Make proxies work as prototypes.

src/objects.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 115 matching lines @@
   }
   if (heap_object->IsHeapNumber()) {
     return HeapNumber::cast(this)->HeapNumberToBoolean();
   }
   return heap_object->GetHeap()->true_value();
 }
 
 
 void Object::Lookup(String* name, LookupResult* result) {
   Object* holder = NULL;
-  if (IsSmi()) {
+  if (IsJSReceiver()) {
+    holder = this;
+  } else {
     Context* global_context = Isolate::Current()->context()->global_context();
-    holder = global_context->number_function()->instance_prototype();
-  } else {
-    HeapObject* heap_object = HeapObject::cast(this);
-    if (heap_object->IsJSObject()) {
-      return JSObject::cast(this)->Lookup(name, result);
-    } else if (heap_object->IsJSProxy()) {
-      return result->HandlerResult();
-    }
-    Context* global_context = Isolate::Current()->context()->global_context();
-    if (heap_object->IsString()) {
+    if (IsSmi()) {

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

You can use IsNumber() here and remove the clause for IsHeapNumber() below.

[rossberg, 2011/08/31 13:28:32]

Done.

+      holder = global_context->number_function()->instance_prototype();
+    } else if (IsString()) {
       holder = global_context->string_function()->instance_prototype();
-    } else if (heap_object->IsHeapNumber()) {
+    } else if (IsHeapNumber()) {
       holder = global_context->number_function()->instance_prototype();
-    } else if (heap_object->IsBoolean()) {
+    } else if (IsBoolean()) {
       holder = global_context->boolean_function()->instance_prototype();
     }
   }
   ASSERT(holder != NULL);  // Cannot handle null or undefined.
-  JSObject::cast(holder)->Lookup(name, result);
+  JSReceiver::cast(holder)->Lookup(name, result);
 }
 
 
 MaybeObject* Object::GetPropertyWithReceiver(Object* receiver,
                                              String* name,
                                              PropertyAttributes* attributes) {
   LookupResult result;
   Lookup(name, &result);
   MaybeObject* value = GetProperty(receiver, &result, name, attributes);
   ASSERT(*attributes <= ABSENT);
@@ skipping 52 matching lines @@
     }
     // Getter is not a function.
     return isolate->heap()->undefined_value();
   }
 
   UNREACHABLE();
   return NULL;
 }
 
 
-MaybeObject* Object::GetPropertyWithHandler(Object* receiver_raw,
-                                            String* name_raw,
-                                            Object* handler_raw) {
-  Isolate* isolate = name_raw->GetIsolate();
+MaybeObject* JSProxy::GetPropertyWithHandler(Object* receiver_raw,
+                                             String* name_raw) {
+  Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<Object> receiver(receiver_raw);
   Handle<Object> name(name_raw);
-  Handle<Object> handler(handler_raw);
 
-  // Extract trap function.
-  Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol("get");
-  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
+  Object** args[] = { receiver.location(), name.location() };

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

We seem to have a mix of this style and

Handle<Object> args[] = { receiver, name };
Handle<Object> result = CallTrap(..., HandleVector(args, ARRAY_SIZE(args));

I prefer the Handle version, partly because mentioning Handle<T>::location()
indicates something special and weird going on and so I prefer to keep it rare.

Also, seeing Handle in a signature makes it obvious (?) that the function is in
the handle world and should not be called from the raw pointer world.

[rossberg, 2011/08/31 13:28:32]

I agree. I fully handlified the type of CallTrap. But that seems to require an
ugly reinterpret_cast for args. Is there a reason whys Execution::Call and
friends do not properly type the args array with Handle<>[]? Or even use a
HandleVector, like e.g. Throw() etc? Is that perhaps worth changing?

+  Handle<Object> result = CallTrap(
+    "get", *isolate->derived_get_trap(), ARRAY_SIZE(args), args);
   if (isolate->has_pending_exception()) return Failure::Exception();
-  if (trap->IsUndefined()) {
-    // Get the derived `get' property.
-    trap = isolate->derived_get_trap();
-  }
-
-  // Call trap function.
-  Object** args[] = { receiver.location(), name.location() };
-  bool has_exception;
-  Handle<Object> result =
-      Execution::Call(trap, handler, ARRAY_SIZE(args), args, &has_exception);
-  if (has_exception) return Failure::Exception();
 
