authorMythri A <mythria@chromium.org>2020-04-03 16:30:13 +0100
committerMichal Klocek <michal.klocek@qt.io>2020-04-24 14:32:26 +0000
commit6d98471a3e1e1802d89fc1e0fbddb0d5305ecd65 (patch)
tree744556adcf75fa6db5dcbc31185c77975e568cd8
parentca5ef7e4a6c5d859d32d6c0628f396b6a1dda295 (diff)
downloadqtwebengine-chromium-6d98471a3e1e1802d89fc1e0fbddb0d5305ecd65.tar.gz
[Backport] Security bug 1053939 2/2
Try to update deprecated maps when recomputing handlers for keyed store For keyed stores we recompute handlers when we see a new map so that we could transition to the most general elements kind we have seen so far. When recomputing these handlers we drop the deprecated maps. Instead we could TryUpdate deprecated maps. This would be in line with what TurboFan does and may also be better for performance. Bug: chromium:1053939 Change-Id: Ic8641c852e15020c8b734fd9afa504327488fea1 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/v8/src/objects/feedback-vector.cc20
-rw-r--r--chromium/v8/src/objects/feedback-vector.h2
2 files changed, 14 insertions, 8 deletions
diff --git a/chromium/v8/src/objects/feedback-vector.cc b/chromium/v8/src/objects/feedback-vector.cc
index 7028d2b0df4..ca71891c274 100644
--- a/chromium/v8/src/objects/feedback-vector.cc
+++ b/chromium/v8/src/objects/feedback-vector.cc
@@ -966,7 +966,7 @@ int FeedbackNexus::ExtractMaps(MapHandles* maps) const {
int FeedbackNexus::ExtractMapsAndHandlers(
std::vector<std::pair<Handle<Map>, MaybeObjectHandle>>* maps_and_handlers,
- bool drop_deprecated) const {
+ bool try_update_deprecated) const {
DCHECK(IsLoadICKind(kind()) ||
IsStoreICKind(kind()) | IsKeyedLoadICKind(kind()) ||
IsKeyedStoreICKind(kind()) || IsStoreOwnICKind(kind()) ||
@@ -998,10 +998,13 @@ int FeedbackNexus::ExtractMapsAndHandlers(
MaybeObject handler = array.Get(i + 1);
if (!handler->IsCleared()) {
DCHECK(IC::IsHandler(handler));
- Map map = Map::cast(heap_object);
- if (drop_deprecated && map.is_deprecated()) continue;
+ Handle<Map> map(Map::cast(heap_object), isolate);
+ if (try_update_deprecated &&
+ !Map::TryUpdate(isolate, map).ToHandle(&map)) {
+ continue;
+ }
maps_and_handlers->push_back(
- MapAndHandler(handle(map, isolate), handle(handler, isolate)));
+ MapAndHandler(map, handle(handler, isolate)));
found++;
}
}
@@ -1011,10 +1014,13 @@ int FeedbackNexus::ExtractMapsAndHandlers(
MaybeObject handler = GetFeedbackExtra();
if (!handler->IsCleared()) {
DCHECK(IC::IsHandler(handler));
- Map map = Map::cast(heap_object);
- if (drop_deprecated && map.is_deprecated()) return 0;
+ Handle<Map> map = handle(Map::cast(heap_object), isolate);
+ if (try_update_deprecated &&
+ !Map::TryUpdate(isolate, map).ToHandle(&map)) {
+ return 0;
+ }
maps_and_handlers->push_back(
- MapAndHandler(handle(map, isolate), handle(handler, isolate)));
+ MapAndHandler(map, handle(handler, isolate)));
return 1;
}
}
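Review bot: In the array-walking hunk, the raw `MaybeObject handler` obtained from `array.Get(i + 1)` (and the `array` it came from, which appears to be a raw on-heap object rather than a handle) stays live across the newly inserted `Map::TryUpdate(isolate, map)` call and is only wrapped via `handle(handler, isolate)` afterwards, so this is sound only if TryUpdate is guaranteed never to allocate; that invariant is not stated here and deserves a comment such as `// Map::TryUpdate must not allocate: handler and array are raw on-heap references.` The second hunk has the same shape, with `handler` from `GetFeedbackExtra()` held raw across the call. The two hunks also spell the same construction differently, `Handle<Map> map(Map::cast(heap_object), isolate)` versus `Handle<Map> map = handle(Map::cast(heap_object), isolate)`; picking one form would make the duplicated update-or-skip block easier to factor into a shared helper. The updated `map` is pushed alongside a handler that was recorded for the original, possibly deprecated, map; if callers are expected to recompute handlers, as the commit message suggests for keyed stores, a one-line comment on the `push_back` saying so would save the next reader that question. `ExtractMapsAndHandlers` begins and ends outside the visible hunks.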
diff --git a/chromium/v8/src/objects/feedback-vector.h b/chromium/v8/src/objects/feedback-vector.h
index 730f6825f4d..c86af46dd5c 100644
--- a/chromium/v8/src/objects/feedback-vector.h
+++ b/chromium/v8/src/objects/feedback-vector.h
@@ -650,7 +650,7 @@ class V8_EXPORT_PRIVATE FeedbackNexus final {
int ExtractMaps(MapHandles* maps) const;
int ExtractMapsAndHandlers(std::vector<MapAndHandler>* maps_and_handlers,
- bool drop_deprecated = false) const;
+ bool try_update_deprecated = false) const;
MaybeObjectHandle FindHandlerForMap(Handle<Map> map) const;
bool IsCleared() const {