Ensure JSProxy correctness for PrototypeIterator uses

src/objects.cc

Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index a31600eb6c5d47a753d85358d298f19c9a299978..03d589a68c1563c1c7be550b6a0aa9a7ed2368a2 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11508,7 +11508,8 @@ void JSObject::LazyRegisterPrototypeUser(Handle<Map> user, Isolate* isolate) {
     }
     Handle<Object> maybe_proto = PrototypeIterator::GetCurrent(iter);
     if (maybe_proto->IsJSGlobalProxy()) continue;
-    // Proxies on the prototype chain are not supported.
+    // Proxies on the prototype chain are not supported. They make it
+    // impossible to make any assumptions about the prototype chain anyway.
     if (maybe_proto->IsJSProxy()) return;
     Handle<JSObject> proto = Handle<JSObject>::cast(maybe_proto);
     Handle<PrototypeInfo> proto_info =
@@ -14072,6 +14073,8 @@ Maybe<bool> JSObject::SetPrototypeUnobserved(Handle<JSObject> object,
     // hidden.
     PrototypeIterator iter(isolate, real_receiver);
     while (!iter.IsAtEnd(PrototypeIterator::END_AT_NON_HIDDEN)) {
+      // Casting to JSObject is fine because hidden prototypes are never
+      // JSProxies.
       real_receiver = PrototypeIterator::GetCurrent<JSObject>(iter);
       iter.Advance();
       all_extensible = all_extensible && real_receiver->map()->is_extensible();