   return *result;
 }
 
 
 MaybeObject* Object::GetPropertyWithDefinedGetter(Object* receiver,
                                                   JSFunction* getter) {
   HandleScope scope;
   Handle<JSFunction> fun(JSFunction::cast(getter));
   Handle<Object> self(receiver);
@@ skipping 297 matching lines @@
       if (current == last) break;
     }
   }
 
   if (!result->IsProperty()) {
     *attributes = ABSENT;
     return heap->undefined_value();
   }
   *attributes = result->GetAttributes();
   Object* value;
-  JSObject* holder = result->holder();
   switch (result->type()) {
     case NORMAL:
-      value = holder->GetNormalizedProperty(result);
+      value = result->holder()->GetNormalizedProperty(result);
       ASSERT(!value->IsTheHole() || result->IsReadOnly());
       return value->IsTheHole() ? heap->undefined_value() : value;
     case FIELD:
-      value = holder->FastPropertyAt(result->GetFieldIndex());
+      value = result->holder()->FastPropertyAt(result->GetFieldIndex());
       ASSERT(!value->IsTheHole() || result->IsReadOnly());
       return value->IsTheHole() ? heap->undefined_value() : value;
     case CONSTANT_FUNCTION:
       return result->GetConstantFunction();
     case CALLBACKS:
       return GetPropertyWithCallback(receiver,
                                      result->GetCallbackObject(),
                                      name,
-                                     holder);
-    case HANDLER: {
-      JSProxy* proxy = JSProxy::cast(this);
-      return GetPropertyWithHandler(receiver, name, proxy->handler());
-    }
+                                     result->holder());
+    case HANDLER:
+      return result->proxy()->GetPropertyWithHandler(receiver, name);
     case INTERCEPTOR: {
       JSObject* recvr = JSObject::cast(receiver);
-      return holder->GetPropertyWithInterceptor(recvr, name, attributes);
+      return result->holder()->GetPropertyWithInterceptor(
+          recvr, name, attributes);
     }
     case MAP_TRANSITION:
     case EXTERNAL_ARRAY_TRANSITION:
     case CONSTANT_TRANSITION:
     case NULL_DESCRIPTOR:
       break;
   }
   UNREACHABLE();
   return NULL;
 }
@@ skipping 1287 matching lines @@
           *isolate->factory()->NewTypeError("no_setter_in_callback",
                                             HandleVector(args, 2)));
     }
   }
 
   UNREACHABLE();
   return NULL;
 }
 
 
-MaybeObject* JSObject::SetPropertyWithDefinedSetter(JSFunction* setter,
+MaybeObject* JSReceiver::SetPropertyWithDefinedSetter(JSFunction* setter,
                                                     Object* value) {

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

Indentation is now off.

[rossberg, 2011/08/31 13:28:32]

Done.

   Isolate* isolate = GetIsolate();
   Handle<Object> value_handle(value, isolate);
   Handle<JSFunction> fun(JSFunction::cast(setter), isolate);
-  Handle<JSObject> self(this, isolate);
+  Handle<JSReceiver> self(this, isolate);
 #ifdef ENABLE_DEBUGGER_SUPPORT
   Debug* debug = isolate->debug();
   // Handle stepping into a setter if step into is active.
   if (debug->StepInActive()) {
     debug->HandleStepIn(fun, Handle<Object>::null(), 0, false);
   }
 #endif
   bool has_pending_exception;
   Object** argv[] = { value_handle.location() };
   Execution::Call(fun, self, 1, argv, &has_pending_exception);
   // Check for pending exception and return the result.
   if (has_pending_exception) return Failure::Exception();
   return *value_handle;
 }
 
 
 void JSObject::LookupCallbackSetterInPrototypes(String* name,
                                                 LookupResult* result) {
   Heap* heap = GetHeap();
   for (Object* pt = GetPrototype();
        pt != heap->null_value();
        pt = pt->GetPrototype()) {
+    if (pt->IsJSProxy()) {
+      result->HandlerResult(JSProxy::cast(pt));

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

I like to write

return result->HandlerResult(JSProxy::cast(pt));

[rossberg, 2011/08/31 13:28:32]

I know. :) Done.

