[builtins] take slow path in IsConcatSpreadable if proxy in prototype

src/builtins.cc

Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index 556082edf330bbd13f5e7a9b1ffea033e68d61e6..3e484e88f71f5a3fedce535382ecbeb222d1182a 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1180,10 +1180,21 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
   return true;
 }
 
+static bool HasProxyInPrototype(Isolate* isolate, JSReceiver* receiver) {
+  DisallowHeapAllocation no_heap;
+  for (PrototypeIterator iter(isolate, receiver, kStartAtReceiver,
+                              PrototypeIterator::END_AT_NON_HIDDEN);

[neis, 2016/07/11 09:25:19]

This must be END_AT_NULL.

[caitp, 2016/07/11 11:12:08]

I have no idea why it's not END_AT_NULL, I could have sworn I didn't add this
parameter o_O. Will fix in the next patch.

+       !iter.IsAtEnd(); iter.AdvanceIgnoringProxies()) {
+    if (iter.GetCurrent<Object>()->IsJSProxy()) return true;
+  }
+  return false;
+}
+
 static Maybe<bool> IsConcatSpreadable(Isolate* isolate, Handle<Object> obj) {
   HandleScope handle_scope(isolate);
   if (!obj->IsJSReceiver()) return Just(false);
-  if (!isolate->IsIsConcatSpreadableLookupChainIntact()) {
+  if (!isolate->IsIsConcatSpreadableLookupChainIntact() ||
+      HasProxyInPrototype(isolate, JSReceiver::cast(*obj))) {

[neis, 2016/07/11 09:25:19]

I think it makes sense to move the proxy check into
IsIsConcatSpreadableLookupChainIntact.

[caitp, 2016/07/11 11:12:08]

Acknowledged, however this would change the prototype of
IsIsConcatSpreadableLookupChainIntact, which might get messy

     // Slow path if @@isConcatSpreadable has been used.
     Handle<Symbol> key(isolate->factory()->is_concat_spreadable_symbol());
     Handle<Object> value;