Fix the receiver check in the HandleFastApiCall builtin.

src/arm/builtins-arm.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_ARM
 
 #include "src/codegen.h"
 #include "src/debug/debug.h"
 #include "src/deoptimizer.h"
 #include "src/full-codegen/full-codegen.h"
@@ skipping 1288 matching lines @@
   Register constructor = scratch2;
 
   // If there is no signature, return the holder.
   __ ldr(signature, FieldMemOperand(function_template_info,
                                     FunctionTemplateInfo::kSignatureOffset));
   __ CompareRoot(signature, Heap::kUndefinedValueRootIndex);
   Label receiver_check_passed;
   __ b(eq, &receiver_check_passed);
 
   // Walk the prototype chain.
+  __ ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
   Label prototype_loop_start;
   __ bind(&prototype_loop_start);
 
-  // End if the receiver is null or if it's a hidden type.
-  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
-  __ b(eq, receiver_check_failed);
-  __ ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
-  __ ldr(ip, FieldMemOperand(map, Map::kBitField3Offset));
-  __ tst(ip, Operand(Map::IsHiddenPrototype::kMask));
-  __ b(ne, receiver_check_failed);
-
   // Get the constructor, if any.
   __ GetMapConstructor(constructor, map, ip, ip);
   __ cmp(ip, Operand(JS_FUNCTION_TYPE));
   Label next_prototype;
   __ b(ne, &next_prototype);
   Register type = constructor;
   __ ldr(type,
          FieldMemOperand(constructor, JSFunction::kSharedFunctionInfoOffset));
   __ ldr(type, FieldMemOperand(type, SharedFunctionInfo::kFunctionDataOffset));
 
   // Loop through the chain of inheriting function templates.
   Label function_template_loop;
   __ bind(&function_template_loop);
 
   // If the signatures match, we have a compatible receiver.
   __ cmp(signature, type);
   __ b(eq, &receiver_check_passed);
 
   // If the current type is not a FunctionTemplateInfo, load the next prototype
   // in the chain.
   __ JumpIfSmi(type, &next_prototype);
   __ CompareObjectType(type, ip, ip, FUNCTION_TEMPLATE_INFO_TYPE);
 
   // Otherwise load the parent function template and iterate.
   __ ldr(type,
          FieldMemOperand(type, FunctionTemplateInfo::kParentTemplateOffset),
          eq);
   __ b(&function_template_loop, eq);
 
-  // Load the next prototype and iterate.
+  // Load the next prototype.
   __ bind(&next_prototype);
   __ ldr(receiver, FieldMemOperand(map, Map::kPrototypeOffset));
+  // End if the prototype is null or not hidden.
+  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
+  __ b(eq, receiver_check_failed);
+  __ ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
+  __ ldr(ip, FieldMemOperand(map, Map::kBitField3Offset));
+  __ tst(ip, Operand(Map::IsHiddenPrototype::kMask));
+  __ b(eq, receiver_check_failed);
+  // Iterate.
   __ b(&prototype_loop_start);
 
   __ bind(&receiver_check_passed);
 }
 
 
 void Builtins::Generate_HandleFastApiCall(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- r0                 : number of arguments excluding receiver
   //  -- r1                 : callee
@@ skipping 1068 matching lines @@
   }
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_ARM