+      return;
+    }
     JSObject::cast(pt)->LocalLookupRealNamedProperty(name, result);
     if (result->IsProperty()) {
       if (result->type() == CALLBACKS && !result->IsReadOnly()) return;
       // Found non-callback or read-only callback, stop looking.
       break;
     }
   }
   result->NotFound();
 }
 
@@ skipping 165 matching lines @@
   return new_map;
 }
 
 
 void JSObject::LocalLookupRealNamedProperty(String* name,
                                             LookupResult* result) {
   if (IsJSGlobalProxy()) {
     Object* proto = GetPrototype();
     if (proto->IsNull()) return result->NotFound();
     ASSERT(proto->IsJSGlobalObject());
+    // A GlobalProxy's prototype should always be a proper JSObject.
     return JSObject::cast(proto)->LocalLookupRealNamedProperty(name, result);
   }
 
   if (HasFastProperties()) {
     LookupInDescriptor(name, result);
     if (result->IsFound()) {
       // A property, a map transition or a null descriptor was found.
       // We return all of these result types because
       // LocalLookupRealNamedProperty is used when setting properties
       // where map transitions and null descriptors are handled.
@@ skipping 106 matching lines @@
   return *value_handle;
 }
 
 
 MaybeObject* JSReceiver::SetProperty(LookupResult* result,
                                      String* key,
                                      Object* value,
                                      PropertyAttributes attributes,
                                      StrictModeFlag strict_mode) {
   if (result->IsFound() && result->type() == HANDLER) {
-    return JSProxy::cast(this)->SetPropertyWithHandler(
+    return result->proxy()->SetPropertyWithHandler(
         key, value, attributes, strict_mode);
   } else {
     return JSObject::cast(this)->SetPropertyForResult(
         result, key, value, attributes, strict_mode);
   }
 }
 
 
 bool JSProxy::HasPropertyWithHandler(String* name_raw) {
   Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<Object> receiver(this);
   Handle<Object> name(name_raw);
-  Handle<Object> handler(this->handler());
 
-  // Extract trap function.
-  Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol("has");
-  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
+  Object** args[] = { name.location() };
+  Handle<Object> result = CallTrap(
+    "has", *isolate->derived_has_trap(), ARRAY_SIZE(args), args);
   if (isolate->has_pending_exception()) return Failure::Exception();
-  if (trap->IsUndefined()) {
-    trap = isolate->derived_has_trap();
-  }
-
-  // Call trap function.
-  Object** args[] = { name.location() };
-  bool has_exception;
-  Handle<Object> result =
-      Execution::Call(trap, handler, ARRAY_SIZE(args), args, &has_exception);
-  if (has_exception) return Failure::Exception();
 
   return result->ToBoolean()->IsTrue();
 }
 
 
 MUST_USE_RESULT MaybeObject* JSProxy::SetPropertyWithHandler(
     String* name_raw,
     Object* value_raw,
     PropertyAttributes attributes,
     StrictModeFlag strict_mode) {
   Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<Object> receiver(this);
   Handle<Object> name(name_raw);
   Handle<Object> value(value_raw);
-  Handle<Object> handler(this->handler());
 
-  // Extract trap function.
-  Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol("set");
-  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
-  if (isolate->has_pending_exception()) return Failure::Exception();
-  if (trap->IsUndefined()) {
-    trap = isolate->derived_set_trap();
-  }
-
-  // Call trap function.
   Object** args[] = {
       receiver.location(), name.location(), value.location()
   };
-  bool has_exception;
-  Execution::Call(trap, handler, ARRAY_SIZE(args), args, &has_exception);
-  if (has_exception) return Failure::Exception();
+  CallTrap("set", *isolate->derived_set_trap(), ARRAY_SIZE(args), args);
+  if (isolate->has_pending_exception()) return Failure::Exception();
 
   return *value;
 }
 
 
 MUST_USE_RESULT MaybeObject* JSProxy::DeletePropertyWithHandler(
     String* name_raw, DeleteMode mode) {
   Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<Object> receiver(this);
   Handle<Object> name(name_raw);
-  Handle<Object> handler(this->handler());
 
-  // Extract trap function.
-  Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol("delete");
-  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
+  Object** args[] = { name.location() };
+  Handle<Object> result = CallTrap("delete", NULL, ARRAY_SIZE(args), args);
   if (isolate->has_pending_exception()) return Failure::Exception();
-  if (trap->IsUndefined()) {
-    Handle<Object> args[] = { handler, trap_name };
-    Handle<Object> error = isolate->factory()->NewTypeError(
-        "handler_trap_missing", HandleVector(args, ARRAY_SIZE(args)));
-    isolate->Throw(*error);
-    return Failure::Exception();
-  }
-
-  // Call trap function.
-  Object** args[] = { name.location() };
-  bool has_exception;
-  Handle<Object> result =
-      Execution::Call(trap, handler, ARRAY_SIZE(args), args, &has_exception);
-  if (has_exception) return Failure::Exception();
 
