Make sure that we can't access hidden properties by installing accessors on Object.prototype.

src/objects.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 3249 matching lines @@
   // in the prototype chain.
   if (!obj->HasHiddenPropertiesObject()) {
     // Hidden properties object not found. Allocate a new hidden properties
     // object if requested. Otherwise return the undefined value.
     if (flag == ALLOW_CREATION) {
       Object* hidden_obj;
       { MaybeObject* maybe_obj = heap->AllocateJSObject(
             isolate->context()->global_context()->object_function());
         if (!maybe_obj->ToObject(&hidden_obj)) return maybe_obj;
       }
+      // Don't allow leakage of the hidden object through accessors
+      // on Object.prototype.
+      {
+        MaybeObject* maybe_obj =
+            JSObject::cast(hidden_obj)->SetPrototype(heap->null_value(), false);
+        if (maybe_obj->IsFailure()) return maybe_obj;
+      }
       return obj->SetHiddenPropertiesObject(hidden_obj);
     } else {
       return heap->undefined_value();
     }
   }
   return obj->GetHiddenPropertiesObject();
 }
 
 
 Smi* JSReceiver::GenerateIdentityHash() {
@@ skipping 8738 matching lines @@
   if (break_point_objects()->IsUndefined()) return 0;
   // Single break point.
   if (!break_point_objects()->IsFixedArray()) return 1;
   // Multiple break points.
   return FixedArray::cast(break_point_objects())->length();
 }
 #endif
 
 
 } }  // namespace v8::internal