Fix the receiver check in the HandleFastApiCall builtin.

src/ia32/builtins-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_IA32
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
 #include "src/deoptimizer.h"
 #include "src/full-codegen/full-codegen.h"
@@ skipping 2330 matching lines @@
                                     Register scratch0, Register scratch1,
                                     Label* receiver_check_failed) {
   // If there is no signature, return the holder.
   __ CompareRoot(FieldOperand(function_template_info,
                               FunctionTemplateInfo::kSignatureOffset),
                  Heap::kUndefinedValueRootIndex);
   Label receiver_check_passed;
   __ j(equal, &receiver_check_passed, Label::kNear);
 
   // Walk the prototype chain.
+  __ mov(scratch0, FieldOperand(receiver, HeapObject::kMapOffset));
   Label prototype_loop_start;
   __ bind(&prototype_loop_start);
 
-  // End if receiver is null or if it's a hidden prototype.
-  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
-  __ j(equal, receiver_check_failed, Label::kNear);
-  __ mov(scratch0, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ test(FieldOperand(scratch0, Map::kBitField3Offset),
-          Immediate(Map::IsHiddenPrototype::kMask));
-  __ j(not_zero, receiver_check_failed, Label::kNear);
-
   // Get the constructor, if any.
   __ GetMapConstructor(scratch0, scratch0, scratch1);
   __ CmpInstanceType(scratch1, JS_FUNCTION_TYPE);
   Label next_prototype;
   __ j(not_equal, &next_prototype, Label::kNear);
 
   // Get the constructor's signature.
   __ mov(scratch0,
          FieldOperand(scratch0, JSFunction::kSharedFunctionInfoOffset));
   __ mov(scratch0,
@@ skipping 12 matching lines @@
   // in the chain.
   __ JumpIfSmi(scratch0, &next_prototype, Label::kNear);
   __ CmpObjectType(scratch0, FUNCTION_TEMPLATE_INFO_TYPE, scratch1);
   __ j(not_equal, &next_prototype, Label::kNear);
 
   // Otherwise load the parent function template and iterate.
   __ mov(scratch0,
          FieldOperand(scratch0, FunctionTemplateInfo::kParentTemplateOffset));
   __ jmp(&function_template_loop, Label::kNear);
 
-  // Load the next prototype and iterate.
+  // Load the next prototype.
   __ bind(&next_prototype);
   __ mov(receiver, FieldOperand(receiver, HeapObject::kMapOffset));
   __ mov(receiver, FieldOperand(receiver, Map::kPrototypeOffset));
+  // End if the prototype is null or not hidden.
+  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
+  __ j(equal, receiver_check_failed);
+  __ mov(scratch0, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ test(FieldOperand(scratch0, Map::kBitField3Offset),
+          Immediate(Map::IsHiddenPrototype::kMask));
+  __ j(zero, receiver_check_failed);
+  // Iterate.
   __ jmp(&prototype_loop_start, Label::kNear);
 
   __ bind(&receiver_check_passed);
 }
 
 
 void Builtins::Generate_HandleFastApiCall(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- eax                : number of arguments (not including the receiver)
   //  -- edi                : callee
@@ skipping 90 matching lines @@
 
   __ bind(&ok);
   __ ret(0);
 }
 
 #undef __
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_IA32