());
+ Runtime::FunctionId id;
+ if (p->IsStoreOwn()) {
+ id = Runtime::kStoreOwnIC_Slow;
+ } else if (p->IsDefineOwn()) {
+ id = Runtime::kKeyedDefineOwnIC_Slow;
+ } else {
+ id = Runtime::kKeyedStoreIC_Slow;
+ }
+ TailCallRuntime(id, p->context(), p->value(), p->receiver(), p->name());
 }
 }
 }
diff --git a/deps/v8/src/ic/ic.cc b/deps/v8/src/ic/ic.cc
index 983cd9423b8c51..6141377bfea5c0 100644
--- a/deps/v8/src/ic/ic.cc
+++ b/deps/v8/src/ic/ic.cc
@@ -2751,6 +2751,27 @@ RUNTIME_FUNCTION(Runtime_StoreOwnIC_Miss) {
 RETURN_RESULT_OR_FAILURE(isolate, ic.Store(receiver, key, value));
 }
+RUNTIME_FUNCTION(Runtime_StoreOwnIC_Slow) {
+ HandleScope scope(isolate);
+ DCHECK_EQ(3, args.length());
+
+ Handle value = args.at(0);
+ Handle object = args.at(1);
+ Handle key = args.at(2);
+
+ // Unlike DefineOwn, StoreOwn doesn't handle private fields and is used for
+ // defining data properties in object literals and defining public class
+ // fields.
+ DCHECK(!key->IsSymbol() || !Symbol::cast(*key).is_private_name());
+
+ PropertyKey lookup_key(isolate, key);
+ LookupIterator it(isolate, object, lookup_key, LookupIterator::OWN);
+ MAYBE_RETURN(JSObject::DefineOwnPropertyIgnoreAttributes(
+ &it, value, NONE, Nothing()),
+ ReadOnlyRoots(isolate).exception());
+ return *value;
+}
+
 RUNTIME_FUNCTION(Runtime_StoreGlobalIC_Miss) {
 HandleScope scope(isolate);
 DCHECK_EQ(4, args.length());
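Review bot: The new `if`/`else if` chain selecting `id` carries no explanation of why StoreOwn no longer goes through kStoreDataPropertyInLiteral, which the removed lines show it did before; a reader of the IC code alone cannot tell that the difference is whether the slow path may raise. Suggest a comment above `Runtime::FunctionId id;`: `// StoreOwn also defines public class fields, whose initializers may already have frozen the receiver, so its slow path must be able to throw (StoreDataPropertyInLiteral cannot).` The argument order `(value, receiver, name)` now matches the other three-argument slow runtime functions, which is why the old `(receiver, name, value)` call could not simply be re-pointed. HandleStoreICHandlerCase begins before this hunk.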
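Review bot: The only guard against a private-name key in Runtime_StoreOwnIC_Slow is a `DCHECK`, so in release builds a key violating the invariant the comment states would fall straight through to `DefineOwnPropertyIgnoreAttributes` with the ordinary OWN lookup; if that is acceptable because the IC dispatch never routes private names here, the comment should say so, e.g. `// Private names are dispatched to DefineOwn by the IC and never reach this runtime; the DCHECK is debug-only.` The comment block also omits the reason this function exists next to StoreDataPropertyInLiteral: `MAYBE_RETURN` propagates a pending exception, which class field initializers such as the `Object.freeze(this)` in the added regression test can trigger, and a sentence to that effect would spare the next reader a trip to the commit message. As rendered on this page `Handle value = args.at(0)` and `Nothing()` appear without template arguments, which looks like a rendering artifact rather than the committed code.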
diff --git a/deps/v8/src/runtime/runtime.h b/deps/v8/src/runtime/runtime.h
index b50d481e8285c4..96b404f95d506f 100644
--- a/deps/v8/src/runtime/runtime.h
+++ b/deps/v8/src/runtime/runtime.h
@@ -638,6 +638,7 @@ namespace internal {
 F(KeyedStoreIC_Miss, 5, 1) \
 F(KeyedDefineOwnIC_Miss, 5, 1) \
 F(StoreInArrayLiteralIC_Miss, 5, 1) \
+ F(StoreOwnIC_Slow, 3, 1) \
 F(KeyedStoreIC_Slow, 3, 1) \
 F(KeyedDefineOwnIC_Slow, 3, 1) \
 F(LoadElementWithInterceptor, 2, 1) \
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1264828.js b/deps/v8/test/mjsunit/regress/regress-crbug-1264828.js
new file mode 100644
index 00000000000000..ce33cd6f8a0b2c
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1264828.js
@@ -0,0 +1,15 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+{
+ class C {
+ x = Object.freeze(this);
+ }
+ // Call once to install slow handler.
+ assertThrows(() => { new C(); });
+ // Hit the slow handler.
+ assertThrows(() => { new C(); });
+}