Implement immutable prototype chains

src/bootstrapper.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/bootstrapper.h"
 
 #include "src/accessors.h"
 #include "src/api-natives.h"
 #include "src/base/ieee754.h"
 #include "src/code-stubs.h"
@@ skipping 581 matching lines @@
     object_function_map->set_unused_property_fields(unused);
 
     native_context()->set_object_function(*object_fun);
 
     // Allocate a new prototype for the object function.
     object_function_prototype =
         factory->NewJSObject(isolate->object_function(), TENURED);
     Handle<Map> map = Map::Copy(handle(object_function_prototype->map()),
                                 "EmptyObjectPrototype");
     map->set_is_prototype_map(true);
+    // Ban re-setting Object.prototype.__proto__ to prevent Proxy security bug
+    map->set_immutable_proto(true);
     object_function_prototype->set_map(*map);
 
     native_context()->set_initial_object_prototype(*object_function_prototype);
     // For bootstrapping set the array prototype to be the same as the object
     // prototype, otherwise the missing initial_array_prototype will cause
     // assertions during startup.
     native_context()->set_initial_array_prototype(*object_function_prototype);
     Accessors::FunctionSetPrototype(object_fun, object_function_prototype)
         .Assert();
   }
@@ skipping 3331 matching lines @@
 }
 
 
 // Called when the top-level V8 mutex is destroyed.
 void Bootstrapper::FreeThreadResources() {
   DCHECK(!IsActive());
 }
 
 }  // namespace internal
 }  // namespace v8