   Object* bool_result = result->ToBoolean();
   if (mode == STRICT_DELETION && bool_result == GetHeap()->false_value()) {
-    Handle<Object> args[] = { handler, trap_name };
+    Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol("delete");
+    Handle<Object> args[] = { Handle<Object>(handler()), trap_name };
     Handle<Object> error = isolate->factory()->NewTypeError(
         "handler_failed", HandleVector(args, ARRAY_SIZE(args)));
     isolate->Throw(*error);
     return Failure::Exception();
   }
   return bool_result;
 }
 
 
 MUST_USE_RESULT PropertyAttributes JSProxy::GetPropertyAttributeWithHandler(
-    JSReceiver* receiver_raw,
-    String* name_raw,
-    bool* has_exception) {
+    JSReceiver* receiver_raw, String* name_raw) {

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

Also one parameter per line here.

[rossberg, 2011/08/31 13:28:32]

Done.

   Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<JSReceiver> receiver(receiver_raw);
   Handle<Object> name(name_raw);
-  Handle<Object> handler(this->handler());
 
-  // Extract trap function.
-  Handle<String> trap_name =
-      isolate->factory()->LookupAsciiSymbol("getPropertyDescriptor");
-  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
+  Object** args[] = { name.location() };
+  Handle<Object> result = CallTrap(
+    "getPropertyDescriptor", NULL, ARRAY_SIZE(args), args);
   if (isolate->has_pending_exception()) return NONE;
-  if (trap->IsUndefined()) {
-    Handle<Object> args[] = { handler, trap_name };
-    Handle<Object> error = isolate->factory()->NewTypeError(
-        "handler_trap_missing", HandleVector(args, ARRAY_SIZE(args)));
-    isolate->Throw(*error);
-    *has_exception = true;
-    return NONE;
-  }
 
-  // Call trap function.
-  Object** args[] = { name.location() };
-  Handle<Object> result =
-      Execution::Call(trap, handler, ARRAY_SIZE(args), args, has_exception);
-  if (has_exception) return NONE;
+  if (result->IsUndefined()) return ABSENT;
 
   // TODO(rossberg): convert result to PropertyAttributes
-  USE(result);
   return NONE;
 }
 
 
 void JSProxy::Fix() {
   Isolate* isolate = GetIsolate();
   HandleScope scope(isolate);
   Handle<JSProxy> self(this);
 
   if (IsJSFunctionProxy()) {
     isolate->factory()->BecomeJSFunction(self);
     // Code will be set on the JavaScript side.
   } else {
     isolate->factory()->BecomeJSObject(self);
   }
   ASSERT(self->IsJSObject());
 }
 
 
+MUST_USE_RESULT Handle<Object> JSProxy::CallTrap(
+    const char* name, Object* derived, int argc, Object*** args) {

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

I think there's a GC hazard here.  derived is a raw pointer, and looking up a
symbol in the symbol table can cause allocation and thus GC (it may have to
allocate the symbol and may also have to grow the symbol table).

Change derived to Handle<Object> in the signature?

[rossberg, 2011/08/31 13:28:32]

Done.

+  Isolate* isolate = GetIsolate();
+  Handle<Object> handler(this->handler());
+
+  Handle<String> trap_name = isolate->factory()->LookupAsciiSymbol(name);
+  Handle<Object> trap(v8::internal::GetProperty(handler, trap_name));
+  if (isolate->has_pending_exception()) return trap;
+
+  if (trap->IsUndefined()) {
+    if (derived == NULL) {
+      Handle<Object> args[] = { handler, trap_name };
+      Handle<Object> error = isolate->factory()->NewTypeError(
+        "handler_trap_missing", HandleVector(args, ARRAY_SIZE(args)));
+      isolate->Throw(*error);
+      return Handle<Object>();
+    }
+    trap = Handle<Object>(derived);
+  }
+
+  bool threw = false;
+  return Execution::Call(trap, handler, argc, args, &threw);
+}
+
 
 MaybeObject* JSObject::SetPropertyForResult(LookupResult* result,

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

I think SetPropertyForResult needs a better name but I'm at a loss for ideas.

