Add some runtime checks to MayNamedAccess

R=svenpanne@chromium.org
BUG=

Review URL: https://codereview.chromium.org/11877027
Patch from Dan Carney <dcarney@google.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13385 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/isolate.cc

@@ -924,7 +924,11 @@ bool Isolate::MayNamedAccess(JSObject* receiver, Object* key,
   if (decision != UNKNOWN) return decision == YES;
 
   // Get named access check callback
-  JSFunction* constructor = JSFunction::cast(receiver->map()->constructor());
+  // TODO(dcarney): revert
+  Map* map = receiver->map();
+  CHECK(map->IsMap());
+  CHECK(map->constructor()->IsJSFunction());
+  JSFunction* constructor = JSFunction::cast(map->constructor());
   if (!constructor->shared()->IsApiFunction()) return false;
 
   Object* data_obj =

src/objects.cc

@@ -627,6 +627,8 @@ MaybeObject* Object::GetProperty(Object* receiver,
         // that even though we may not actually end up loading the named
         // property from the current object, we still check that we have
         // access to it.
+        // TODO(dcarney): revert.
+        CHECK(current->IsJSObject());
         JSObject* checked = JSObject::cast(current);
         if (!heap->isolate()->MayNamedAccess(checked, name, v8::ACCESS_GET)) {
           return checked->GetPropertyWithFailedAccessCheck(receiver,