[proxies] fix access issue when having proxies on the prototype-chain of global objects.

src/prototype.h

Index: src/prototype.h
diff --git a/src/prototype.h b/src/prototype.h
index 2be43e4fbdc9d0794e8670938f709d77652d0387..ea3495569ee9b6be0364137fe59859f726323edb 100644
--- a/src/prototype.h
+++ b/src/prototype.h
@@ -63,6 +63,17 @@ class PrototypeIterator {
 
   ~PrototypeIterator() {}
 
+  const bool HasAccess() {

[Lei Zhang, 2015/12/23 00:25:17]

BTW, using V8 with PDFium, I get this warning:

../../v8/src/prototype.h:70:3: warning: 'const' type qualifier on return type
has no effect [-Wignored-qualifiers]
  const bool HasAccess() {
  ^~~~~~

+    // We can only perform access check in the handlified version of the
+    // PrototypeIterator.
+    DCHECK(!handle_.is_null());
+    if (handle_->IsAccessCheckNeeded()) {
+      return isolate_->MayAccess(handle(isolate_->context()),
+                                 Handle<JSObject>::cast(handle_));
+    }
+    return true;
+  }
+
   template <typename T = Object>
   T* GetCurrent() const {
     DCHECK(handle_.is_null());
@@ -72,6 +83,7 @@ class PrototypeIterator {
   template <typename T = Object>
   static Handle<T> GetCurrent(const PrototypeIterator& iterator) {
     DCHECK(!iterator.handle_.is_null());
+    DCHECK(iterator.object_ == NULL);
     return Handle<T>::cast(iterator.handle_);
   }
 
@@ -110,6 +122,11 @@ class PrototypeIterator {
   // TODO(neis): This should probably replace Advance().
   bool AdvanceFollowingProxies() {
     DCHECK(!(handle_.is_null() && object_->IsJSProxy()));
+    if (!HasAccess()) {
+      // Abort the lookup if we do not have access to the current object.
+      handle_ = isolate_->factory()->null_value();
+      return true;
+    }
     if (!handle_.is_null() && handle_->IsJSProxy()) {
       did_jump_to_prototype_chain_ = true;
       MaybeHandle<Object> proto =