deps: V8: backport 93f189f19a03

Original commit message:

    [ic] Fix non-GlobalIC store to interceptor on the global object

    We possibly need to load the global object from the global proxy as the holder
    of the named interceptor.

    Change-Id: I0f9f2e448630608ae853588f6751b55574a9efd9
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930903
    Commit-Queue: Igor Sheludko <[email protected]>
    Reviewed-by: Igor Sheludko <[email protected]>
    Cr-Commit-Position: refs/heads/master@{#65119}

Refs: v8/v8@93f189f
Fixes: #30586

PR-URL: #30681
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>

Author: targos

Diff for: common.gypi

@@ -39,7 +39,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.21',
+    'v8_embedder_string': '-node.22',
 
     ##### V8 defaults for Node.js #####
 

Diff for: deps/v8/src/ic/accessor-assembler.cc

@@ -1053,8 +1053,7 @@ void AccessorAssembler::HandleStoreICHandlerCase(
     {
       Comment("store_interceptor");
       TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
+                      p->value(), p->receiver(), p->name());
     }
 
     BIND(&if_slow);
@@ -1516,8 +1515,7 @@ void AccessorAssembler::HandleStoreICProtoHandler(
 
   {
     Label if_add_normal(this), if_store_global_proxy(this), if_api_setter(this),
-        if_accessor(this), if_native_data_property(this), if_slow(this),
-        if_interceptor(this);
+        if_accessor(this), if_native_data_property(this), if_slow(this);
 
     CSA_ASSERT(this, TaggedIsSmi(smi_handler));
     TNode<Int32T> handler_word = SmiToInt32(CAST(smi_handler));
@@ -1547,9 +1545,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
     GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kSlow)),
            &if_slow);
 
-    GotoIf(Word32Equal(handler_kind, Int32Constant(StoreHandler::kInterceptor)),
-           &if_interceptor);
-
     GotoIf(
         Word32Equal(handler_kind,
                     Int32Constant(StoreHandler::kApiSetterHolderIsPrototype)),
@@ -1574,14 +1569,6 @@ void AccessorAssembler::HandleStoreICProtoHandler(
       }
     }
 
-    BIND(&if_interceptor);
-    {
-      Comment("store_interceptor");
-      TailCallRuntime(Runtime::kStorePropertyWithInterceptor, p->context(),
-                      p->value(), p->slot(), p->vector(), p->receiver(),
-                      p->name());
-    }
-
     BIND(&if_add_normal);
     {
       // This is a case of "transitioning store" to a dictionary mode object

Diff for: deps/v8/src/ic/ic.cc

@@ -1308,8 +1308,7 @@ bool StoreIC::LookupForWrite(LookupIterator* it, Handle<Object> value,
         case LookupIterator::INTERCEPTOR: {
           Handle<JSObject> holder = it->GetHolder<JSObject>();
           InterceptorInfo info = holder->GetNamedInterceptor();
-          if ((it->HolderIsReceiverOrHiddenPrototype() &&
-               !info.non_masking()) ||
+          if (it->HolderIsReceiverOrHiddenPrototype() ||
               !info.getter().IsUndefined(isolate()) ||
               !info.query().IsUndefined(isolate())) {
             return true;
@@ -2718,23 +2717,20 @@ RUNTIME_FUNCTION(Runtime_LoadPropertyWithInterceptor) {
 
 RUNTIME_FUNCTION(Runtime_StorePropertyWithInterceptor) {
   HandleScope scope(isolate);
-  DCHECK_EQ(5, args.length());
+  DCHECK_EQ(3, args.length());
   // Runtime functions don't follow the IC's calling convention.
   Handle<Object> value = args.at(0);
-  Handle<Smi> slot = args.at<Smi>(1);
-  Handle<FeedbackVector> vector = args.at<FeedbackVector>(2);
-  Handle<JSObject> receiver = args.at<JSObject>(3);
-  Handle<Name> name = args.at<Name>(4);
-  FeedbackSlot vector_slot = FeedbackVector::ToSlot(slot->value());
+  Handle<JSObject> receiver = args.at<JSObject>(1);
+  Handle<Name> name = args.at<Name>(2);
 
   // TODO(ishell): Cache interceptor_holder in the store handler like we do
   // for LoadHandler::kInterceptor case.
   Handle<JSObject> interceptor_holder = receiver;
-  if (receiver->IsJSGlobalProxy()) {
-    FeedbackSlotKind kind = vector->GetKind(vector_slot);
-    if (IsStoreGlobalICKind(kind)) {
-      interceptor_holder = Handle<JSObject>::cast(isolate->global_object());
-    }
+  if (receiver->IsJSGlobalProxy() &&
+      (!receiver->HasNamedInterceptor() ||
+       receiver->GetNamedInterceptor().non_masking())) {
+    interceptor_holder =
+        handle(JSObject::cast(receiver->map().prototype()), isolate);
   }
   DCHECK(interceptor_holder->HasNamedInterceptor());
   Handle<InterceptorInfo> interceptor(interceptor_holder->GetNamedInterceptor(),