From 87463dd88b9c1b90f7a4c24859b277b4952cf076 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A9=AC=E5=AE=97=E5=AF=8C?=
Date: Sat, 30 Nov 2024 11:51:20 +0800
Subject: [PATCH] =?UTF-8?q?114=E4=BF=AE=E5=A4=8DCVE-339736513?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 马宗富
---
 src/ic/ic.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index b8f55270a..0a95dcced 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2262,15 +2262,16 @@ Handle KeyedStoreIC::StoreElementHandler(
 receiver_map->MayHaveReadOnlyElementsInPrototypeChain(isolate()),
 IsStoreInArrayLiteralIC());
- if (receiver_map->IsJSProxyMap()) {
+ if (!receiver_map->IsJSObjectMap()) {
 // DefineKeyedOwnIC, which is used to define computed fields in instances,
- // should be handled by the slow stub.
- if (IsDefineKeyedOwnIC()) {
- TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_SlowStub);
- return StoreHandler::StoreSlow(isolate(), store_mode);
+ // should handled by the slow stub below instead of the proxy stub.
+ if (receiver_map->IsJSProxyMap() && !IsDefineKeyedOwnIC()) {
+ return StoreHandler::StoreProxy(isolate());
 }
- return StoreHandler::StoreProxy(isolate());
+ // Wasm objects or other kind of special objects go through the slow stub.
+ TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_SlowStub);
+ return StoreHandler::StoreSlow(isolate(), store_mode);
 }
 // TODO(ishell): move to StoreHandler::StoreElement().
-- Gitee
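Review bot: Nothing in this patch pins the widened `!receiver_map->IsJSObjectMap()` guard in StoreElementHandler, since the diffstat lists only src/ic/ic.cc. A regression test that performs a keyed store on a non-JSObject, non-proxy receiver (the new comment names Wasm objects) and confirms it takes the slow stub would stop the guard being narrowed back to proxies later. The code after the guard presumably assumes a JSObject receiver, so `DCHECK(receiver_map->IsJSObjectMap());` right after the block's closing brace would make that invariant explicit; the rest of the function lies outside the hunk, so this is inferred. The rewritten comment also lost a word and should read `// should be handled by the slow stub below instead of the proxy stub.`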