[proxies] fix access issue when having proxies on the prototype-chain of global objects.

src/crankshaft/ia32/lithium-codegen-ia32.cc

Index: src/crankshaft/ia32/lithium-codegen-ia32.cc
diff --git a/src/crankshaft/ia32/lithium-codegen-ia32.cc b/src/crankshaft/ia32/lithium-codegen-ia32.cc
index 1ede1f22b6bf2e6df6c144f03efab25dee73b2b0..6986d53816cf240ddc37f8352705ec0550034936 100644
--- a/src/crankshaft/ia32/lithium-codegen-ia32.cc
+++ b/src/crankshaft/ia32/lithium-codegen-ia32.cc
@@ -2540,6 +2540,11 @@ void LCodeGen::DoHasInPrototypeChainAndBranch(
   __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
   Label loop;
   __ bind(&loop);
+  // If we find a JSProxy during the prototype chain walk we deopt. It is
+  // important to note that we restart the lookup in the InstanceOfStub as
+  // continuing the iteration on the JSProxy would lead to a potential security
+  // issue by executing the getPrototypeOf trap of a cross-realm proxy-object
+  // without performing the necessary access checks first.

[Camillo Bruni, 2015/12/14 19:59:20]

probably should add this comment to all platforms.

[Toon Verwaest, 2015/12/14 20:06:48]

There's still a silly issue. If you have:
window2.__proto__ = window1
then in window1: window2 instanceof Object -> true

That's an information leak. It's not high-priority, but it's wrong nonetheless.

[Camillo Bruni, 2015/12/15 14:09:26]

fixed that now as well...

   __ CmpInstanceType(object_map, JS_PROXY_TYPE);
   DeoptimizeIf(equal, instr, Deoptimizer::kProxy);
   __ mov(object_prototype, FieldOperand(object_map, Map::kPrototypeOffset));