Fix the receiver check in the HandleFastApiCall builtin.

src/x64/builtins-x64.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_X64
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
 #include "src/deoptimizer.h"
 #include "src/full-codegen/full-codegen.h"
@@ skipping 2418 matching lines @@
   Register constructor = scratch2;
 
   // If there is no signature, return the holder.
   __ movp(signature, FieldOperand(function_template_info,
                                   FunctionTemplateInfo::kSignatureOffset));
   __ CompareRoot(signature, Heap::kUndefinedValueRootIndex);
   Label receiver_check_passed;
   __ j(equal, &receiver_check_passed, Label::kNear);
 
   // Walk the prototype chain.
+  __ movp(map, FieldOperand(receiver, HeapObject::kMapOffset));
   Label prototype_loop_start;
   __ bind(&prototype_loop_start);
 
-  // End if the receiver is null or if it's a hidden prototype.
-  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
-  __ j(equal, receiver_check_failed, Label::kNear);
-  __ movp(map, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ testq(FieldOperand(map, Map::kBitField3Offset),
-           Immediate(Map::IsHiddenPrototype::kMask));
-  __ j(not_zero, receiver_check_failed, Label::kNear);
-
   // Get the constructor, if any.
   __ GetMapConstructor(constructor, map, kScratchRegister);
   __ CmpInstanceType(kScratchRegister, JS_FUNCTION_TYPE);
   Label next_prototype;
   __ j(not_equal, &next_prototype, Label::kNear);
 
   // Get the constructor's signature.
   Register type = constructor;
   __ movp(type,
           FieldOperand(constructor, JSFunction::kSharedFunctionInfoOffset));
@@ skipping 11 matching lines @@
   // in the chain.
   __ JumpIfSmi(type, &next_prototype, Label::kNear);
   __ CmpObjectType(type, FUNCTION_TEMPLATE_INFO_TYPE, kScratchRegister);
   __ j(not_equal, &next_prototype, Label::kNear);
 
   // Otherwise load the parent function template and iterate.
   __ movp(type,
           FieldOperand(type, FunctionTemplateInfo::kParentTemplateOffset));
   __ jmp(&function_template_loop, Label::kNear);
 
-  // Load the next prototype and iterate.
+  // Load the next prototype.
   __ bind(&next_prototype);
   __ movp(receiver, FieldOperand(map, Map::kPrototypeOffset));
+  // End if the prototype is null or not hidden.
+  __ CompareRoot(receiver, Heap::kNullValueRootIndex);
+  __ j(equal, receiver_check_failed);
+  __ movp(map, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ testq(FieldOperand(map, Map::kBitField3Offset),
+           Immediate(Map::IsHiddenPrototype::kMask));
+  __ j(zero, receiver_check_failed);
+  // Iterate.
   __ jmp(&prototype_loop_start, Label::kNear);
 
   __ bind(&receiver_check_passed);
 }
 
 
 void Builtins::Generate_HandleFastApiCall(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- rax                : number of arguments (not including the receiver)
   //  -- rdi                : callee
@@ skipping 89 matching lines @@
   __ ret(0);
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_X64