deps: V8: cherry-pick 1cc12b278e22

Original commit message:

    [ic] Add StoreOwnIC_Slow

    This runtime function behaves like StoreDataPropertyInLiteral, except it
    can throw, since it's also used for defining public class fields. Unlike
    the literal use case, class field can end up throwing due to field
    initializers doing things like freezing the instance.

    Bug: chromium:1264828
    Change-Id: I3ea4d15ad9b906c26763f022c8e22b757fa80b6c
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3252558
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Auto-Submit: Shu-yu Guo <syg@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#77704}

Refs: v8/v8@1cc12b2

PR-URL: #40907
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

Author: targos

common.gypi

@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.10',
+    'v8_embedder_string': '-node.11',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/ic/accessor-assembler.cc

@@ -1296,13 +1296,16 @@ void AccessorAssembler::HandleStoreICHandlerCase(
       if (ic_mode == ICMode::kGlobalIC) {
         TailCallRuntime(Runtime::kStoreGlobalIC_Slow, p->context(), p->value(),
                         p->slot(), p->vector(), p->receiver(), p->name());
-      } else if (p->IsStoreOwn()) {
-        TailCallRuntime(Runtime::kStoreDataPropertyInLiteral, p->context(),
-                        p->receiver(), p->name(), p->value());
       } else {
-        TailCallRuntime(p->IsDefineOwn() ? Runtime::kKeyedDefineOwnIC_Slow
-                                         : Runtime::kKeyedStoreIC_Slow,
-                        p->context(), p->value(), p->receiver(), p->name());
+        Runtime::FunctionId id;
+        if (p->IsStoreOwn()) {
+          id = Runtime::kStoreOwnIC_Slow;
+        } else if (p->IsDefineOwn()) {
+          id = Runtime::kKeyedDefineOwnIC_Slow;
+        } else {
+          id = Runtime::kKeyedStoreIC_Slow;
+        }
+        TailCallRuntime(id, p->context(), p->value(), p->receiver(), p->name());
       }
     }
   }

deps/v8/src/ic/ic.cc

@@ -2751,6 +2751,27 @@ RUNTIME_FUNCTION(Runtime_StoreOwnIC_Miss) {
   RETURN_RESULT_OR_FAILURE(isolate, ic.Store(receiver, key, value));
 }
 
+RUNTIME_FUNCTION(Runtime_StoreOwnIC_Slow) {
+  HandleScope scope(isolate);
+  DCHECK_EQ(3, args.length());
+
+  Handle<Object> value = args.at(0);
+  Handle<Object> object = args.at(1);
+  Handle<Object> key = args.at(2);
+
+  // Unlike DefineOwn, StoreOwn doesn't handle private fields and is used for
+  // defining data properties in object literals and defining public class
+  // fields.
+  DCHECK(!key->IsSymbol() || !Symbol::cast(*key).is_private_name());
+
+  PropertyKey lookup_key(isolate, key);
+  LookupIterator it(isolate, object, lookup_key, LookupIterator::OWN);
+  MAYBE_RETURN(JSObject::DefineOwnPropertyIgnoreAttributes(
+                   &it, value, NONE, Nothing<ShouldThrow>()),
+               ReadOnlyRoots(isolate).exception());
+  return *value;
+}
+
 RUNTIME_FUNCTION(Runtime_StoreGlobalIC_Miss) {
   HandleScope scope(isolate);
   DCHECK_EQ(4, args.length());

deps/v8/src/runtime/runtime.h

@@ -638,6 +638,7 @@ namespace internal {
   F(KeyedStoreIC_Miss, 5, 1)                 \
   F(KeyedDefineOwnIC_Miss, 5, 1)             \
   F(StoreInArrayLiteralIC_Miss, 5, 1)        \
+  F(StoreOwnIC_Slow, 3, 1)                   \
   F(KeyedStoreIC_Slow, 3, 1)                 \
   F(KeyedDefineOwnIC_Slow, 3, 1)             \
   F(LoadElementWithInterceptor, 2, 1)        \

deps/v8/test/mjsunit/regress/regress-crbug-1264828.js

@@ -0,0 +1,15 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+{
+  class C {
+    x = Object.freeze(this);
+  }
+  // Call once to install slow handler.
+  assertThrows(() => { new C(); });
+  // Hit the slow handler.
+  assertThrows(() => { new C(); });
+}