From c26ef77e6c5d299b9d45408a6e6a2951c5ef73ed Mon Sep 17 00:00:00 2001
From: Keeley Hammond <vertedinde@electronjs.org>
Date: Mon, 13 May 2024 04:01:19 -0700
Subject: [PATCH] chore: cherry-pick f320600cd1f4 from v8 (#42122)

* chore: cherry-pick f320600cd1f4 from v8

* chore: update patches

---------

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
---
 patches/v8/.patches                       |  1 +
 patches/v8/cherry-pick-f320600cd1f4.patch | 27 +++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 patches/v8/cherry-pick-f320600cd1f4.patch

diff --git a/patches/v8/.patches b/patches/v8/.patches
index 280a34b93603..dd5b93a8df77 100644
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -1,2 +1,3 @@
 chore_allow_customizing_microtask_policy_per_context.patch
 deps_add_v8_object_setinternalfieldfornodecore.patch
+cherry-pick-f320600cd1f4.patch
diff --git a/patches/v8/cherry-pick-f320600cd1f4.patch b/patches/v8/cherry-pick-f320600cd1f4.patch
new file mode 100644
index 000000000000..57fb23cfe84a
--- /dev/null
+++ b/patches/v8/cherry-pick-f320600cd1f4.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shu-yu Guo <syg@chromium.org>
+Date: Thu, 9 May 2024 12:03:28 -0700
+Subject: Only normalize JSObject targets in SetOrCopyDataProperties
+
+Bug: 339458194
+Change-Id: I4d6eebdd921971fa28d7c474535d978900ba633f
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5527397
+Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
+Commit-Queue: Shu-yu Guo <syg@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#93811}
+
+diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
+index e5a03dff14835e98a53ff7a40c5c60b362c4afec..2f3ab484cdc010915c57cd6112c4330c4ed69c6c 100644
+--- a/src/objects/js-objects.cc
++++ b/src/objects/js-objects.cc
+@@ -432,9 +432,7 @@ Maybe<bool> JSReceiver::SetOrCopyDataProperties(
+       Nothing<bool>());
+ 
+   if (!from->HasFastProperties() && target->HasFastProperties() &&
+-      !IsJSGlobalProxy(*target)) {
+-    // JSProxy is always in slow-mode.
+-    DCHECK(!IsJSProxy(*target));
++      IsJSObject(*target) && !IsJSGlobalProxy(*target)) {
+     // Convert to slow properties if we're guaranteed to overflow the number of
+     // descriptors.
+     int source_length;