[runtime] Fix integer indexed property handling

[runtime] Fix integer indexed property handling

This includes 2 fixes:
1) We didn't properly advance the holder when checking whether
Receiver==Holder, so we'd inadvertently block loading the property if
the first property we find is on the typed array.
2) Reflect.get may cause any object on the prototype chain of the holder
to be the receiver; so we need to recheck for this special state for
each object we perform lookup on.

Committed: https://crrev.com/621bdd642cc60f0ff1bd1fbececce7a891bd0fbc
Cr-Commit-Position: refs/heads/master@{#33689}

[Toon Verwaest, 2016-02-02 15:10:56]

Patchset #1 (id:1) has been deleted

[Toon Verwaest, 2016-02-02 15:11:02]

Patchset #1 (id:20001) has been deleted

[Toon Verwaest, 2016-02-02 15:21:15]

verwaest@chromium.org changed reviewers:
+ jkummerow@chromium.org

[Toon Verwaest, 2016-02-02 15:21:16]

ptal

[Jakob Kummerow, 2016-02-02 15:31:45]

LGTM

https://codereview.chromium.org/1651913005/diff/40001/test/mjsunit/regress/re...
File test/mjsunit/regress/regress-integer-indexed-element.js (right):

https://codereview.chromium.org/1651913005/diff/40001/test/mjsunit/regress/re...
test/mjsunit/regress/regress-integer-indexed-element.js:1: // Copyright 2015 the
V8 project authors. All rights reserved.
2015 is so last year

[Toon Verwaest, 2016-02-02 16:33:39]

The CQ bit was checked by verwaest@chromium.org

[Toon Verwaest, 2016-02-02 16:33:40]

The patchset sent to the CQ was uploaded after l-g-t-m from
jkummerow@chromium.org
Link to the patchset: https://codereview.chromium.org/1651913005/#ps80001
(title: " ")

[commit-bot: I haz the power, 2016-02-02 16:36:49]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1651913005/80001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1651913005/80001

[commit-bot: I haz the power, 2016-02-02 17:02:02]

Committed patchset #3 (id:80001)

[commit-bot: I haz the power, 2016-02-02 17:02:29]

Description was changed from

==========
[runtime] Fix integer indexed property handling

This includes 2 fixes:
1) We didn't properly advance the holder when checking whether
Receiver==Holder, so we'd inadvertently block loading the property if
the first property we find is on the typed array.
2) Reflect.get may cause any object on the prototype chain of the holder
to be the receiver; so we need to recheck for this special state for
each object we perform lookup on.
==========

to

==========
[runtime] Fix integer indexed property handling

This includes 2 fixes:
1) We didn't properly advance the holder when checking whether
Receiver==Holder, so we'd inadvertently block loading the property if
the first property we find is on the typed array.
2) Reflect.get may cause any object on the prototype chain of the holder
to be the receiver; so we need to recheck for this special state for
each object we perform lookup on.

Committed: https://crrev.com/621bdd642cc60f0ff1bd1fbececce7a891bd0fbc
Cr-Commit-Position: refs/heads/master@{#33689}
==========

[commit-bot: I haz the power, 2016-02-02 17:02:30]

Patchset 3 (id:??) landed as
https://crrev.com/621bdd642cc60f0ff1bd1fbececce7a891bd0fbc
Cr-Commit-Position: refs/heads/master@{#33689}