[rossberg, 2011/08/31 13:28:32]

Same here. IMHO some bigger clean-up of the whole Get/Set interface is in order
soon anyway, I'd leave it for that.

                                             String* name,
                                             Object* value,
                                             PropertyAttributes attributes,
                                             StrictModeFlag strict_mode) {
   Heap* heap = GetHeap();
   // Make sure that the top context does not change when doing callbacks or
   // interceptor calls.
   AssertNoContextChange ncc;
 
   // Optimization for 2-byte strings often used as keys in a decompression
   // dictionary.  We make these short keys into symbols to avoid constantly
   // reallocating them.
   if (!name->IsSymbol() && name->length() <= 2) {
     Object* symbol_version;
     { MaybeObject* maybe_symbol_version = heap->LookupSymbol(name);
       if (maybe_symbol_version->ToObject(&symbol_version)) {
         name = String::cast(symbol_version);
       }
     }
   }
 
   // Check access rights if needed.
-  if (IsAccessCheckNeeded()
-      && !heap->isolate()->MayNamedAccess(this, name, v8::ACCESS_SET)) {
-    return SetPropertyWithFailedAccessCheck(result,
-                                            name,
-                                            value,
-                                            true,
-                                            strict_mode);
+  if (IsAccessCheckNeeded()) {
+    JSObject* object = JSObject::cast(this);

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

Isn't this already JSObject*?

[rossberg, 2011/08/31 13:28:32]

Right. I had moved the method to JSReceiver, but undid that and overlooked this.

+    if (!heap->isolate()->MayNamedAccess(object, name, v8::ACCESS_SET)) {
+      return object->SetPropertyWithFailedAccessCheck(
+          result, name, value, true, strict_mode);
+    }
   }
 
   if (IsJSGlobalProxy()) {
     Object* proto = GetPrototype();
     if (proto->IsNull()) return value;
     ASSERT(proto->IsJSGlobalObject());
-    return JSObject::cast(proto)->SetProperty(
+    return JSObject::cast(proto)->SetPropertyForResult(
         result, name, value, attributes, strict_mode);
   }
 
   if (!result->IsProperty() && !IsJSContextExtensionObject()) {
     // We could not find a local property so let's check whether there is an
     // accessor that wants to handle the property.
     LookupResult accessor_result;
     LookupCallbackSetterInPrototypes(name, &accessor_result);
-    if (accessor_result.IsProperty()) {
-      return SetPropertyWithCallback(accessor_result.GetCallbackObject(),
-                                     name,
-                                     value,
-                                     accessor_result.holder(),
-                                     strict_mode);
+    if (accessor_result.IsFound()) {
+      if (accessor_result.type() == CALLBACKS) {
+        return SetPropertyWithCallback(accessor_result.GetCallbackObject(),
+                                       name,
+                                       value,
+                                       accessor_result.holder(),
+                                       strict_mode);
+      } else if (accessor_result.type() == HANDLER) {
+        // There is a proxy in the prototype chain. Invoke its
+        // getOwnPropertyDescriptor trap.
+        Isolate* isolate = heap->isolate();
+        Handle<JSProxy> proxy(accessor_result.proxy());
+        Handle<Object> hname(name);
+        Object** args[] = { hname.location() };
+        Handle<Object> result = proxy->CallTrap(

[Kevin Millikin (Chromium), 2011/08/31 10:15:31]

There's also a GC hazard here.  CallTrap can silently perform GC and there's no
way for the caller of this function to find that out.

[rossberg, 2011/08/31 13:28:32]

Argh, of course. The good news is that the only caller is
JSReceiver::SetProperty, which is already documented to potentially cause GC.

The bad news is that a GC might invalidate `result' -- specifically,
result->holder, which is used for a number of methods on LookupResult below, so
it's not enough to handlify the holder separately from `result'.

I think I can get around that problem here by fully separating the code paths
(in this case, this only required duplicating the !IsFound case). But in
general, is there a way to properly deal with GC vs LookupResult?

