1 files changed, 29 insertions, 16 deletions

diff --git a/deps/v8/src/mips/stub-cache-mips.cc b/deps/v8/src/mips/stub-cache-mips.cc
index d5cf6de90..da6770a14 100644
--- a/deps/v8/src/mips/stub-cache-mips.cc
+++ b/deps/v8/src/mips/stub-cache-mips.cc
@@ -415,7 +415,7 @@ void StubCompiler::GenerateLoadFunctionPrototype(MacroAssembler* masm,
 // may be clobbered.
 void StubCompiler::GenerateStoreField(MacroAssembler* masm,
                                       Handle<JSObject> object,
-                                      int index,
+                                      LookupResult* lookup,
                                       Handle<Map> transition,
                                       Handle<Name> name,
                                       Register receiver_reg,
@@ -428,16 +428,6 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
   // a0 : value.
   Label exit;
 
-  LookupResult lookup(masm->isolate());
-  object->Lookup(*name, &lookup);
-  if (lookup.IsFound() && (lookup.IsReadOnly() || !lookup.IsCacheable())) {
-    // In sloppy mode, we could just return the value and be done. However, we
-    // might be in strict mode, where we have to throw. Since we cannot tell,
-    // go into slow case unconditionally.
-    __ jmp(miss_label);
-    return;
-  }
-
   // Check that the map of the object hasn't changed.
   CompareMapMode mode = transition.is_null() ? ALLOW_ELEMENT_TRANSITION_MAPS
                                              : REQUIRE_EXACT_MAP;
@@ -452,8 +442,9 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
   // Check that we are allowed to write this.
   if (!transition.is_null() && object->GetPrototype()->IsJSObject()) {
     JSObject* holder;
-    if (lookup.IsFound()) {
-      holder = lookup.holder();
+    // holder == object indicates that no property was found.
+    if (lookup->holder() != *object) {
+      holder = lookup->holder();
     } else {
       // Find the top object.
       holder = *object;
@@ -461,8 +452,19 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
         holder = JSObject::cast(holder->GetPrototype());
       } while (holder->GetPrototype()->IsJSObject());
     }
-    CheckPrototypes(object, receiver_reg, Handle<JSObject>(holder), name_reg,
-                    scratch1, scratch2, name, miss_restore_name);
+    Register holder_reg = CheckPrototypes(
+        object, receiver_reg, Handle<JSObject>(holder), name_reg,
+        scratch1, scratch2, name, miss_restore_name);
+    // If no property was found, and the holder (the last object in the
+    // prototype chain) is in slow mode, we need to do a negative lookup on the
+    // holder.
+    if (lookup->holder() == *object &&
+        !holder->HasFastProperties() &&
+        !holder->IsJSGlobalProxy() &&
+        !holder->IsJSGlobalObject()) {
+      GenerateDictionaryNegativeLookup(
+          masm, miss_restore_name, holder_reg, name, scratch1, scratch2);
+    }
   }
 
   // Stub never generated for non-global objects that require access
@@ -483,6 +485,7 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
     return;
   }
 
+  int index;
   if (!transition.is_null()) {
     // Update the map of the object.
     __ li(scratch1, Operand(transition));
@@ -498,6 +501,10 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
                         kDontSaveFPRegs,
                         OMIT_REMEMBERED_SET,
                         OMIT_SMI_CHECK);
+    index = transition->instance_descriptors()->GetFieldIndex(
+        transition->LastAdded());
+  } else {
+    index = lookup->GetFieldIndex().field_index();
   }
 
   // Adjust for the number of properties stored in the object. Even in the
@@ -2424,6 +2431,12 @@ void CallStubCompiler::CompileHandlerFrontend(Handle<Object> object,
       // Check that the object is a symbol.
       __ GetObjectType(a1, a1, a3);
       __ Branch(&miss, ne, a3, Operand(SYMBOL_TYPE));
+      // Check that the maps starting from the prototype haven't changed.
+      GenerateDirectLoadGlobalFunctionPrototype(
+          masm(), Context::SYMBOL_FUNCTION_INDEX, a0, &miss);
+      CheckPrototypes(
+          Handle<JSObject>(JSObject::cast(object->GetPrototype(isolate()))),
+          a0, holder, a3, a1, t0, name, &miss);
       break;
 
     case NUMBER_CHECK: {
@@ -3010,7 +3023,7 @@ Handle<Code> ConstructStubCompiler::CompileConstructStub(
   __ Check(eq, "Instance size of initial map changed.",
            a3, Operand(instance_size >> kPointerSizeLog2));
 #endif
-  __ AllocateInNewSpace(a3, t4, t5, t6, &generic_stub_call, SIZE_IN_WORDS);
+  __ Allocate(a3, t4, t5, t6, &generic_stub_call, SIZE_IN_WORDS);
 
   // Allocated the JSObject, now initialize the fields. Map is set to initial
   // map and properties and elements are set to empty fixed array.