Fix keyed element access wrt string wrappers

src/arm/macro-assembler-arm.cc

Index: src/arm/macro-assembler-arm.cc
diff --git a/src/arm/macro-assembler-arm.cc b/src/arm/macro-assembler-arm.cc
index 3d2769d9a84f5cd27f7258810d99cb5c08f27cf8..08d8ec2372119e7df88f5896f6534b3ca21e6b3a 100644
--- a/src/arm/macro-assembler-arm.cc
+++ b/src/arm/macro-assembler-arm.cc
@@ -3791,14 +3791,25 @@ void MacroAssembler::JumpIfDictionaryInPrototypeChain(
   DCHECK(!scratch1.is(scratch0));
   Factory* factory = isolate()->factory();
   Register current = scratch0;
-  Label loop_again;
+  Label loop_again, end;
 
   // scratch contained elements pointer.
   mov(current, object);
+  ldr(current, FieldMemOperand(current, HeapObject::kMapOffset));
+  ldr(current, FieldMemOperand(current, Map::kPrototypeOffset));
+  cmp(current, Operand(factory->null_value()));

[Jakob Kummerow, 2015/07/13 15:00:58]

why not CompareRoot()?

+  b(eq, &end);
 
   // Loop based on the map going up the prototype chain.
   bind(&loop_again);
   ldr(current, FieldMemOperand(current, HeapObject::kMapOffset));
+
+  DCHECK(JS_PROXY_TYPE < JS_OBJECT_TYPE);
+  DCHECK(JS_VALUE_TYPE < JS_OBJECT_TYPE);
+  ldrb(scratch1, FieldMemOperand(current, Map::kInstanceTypeOffset));
+  cmp(r4, Operand(JS_OBJECT_TYPE));

[Jakob Kummerow, 2015/07/13 15:00:58]

s/r4/scratch1/

Why don't tests catch this?

+  b(lt, found);
+
   ldr(scratch1, FieldMemOperand(current, Map::kBitField2Offset));
   DecodeField<Map::ElementsKindBits>(scratch1);
   cmp(scratch1, Operand(DICTIONARY_ELEMENTS));
@@ -3806,6 +3817,8 @@ void MacroAssembler::JumpIfDictionaryInPrototypeChain(
   ldr(current, FieldMemOperand(current, Map::kPrototypeOffset));
   cmp(current, Operand(factory->null_value()));
   b(ne, &loop_again);
+
+  bind(&end);
 }