+          "getOwnPropertyDescriptor", NULL, ARRAY_SIZE(args), args);
+        if (isolate->has_pending_exception()) return Failure::Exception();
+
+        if (!result->IsUndefined()) {
+          // The proxy handler cares about this property.
+          // Check whether it is virtualized as an accessor.
+          Handle<String> getter_name =
+              isolate->factory()->LookupAsciiSymbol("get");
+          Handle<Object> getter(
+              v8::internal::GetProperty(result, getter_name));
+          if (isolate->has_pending_exception()) return Failure::Exception();
+          Handle<String> setter_name =
+              isolate->factory()->LookupAsciiSymbol("set");
+          Handle<Object> setter(
+              v8::internal::GetProperty(result, setter_name));
+          if (isolate->has_pending_exception()) return Failure::Exception();
+
+          if (!setter->IsUndefined()) {
+            // We have a setter -- invoke it.
+            if (setter->IsJSFunction()) {
+              return proxy->SetPropertyWithDefinedSetter(
+                  JSFunction::cast(*setter), value);
+            }
+            Handle<Object> args[] = { setter };
+            Handle<Object> error = isolate->factory()->NewTypeError(
+               "setter_must_be_callable", HandleVector(args, ARRAY_SIZE(args)));
+            return isolate->Throw(*error);
+          } else if (!getter->IsUndefined()) {
+            // We have a getter but no setter -- the property may not be
+            // written. In strict mode, throw an error.
+            if (strict_mode == kNonStrictMode) return value;
+            Handle<Object> args[] = { hname, proxy };
+            Handle<Object> error = isolate->factory()->NewTypeError(
+                "no_setter_in_callback", HandleVector(args, ARRAY_SIZE(args)));
+            return isolate->Throw(*error);
+          }
+          // The proxy does not define the property as an accessor.
+          // Consequently, it has no effect on setting the receiver.
+          // Fall through.
+        }
+      }
     }
   }
   if (!result->IsFound()) {
     // Neither properties nor transitions found.
     return AddProperty(name, value, attributes, strict_mode);
   }
   if (result->IsReadOnly() && result->IsProperty()) {
     if (strict_mode == kStrictMode) {
       HandleScope scope(heap->isolate());
       Handle<String> key(name);
@@ skipping 254 matching lines @@
     }
   }
   if (result->IsProperty()) {
     switch (result->type()) {
       case NORMAL:  // fall through
       case FIELD:
       case CONSTANT_FUNCTION:
       case CALLBACKS:
         return result->GetAttributes();
       case HANDLER: {
-        // TODO(rossberg): propagate exceptions properly.
-        bool has_exception = false;
-        return JSProxy::cast(this)->GetPropertyAttributeWithHandler(
-            receiver, name, &has_exception);
+        return JSProxy::cast(result->proxy())->GetPropertyAttributeWithHandler(
+            receiver, name);
       }
       case INTERCEPTOR:
         return result->holder()->GetPropertyAttributeWithInterceptor(
             JSObject::cast(receiver), name, continue_search);
       default:
         UNREACHABLE();
     }
   }
   return ABSENT;
 }
@@ skipping 778 matching lines @@
   for (int i = 0; i < descs->number_of_descriptors(); i++) {
     if (name->Equals(descs->GetKey(i)) && descs->GetType(i) == CALLBACKS) {
       return descs->GetCallbacks(i);
     }
   }
   return NULL;
 }
 
 
 void JSReceiver::LocalLookup(String* name, LookupResult* result) {
-  if (IsJSProxy()) {
-    result->HandlerResult();
-  } else {
-    JSObject::cast(this)->LocalLookup(name, result);
-  }
-}
-
-
-void JSObject::LocalLookup(String* name, LookupResult* result) {
   ASSERT(name->IsString());
 
   Heap* heap = GetHeap();
 
   if (IsJSGlobalProxy()) {
     Object* proto = GetPrototype();
     if (proto->IsNull()) return result->NotFound();
     ASSERT(proto->IsJSGlobalObject());
-    return JSObject::cast(proto)->LocalLookup(name, result);
+    return JSReceiver::cast(proto)->LocalLookup(name, result);
+  }
+
+  if (IsJSProxy()) {
+    result->HandlerResult(JSProxy::cast(this));
+    return;
   }
 
   // Do not use inline caching if the object is a non-global object
   // that requires access checks.
-  if (!IsJSGlobalProxy() && IsAccessCheckNeeded()) {
+  if (IsAccessCheckNeeded()) {
     result->DisallowCaching();
   }
 
+  JSObject* js_object = JSObject::cast(this);
+
   // Check __proto__ before interceptor.
   if (name->Equals(heap->Proto_symbol()) && !IsJSContextExtensionObject()) {
-    result->ConstantResult(this);
+    result->ConstantResult(js_object);
     return;
   }
 
