[proxies] fix access issue when having proxies on the prototype-chain of global objects.

src/mips/code-stubs-mips.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_MIPS
 
 #include "src/base/bits.h"
 #include "src/bootstrapper.h"
 #include "src/code-stubs.h"
 #include "src/codegen.h"
@@ skipping 1488 matching lines @@
   __ AssertNotSmi(function_prototype);
 
   // Update the global instanceof cache with the current {object} map and
   // {function}.  The cached answer will be set when it is known below.
   __ StoreRoot(function, Heap::kInstanceofCacheFunctionRootIndex);
   __ StoreRoot(object_map, Heap::kInstanceofCacheMapRootIndex);
 
   // Loop through the prototype chain looking for the {function} prototype.
   // Assume true, and change to false if not found.
   Register const object_instance_type = function_map;
+  Register const map_bit_field = function_map;
   Register const null = scratch;
   Register const result = v0;
-  Label done, loop, proxy_case;
+
+  Label done, loop, fast_runtime_fallback;
   __ LoadRoot(result, Heap::kTrueValueRootIndex);
   __ LoadRoot(null, Heap::kNullValueRootIndex);
   __ bind(&loop);
+
+  // Check if the object needs to be access checked.
+  __ lbu(map_bit_field, FieldMemOperand(object_map, Map::kBitFieldOffset));
+  __ And(map_bit_field, map_bit_field, Operand(1 << Map::kIsAccessCheckNeeded));
+  __ Branch(&fast_runtime_fallback, ne, map_bit_field, Operand(zero_reg));
+  // Check if the current object is a Proxy.
   __ lbu(object_instance_type,
          FieldMemOperand(object_map, Map::kInstanceTypeOffset));
-  __ Branch(&proxy_case, eq, object_instance_type, Operand(JS_PROXY_TYPE));
+  __ Branch(&fast_runtime_fallback, eq, object_instance_type,
+            Operand(JS_PROXY_TYPE));
+
   __ lw(object, FieldMemOperand(object_map, Map::kPrototypeOffset));
   __ Branch(&done, eq, object, Operand(function_prototype));
   __ Branch(USE_DELAY_SLOT, &loop, ne, object, Operand(null));
   __ lw(object_map,
         FieldMemOperand(object, HeapObject::kMapOffset));  // In delay slot.
   __ LoadRoot(result, Heap::kFalseValueRootIndex);
   __ bind(&done);
   __ Ret(USE_DELAY_SLOT);
   __ StoreRoot(result,
                Heap::kInstanceofCacheAnswerRootIndex);  // In delay slot.
 
-  // Proxy-case: Call the %HasInPrototypeChain runtime function.
-  __ bind(&proxy_case);
+  // Found Proxy or access check needed: Call the runtime
+  __ bind(&fast_runtime_fallback);
   __ Push(object, function_prototype);
   // Invalidate the instanceof cache.
   DCHECK(Smi::FromInt(0) == 0);
   __ StoreRoot(zero_reg, Heap::kInstanceofCacheFunctionRootIndex);
   __ TailCallRuntime(Runtime::kHasInPrototypeChain, 2, 1);
 
   // Slow-case: Call the %InstanceOf runtime function.
   __ bind(&slow_case);
   __ Push(object, function);
   __ TailCallRuntime(Runtime::kInstanceOf, 2, 1);
@@ skipping 4027 matching lines @@
                            MemOperand(fp, 6 * kPointerSize), NULL);
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_MIPS