Interceptors expect the receiver to always be an JSReceiver.

src/ic/ic.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/ic/ic.h"
 
 #include "src/accessors.h"
 #include "src/api.h"
 #include "src/api-arguments.h"
 #include "src/arguments.h"
@@ skipping 1006 matching lines @@
     TRACE_HANDLER_STATS(isolate(), LoadIC_FunctionPrototypeStub);
     FunctionPrototypeStub function_prototype_stub(isolate());
     return function_prototype_stub.GetCode();
   }
 
   Handle<Map> map = receiver_map();
   Handle<JSObject> holder = lookup->GetHolder<JSObject>();
   bool receiver_is_holder = receiver.is_identical_to(holder);
   switch (lookup->state()) {
     case LookupIterator::INTERCEPTOR: {
+      if (!receiver->IsJSReceiver()) break;

[Toon Verwaest, 2016/05/11 14:19:36]

This shouldn't be necessary given your change below?

       DCHECK(!holder->GetNamedInterceptor()->getter()->IsUndefined());
       TRACE_HANDLER_STATS(isolate(), LoadIC_LoadInterceptor);
       NamedLoadHandlerCompiler compiler(isolate(), map, holder, cache_holder);
       // Perform a lookup behind the interceptor. Copy the LookupIterator since
       // the original iterator will be used to fetch the value.
       LookupIterator it = *lookup;
       it.Next();
       LookupForRead(&it);
       return compiler.CompileLoadInterceptor(&it);
     }
@@ skipping 507 matching lines @@
         break;
       }
 
       DCHECK(lookup->IsCacheableTransition());
       TRACE_HANDLER_STATS(isolate(), StoreIC_StoreTransition);
       NamedStoreHandlerCompiler compiler(isolate(), receiver_map(), holder);
       return compiler.CompileStoreTransition(transition, lookup->name());
     }
 
     case LookupIterator::INTERCEPTOR: {
+      DCHECK(receiver->IsJSReceiver());
       DCHECK(!holder->GetNamedInterceptor()->setter()->IsUndefined());
       TRACE_HANDLER_STATS(isolate(), StoreIC_StoreInterceptorStub);
       StoreInterceptorStub stub(isolate());
       return stub.GetCode();
     }
 
     case LookupIterator::ACCESSOR: {
       if (!holder->HasFastProperties()) {
         TRACE_GENERIC_IC(isolate(), "StoreIC", "accessor on slow map");
         break;
@@ skipping 1044 matching lines @@
  * Attempts to load a property with an interceptor (which must be present),
  * but doesn't search the prototype chain.
  *
  * Returns |Heap::no_interceptor_result_sentinel()| if interceptor doesn't
  * provide any value for the given name.
  */
 RUNTIME_FUNCTION(Runtime_LoadPropertyWithInterceptorOnly) {
   DCHECK(args.length() == NamedLoadHandlerCompiler::kInterceptorArgsLength);
   Handle<Name> name =
       args.at<Name>(NamedLoadHandlerCompiler::kInterceptorArgsNameIndex);
-  Handle<JSObject> receiver =
-      args.at<JSObject>(NamedLoadHandlerCompiler::kInterceptorArgsThisIndex);
+  Handle<Object> receiver =
+      args.at<Object>(NamedLoadHandlerCompiler::kInterceptorArgsThisIndex);
   Handle<JSObject> holder =
       args.at<JSObject>(NamedLoadHandlerCompiler::kInterceptorArgsHolderIndex);
   HandleScope scope(isolate);
 
+  if (!receiver->IsJSReceiver()) {
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+        isolate, receiver, Object::ConvertReceiver(isolate, receiver));
+  }
+
   InterceptorInfo* interceptor = holder->GetNamedInterceptor();
   PropertyCallbackArguments arguments(isolate, interceptor->data(), *receiver,
                                       *holder, Object::DONT_THROW);
 
   v8::GenericNamedPropertyGetterCallback getter =
       v8::ToCData<v8::GenericNamedPropertyGetterCallback>(
           interceptor->getter());
   Handle<Object> result = arguments.Call(getter, name);
 
   RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
 
   if (!result.is_null()) return *result;
   return isolate->heap()->no_interceptor_result_sentinel();
 }
 
 
 /**
  * Loads a property with an interceptor performing post interceptor
  * lookup if interceptor failed.
  */
 RUNTIME_FUNCTION(Runtime_LoadPropertyWithInterceptor) {
   HandleScope scope(isolate);
   DCHECK(args.length() == NamedLoadHandlerCompiler::kInterceptorArgsLength);
   Handle<Name> name =
       args.at<Name>(NamedLoadHandlerCompiler::kInterceptorArgsNameIndex);
-  Handle<JSObject> receiver =
-      args.at<JSObject>(NamedLoadHandlerCompiler::kInterceptorArgsThisIndex);
+  Handle<Object> receiver =
+      args.at<Object>(NamedLoadHandlerCompiler::kInterceptorArgsThisIndex);
   Handle<JSObject> holder =
       args.at<JSObject>(NamedLoadHandlerCompiler::kInterceptorArgsHolderIndex);
 
+  if (!receiver->IsJSReceiver()) {
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+        isolate, receiver, Object::ConvertReceiver(isolate, receiver));
+  }
+
   InterceptorInfo* interceptor = holder->GetNamedInterceptor();
   PropertyCallbackArguments arguments(isolate, interceptor->data(), *receiver,
                                       *holder, Object::DONT_THROW);
 
   v8::GenericNamedPropertyGetterCallback getter =
       v8::ToCData<v8::GenericNamedPropertyGetterCallback>(
           interceptor->getter());
   Handle<Object> result = arguments.Call(getter, name);
 
   RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
@@ skipping 119 matching lines @@
     KeyedLoadICNexus nexus(vector, vector_slot);
     KeyedLoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus);
     ic.UpdateState(receiver, key);
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
   }
 
   return *result;
 }
 }  // namespace internal
 }  // namespace v8