   // Check for lookup interceptor except when bootstrapping.
-  if (HasNamedInterceptor() && !heap->isolate()->bootstrapper()->IsActive()) {
-    result->InterceptorResult(this);
+  if (js_object->HasNamedInterceptor() &&
+      !heap->isolate()->bootstrapper()->IsActive()) {
+    result->InterceptorResult(js_object);
     return;
   }
 
-  LocalLookupRealNamedProperty(name, result);
+  js_object->LocalLookupRealNamedProperty(name, result);
 }
 
 
 void JSReceiver::Lookup(String* name, LookupResult* result) {
   // Ecma-262 3rd 8.6.2.4
   Heap* heap = GetHeap();
   for (Object* current = this;
        current != heap->null_value();
        current = JSObject::cast(current)->GetPrototype()) {
-    JSObject::cast(current)->LocalLookup(name, result);
+    JSReceiver::cast(current)->LocalLookup(name, result);
     if (result->IsProperty()) return;
   }
   result->NotFound();
 }
 
 
 // Search object and it's prototype chain for callback properties.
 void JSObject::LookupCallback(String* name, LookupResult* result) {
   Heap* heap = GetHeap();
   for (Object* current = this;
@@ skipping 2626 matching lines @@
   for (int i = 0; i < descriptors->number_of_descriptors(); i++) {
     if (descriptors->GetType(i) == MAP_TRANSITION ||
         descriptors->GetType(i) == EXTERNAL_ARRAY_TRANSITION ||
         descriptors->GetType(i) == CONSTANT_TRANSITION) {
       // Get target.
       Map* target = Map::cast(descriptors->GetValue(i));
 #ifdef DEBUG
       // Verify target.
       Object* source_prototype = prototype();
       Object* target_prototype = target->prototype();
-      ASSERT(source_prototype->IsJSObject() ||
+      ASSERT(source_prototype->IsJSReceiver() ||
              source_prototype->IsMap() ||
              source_prototype->IsNull());
-      ASSERT(target_prototype->IsJSObject() ||
+      ASSERT(target_prototype->IsJSReceiver() ||
              target_prototype->IsNull());
       ASSERT(source_prototype->IsMap() ||
              source_prototype == target_prototype);
 #endif
       // Point target back to source.  set_prototype() will not let us set
       // the prototype to a map, as we do here.
       *RawField(target, kPrototypeOffset) = this;
     }
   }
 }
@@ skipping 1509 matching lines @@
     return heap->isolate()->Throw(
         *FACTORY->NewTypeError("non_extensible_proto",
                                HandleVector<Object>(&handle, 1)));
   }
 
   // Before we can set the prototype we need to be sure
   // prototype cycles are prevented.
   // It is sufficient to validate that the receiver is not in the new prototype
   // chain.
   for (Object* pt = value; pt != heap->null_value(); pt = pt->GetPrototype()) {
-    if (JSObject::cast(pt) == this) {
+    if (JSReceiver::cast(pt) == this) {
       // Cycle detected.
       HandleScope scope(heap->isolate());
       return heap->isolate()->Throw(
           *FACTORY->NewError("cyclic_proto", HandleVector<Object>(NULL, 0)));
     }
   }
 
   JSReceiver* real_receiver = this;
 
   if (skip_hidden_prototypes) {
     // Find the first object in the chain whose prototype object is not
     // hidden and set the new prototype on that object.
     Object* current_proto = real_receiver->GetPrototype();
     while (current_proto->IsJSObject() &&
-          JSObject::cast(current_proto)->map()->is_hidden_prototype()) {
-      real_receiver = JSObject::cast(current_proto);
+          JSReceiver::cast(current_proto)->map()->is_hidden_prototype()) {
+      real_receiver = JSReceiver::cast(current_proto);
       current_proto = current_proto->GetPrototype();
     }
   }
 
   // Set the new prototype of the object.
   Map* map = real_receiver->map();
 
   // Nothing to do if prototype is already set.
   if (map->prototype() == value) return value;
 
@@ skipping 3821 matching lines @@
   if (break_point_objects()->IsUndefined()) return 0;
   // Single break point.
   if (!break_point_objects()->IsFixedArray()) return 1;
   // Multiple break points.
   return FixedArray::cast(break_point_objects())->length();
 }
 #endif
 
 
 } }  // namespace v8::internal