[runtime] Make sure that LookupIterator::OWN always performs a HIDDEN lookup as well.

src/runtime/runtime-object.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/bootstrapper.h"
 #include "src/debug/debug.h"
 #include "src/isolate-inl.h"
@@ skipping 102 matching lines @@
   return Runtime::GetObjectProperty(isolate, receiver_obj, key_obj);
 }
 
 
 Maybe<bool> Runtime::DeleteObjectProperty(Isolate* isolate,
                                           Handle<JSReceiver> receiver,
                                           Handle<Object> key,
                                           LanguageMode language_mode) {
   bool success = false;
   LookupIterator it = LookupIterator::PropertyOrElement(
-      isolate, receiver, key, &success, LookupIterator::HIDDEN);
+      isolate, receiver, key, &success, LookupIterator::OWN);
   if (!success) return Nothing<bool>();
 
   return JSReceiver::DeleteProperty(&it, language_mode);
 }
 
 // ES6 19.1.3.2
 RUNTIME_FUNCTION(Runtime_ObjectHasOwnProperty) {
   HandleScope scope(isolate);
   Handle<Object> property = args.at<Object>(1);
 
@@ skipping 28 matching lines @@
     }
 
     Map* map = js_obj->map();
     if (!map->has_hidden_prototype() &&
         (key_is_array_index ? !map->has_indexed_interceptor()
                             : !map->has_named_interceptor())) {
       return isolate->heap()->false_value();
     }
 
     // Slow case.
-    LookupIterator::Configuration c = LookupIterator::HIDDEN;
+    LookupIterator::Configuration c = LookupIterator::OWN;
     LookupIterator it = key_is_array_index
                             ? LookupIterator(isolate, js_obj, index, js_obj, c)
                             : LookupIterator(js_obj, key, js_obj, c);
 
     Maybe<bool> maybe = JSReceiver::HasProperty(&it);
     if (maybe.IsNothing()) return isolate->heap()->exception();
     DCHECK(!isolate->has_pending_exception());
     return isolate->heap()->ToBoolean(maybe.FromJust());
 
   } else if (object->IsJSProxy()) {
@@ skipping 110 matching lines @@
   // Go up context chain to the script context.
   Handle<Context> script_context(isolate->context()->script_context(), isolate);
   DCHECK(script_context->IsScriptContext());
   DCHECK(script_context->get(slot)->IsPropertyCell());
 
   // Lookup the named property on the global object.
   Handle<ScopeInfo> scope_info(script_context->scope_info(), isolate);
   Handle<Name> name(scope_info->ContextSlotName(slot), isolate);
   Handle<JSGlobalObject> global_object(script_context->global_object(),
                                        isolate);
-  LookupIterator it(global_object, name, global_object, LookupIterator::HIDDEN);
+  LookupIterator it(global_object, name, global_object, LookupIterator::OWN);
 
   // Switch to fast mode only if there is a data property and it's not on
   // a hidden prototype.
   if (it.state() == LookupIterator::DATA &&
       it.GetHolder<Object>().is_identical_to(global_object)) {
     // Now update the cell in the script context.
     Handle<PropertyCell> cell = it.GetPropertyCell();
     script_context->set(slot, *cell);
   } else {
     // This is not a fast case, so keep this access in a slow mode.
@@ skipping 14 matching lines @@
   // Go up context chain to the script context.
   Handle<Context> script_context(isolate->context()->script_context(), isolate);
   DCHECK(script_context->IsScriptContext());
   DCHECK(script_context->get(slot)->IsPropertyCell());
 
   // Lookup the named property on the global object.
   Handle<ScopeInfo> scope_info(script_context->scope_info(), isolate);
   Handle<Name> name(scope_info->ContextSlotName(slot), isolate);
   Handle<JSGlobalObject> global_object(script_context->global_object(),
                                        isolate);
-  LookupIterator it(global_object, name, global_object, LookupIterator::HIDDEN);
+  LookupIterator it(global_object, name, global_object, LookupIterator::OWN);
 
   // Switch to fast mode only if there is a data property and it's not on
   // a hidden prototype.
   if (it.state() == LookupIterator::DATA &&
       it.GetHolder<Object>().is_identical_to(global_object)) {
     // Now update cell in the script context.
     Handle<PropertyCell> cell = it.GetPropertyCell();
     script_context->set(slot, *cell);
   } else {
     // This is not a fast case, so keep this access in a slow mode.
@@ skipping 760 matching lines @@
 
 
 RUNTIME_FUNCTION(Runtime_CreateDataProperty) {
   HandleScope scope(isolate);
   DCHECK(args.length() == 3);
   CONVERT_ARG_HANDLE_CHECKED(JSReceiver, o, 0);
   CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
   CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
   bool success;
   LookupIterator it = LookupIterator::PropertyOrElement(
-      isolate, o, key, &success, LookupIterator::HIDDEN);
+      isolate, o, key, &success, LookupIterator::OWN);
   if (!success) return isolate->heap()->exception();
   MAYBE_RETURN(
       JSReceiver::CreateDataProperty(&it, value, Object::THROW_ON_ERROR),
       isolate->heap()->exception());
   return *value;
 }
 
 }  // namespace internal
 }  // namespace v8