Make __proto__ a real JavaScript accessor property.

src/v8natives.js

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 43 matching lines @@
     var f = functions[i + 1];
     %FunctionSetName(f, key);
     %FunctionRemovePrototype(f);
     %SetProperty(object, key, f, attributes);
     %SetNativeFlag(f);
   }
   %ToFastProperties(object);
 }
 
 
-// Helper function to install a getter only property.
+// Helper function to install a getter-only accessor property.
 function InstallGetter(object, name, getter) {
   %FunctionSetName(getter, name);
   %FunctionRemovePrototype(getter);
   %DefineOrRedefineAccessorProperty(object, name, getter, null, DONT_ENUM);
   %SetNativeFlag(getter);
 }
 
 
+// Helper function to install a getter/setter accessor property.
+function InstallGetterSetter(object, name, getter, setter) {
+  %FunctionSetName(getter, name);
+  %FunctionSetName(setter, name);
+  %FunctionRemovePrototype(getter);
+  %FunctionRemovePrototype(setter);
+  %DefineOrRedefineAccessorProperty(object, name, getter, setter, DONT_ENUM);
+  %SetNativeFlag(getter);
+  %SetNativeFlag(setter);
+}
+
+
 // Prevents changes to the prototype of a built-in function.
 // The "prototype" property of the function object is made non-configurable,
 // and the prototype object is made non-extensible. The latter prevents
 // changing the __proto__ property.
 function SetUpLockedPrototype(constructor, fields, methods) {
   %CheckIsBootstrapping();
   var prototype = constructor.prototype;
   // Install functions first, because this function is used to initialize
   // PropertyDescriptor itself.
   var property_count = (methods.length >> 1) + (fields ? fields.length : 0);
@@ skipping 304 matching lines @@
 function FromPropertyDescriptor(desc) {
   if (IS_UNDEFINED(desc)) return desc;
 
   if (IsDataDescriptor(desc)) {
     return { value: desc.getValue(),
              writable: desc.isWritable(),
              enumerable: desc.isEnumerable(),
              configurable: desc.isConfigurable() };
   }
   // Must be an AccessorDescriptor then. We never return a generic descriptor.
-  return { get: desc.getGet(),
-           set: desc.getSet(),
+  return { get: desc.getGet() === ObjectGetProto ? ObjectPoisonProto

[rossberg, 2013/04/04 09:58:43]

I don't think there is a need (or the intention) to poison the getter as well,
since you can always get a prototype with Object.getPrototypeOf anyway.

[Michael Starzinger, 2013/04/04 11:52:19]

Done.

+                                                 : desc.getGet(),
+           set: desc.getSet() === ObjectSetProto ? ObjectPoisonProto
+                                                 : desc.getSet(),
            enumerable: desc.isEnumerable(),
            configurable: desc.isConfigurable() };
 }
 
 
 // Harmony Proxies
 function FromGenericPropertyDescriptor(desc) {
   if (IS_UNDEFINED(desc)) return desc;
   var obj = new $Object();
 
@@ skipping 910 matching lines @@
 // Harmony egal.
 function ObjectIs(obj1, obj2) {
   if (obj1 === obj2) {
     return (obj1 !== 0) || (1 / obj1 === 1 / obj2);
   } else {
     return (obj1 !== obj1) && (obj2 !== obj2);
   }
 }
 
 
+// Harmony __proto__ getter.
+function ObjectGetProto() {
+  return %GetPrototype(this);
+}
+
+
+// Harmony __proto__ setter.
+function ObjectSetProto(obj) {
+  return %SetPrototype(this, obj);
+}
+
+
+// Harmony __proto__ poison pill.
+function ObjectPoisonProto() {
+  throw MakeTypeError("proto_poison_pill", []);
+}
+
+
 %SetCode($Object, function(x) {
   if (%_IsConstructCall()) {
     if (x == null) return this;
     return ToObject(x);
   } else {
     if (x == null) return { };
     return ToObject(x);
   }
 });
 
-%SetExpectedNumberOfProperties($Object, 4);
 
 // ----------------------------------------------------------------------------
 // Object
 
 function SetUpObject() {
   %CheckIsBootstrapping();
-  // Set Up non-enumerable functions on the Object.prototype object.
+
+  %FunctionSetName(ObjectPoisonProto, "__proto__");
+  %FunctionRemovePrototype(ObjectPoisonProto);
+  %SetExpectedNumberOfProperties($Object, 4);
+
+  // Set up non-enumerable functions on the Object.prototype object.
   InstallFunctions($Object.prototype, DONT_ENUM, $Array(
     "toString", ObjectToString,
     "toLocaleString", ObjectToLocaleString,
     "valueOf", ObjectValueOf,
     "hasOwnProperty", ObjectHasOwnProperty,
     "isPrototypeOf", ObjectIsPrototypeOf,
     "propertyIsEnumerable", ObjectPropertyIsEnumerable,
     "__defineGetter__", ObjectDefineGetter,
     "__lookupGetter__", ObjectLookupGetter,
     "__defineSetter__", ObjectDefineSetter,
     "__lookupSetter__", ObjectLookupSetter
   ));
+  InstallGetterSetter($Object.prototype, "__proto__",
+                      ObjectGetProto, ObjectSetProto);
+
+  // Set up non-enumerable functions in the Object object.
   InstallFunctions($Object, DONT_ENUM, $Array(
     "keys", ObjectKeys,
     "create", ObjectCreate,
     "defineProperty", ObjectDefineProperty,
     "defineProperties", ObjectDefineProperties,
     "freeze", ObjectFreeze,
     "getPrototypeOf", ObjectGetPrototypeOf,
     "getOwnPropertyDescriptor", ObjectGetOwnPropertyDescriptor,
     "getOwnPropertyNames", ObjectGetOwnPropertyNames,
     "is", ObjectIs,
@@ skipping 382 matching lines @@
 
 function SetUpFunction() {
   %CheckIsBootstrapping();
   InstallFunctions($Function.prototype, DONT_ENUM, $Array(
     "bind", FunctionBind,
     "toString", FunctionToString
   ));
 }
 
 SetUpFunction();