Fix the receiver check in the HandleFastApiCall builtin.

src/arm64/builtins-arm64.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_ARM64
 
 #include "src/arm64/frames-arm64.h"
 #include "src/codegen.h"
 #include "src/debug/debug.h"
 #include "src/deoptimizer.h"
@@ skipping 1268 matching lines @@
   Register constructor = scratch2;
 
   // If there is no signature, return the holder.
   __ Ldr(signature, FieldMemOperand(function_template_info,
                                     FunctionTemplateInfo::kSignatureOffset));
   __ CompareRoot(signature, Heap::kUndefinedValueRootIndex);
   Label receiver_check_passed;
   __ B(eq, &receiver_check_passed);
 
   // Walk the prototype chain.
+  __ Ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
   Label prototype_loop_start;
   __ Bind(&prototype_loop_start);
 
-  // End if the receiver is null or if it's a hidden type.
-  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
-  __ B(eq, receiver_check_failed);
-  __ Ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
-  __ Ldr(x16, FieldMemOperand(map, Map::kBitField3Offset));
-  __ Tst(x16, Operand(Map::IsHiddenPrototype::kMask));
-  __ B(ne, receiver_check_failed);
-
   // Get the constructor, if any
   __ GetMapConstructor(constructor, map, x16, x16);
   __ cmp(x16, Operand(JS_FUNCTION_TYPE));
   Label next_prototype;
   __ B(ne, &next_prototype);
   Register type = constructor;
   __ Ldr(type,
          FieldMemOperand(constructor, JSFunction::kSharedFunctionInfoOffset));
   __ Ldr(type, FieldMemOperand(type, SharedFunctionInfo::kFunctionDataOffset));
 
   // Loop through the chain of inheriting function templates.
   Label function_template_loop;
   __ Bind(&function_template_loop);
 
   // If the signatures match, we have a compatible receiver.
   __ Cmp(signature, type);
   __ B(eq, &receiver_check_passed);
 
   // If the current type is not a FunctionTemplateInfo, load the next prototype
   // in the chain.
   __ JumpIfSmi(type, &next_prototype);
   __ CompareObjectType(type, x16, x17, FUNCTION_TEMPLATE_INFO_TYPE);
   __ B(ne, &next_prototype);
 
   // Otherwise load the parent function template and iterate.
   __ Ldr(type,
          FieldMemOperand(type, FunctionTemplateInfo::kParentTemplateOffset));
   __ B(&function_template_loop);
 
-  // Load the next prototype and iterate.
+  // Load the next prototype.
   __ Bind(&next_prototype);
   __ Ldr(receiver, FieldMemOperand(map, Map::kPrototypeOffset));
+  // End if the prototype is null or not hidden.
+  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
+  __ B(eq, receiver_check_failed);
+  __ Ldr(map, FieldMemOperand(receiver, HeapObject::kMapOffset));
+  __ Ldr(x16, FieldMemOperand(map, Map::kBitField3Offset));
+  __ Tst(x16, Operand(Map::IsHiddenPrototype::kMask));
+  __ B(eq, receiver_check_failed);
+  // Iterate.
   __ B(&prototype_loop_start);
 
   __ Bind(&receiver_check_passed);
 }
 
 
 void Builtins::Generate_HandleFastApiCall(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- x0                 : number of arguments excluding receiver
   //  -- x1                 : callee
@@ skipping 1236 matching lines @@
   }
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_ARM