Make array __proto__ manipulations not disturb the species protector

src/isolate.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/isolate.h"
 
 #include <stdlib.h>
 
 #include <fstream>  // NOLINT(readability/streams)
 #include <sstream>
@@ skipping 2541 matching lines @@
 
   return cell_reports_intact;
 }
 
 bool Isolate::IsArraySpeciesLookupChainIntact() {
   if (!FLAG_harmony_species) return true;
   // Note: It would be nice to have debug checks to make sure that the
   // species protector is accurate, but this would be hard to do for most of
   // what the protector stands for:
   // - You'd need to traverse the heap to check that no Array instance has
-  //   a constructor property or a modified __proto__
+  //   a constructor property
   // - To check that Array[Symbol.species] == Array, JS code has to execute,
   //   but JS cannot be invoked in callstack overflow situations
   // All that could be checked reliably is that
   // Array.prototype.constructor == Array. Given that limitation, no check is
   // done here. In place, there are mjsunit tests harmony/array-species* which
   // ensure that behavior is correct in various invalid protector cases.
 
   PropertyCell* species_cell = heap()->species_protector();
   return species_cell->value()->IsSmi() &&
          Smi::cast(species_cell->value())->value() == kArrayProtectorValid;
@@ skipping 426 matching lines @@
   // Then check whether this scope intercepts.
   if ((flag & intercept_mask_)) {
     intercepted_flags_ |= flag;
     return true;
   }
   return false;
 }
 
 }  // namespace internal
 }  // namespace v8