From bb1b54a776856280598bc5a0aa17ce2256996515 Mon Sep 17 00:00:00 2001
From: verwaest
Date: Wed, 17 Jun 2015 03:20:41 -0700
Subject: [PATCH] Only walk the hidden prototype chain for private nonexistent symbols
BUG=chromium:479528
LOG=n
Review URL: https://codereview.chromium.org/1185373004
Cr-Commit-Position: refs/heads/master@{#29075}
---
 src/ic/handler-compiler.cc | 15 ++++++++++++++-
 test/mjsunit/regress/regress-479528.js | 13 +++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-479528.js
diff --git a/src/ic/handler-compiler.cc b/src/ic/handler-compiler.cc
index 4d9d46acda..04b8fb0c8c 100644
--- a/src/ic/handler-compiler.cc
+++ b/src/ic/handler-compiler.cc
@@ -53,6 +53,16 @@ Handle NamedLoadHandlerCompiler::ComputeLoadNonexistent(
 while (true) {
 if (current_map->is_dictionary_map()) cache_name = name;
 if (current_map->prototype()->IsNull()) break;
+ if (name->IsPrivate()) {
+ // TODO(verwaest): Use nonexistent_private_symbol.
+ cache_name = name;
+ JSReceiver* prototype = JSReceiver::cast(current_map->prototype());
+ if (!prototype->map()->is_hidden_prototype() &&
+ !prototype->map()->IsGlobalObjectMap()) {
+ break;
+ }
+ }
+
 last = handle(JSObject::cast(current_map->prototype()));
 current_map = handle(last->map());
 }
@@ -428,8 +438,11 @@ Handle NamedStoreHandlerCompiler::CompileStoreTransition(
 if (is_nonexistent) {
 // Find the top object.
 Handle last;
+ PrototypeIterator::WhereToEnd end =
+ name->IsPrivate() ? PrototypeIterator::END_AT_NON_HIDDEN
+ : PrototypeIterator::END_AT_NULL;
 PrototypeIterator iter(isolate(), holder());
- while (!iter.IsAtEnd()) {
+ while (!iter.IsAtEnd(end)) {
 last = Handle::cast(PrototypeIterator::GetCurrent(iter));
 iter.Advance();
 }
diff --git a/test/mjsunit/regress/regress-479528.js b/test/mjsunit/regress/regress-479528.js
new file mode 100644
index 0000000000..be0dfaff45
--- /dev/null
+++ b/test/mjsunit/regress/regress-479528.js
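Review bot: In ComputeLoadNonexistent the stop condition for private names is written out by hand (`!prototype->map()->is_hidden_prototype() && !prototype->map()->IsGlobalObjectMap()`), while CompileStoreTransition in the same commit expresses it as `PrototypeIterator::END_AT_NON_HIDDEN`. The definition of END_AT_NON_HIDDEN is not visible in this diff, so it cannot be confirmed here that both paths stop at the same object; if they diverge, the nonexistent-load handler and the store-transition handler would guard different prototype chains for the same private symbol. I would share one predicate between the two sites, or at least add a comment at the `break` such as `// Private names: stop at the first prototype that is neither hidden nor a global object.` so the global-object exception is not left unexplained. The loop's enclosing function starts and ends outside the hunk.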
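Review bot: In CompileStoreTransition, passing `END_AT_NON_HIDDEN` to `iter.IsAtEnd(end)` means the loop can now finish without a single iteration whenever the holder's immediate prototype is an ordinary (non-hidden) object, so `last` stays a default-constructed handle on what is probably the common path for private names; before this change that presumably happened only for a null prototype. The code that consumes `last` lies after the hunk, so it should be confirmed that it tests for an empty handle (e.g. `if (!last.is_null()) ...`) before using it. A one-line comment above the new declaration, such as `// Private names are only searched through hidden prototypes, so stop the walk at the first non-hidden one.`, would also record why the end condition depends on `name`.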
@@ -0,0 +1,13 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var __v_7 = {"__proto__": this};
+__v_9 = %CreatePrivateSymbol("__v_9");
+this[__v_9] = "moo";
+function __f_5() {
+ __v_7[__v_9] = "bow-wow";
+}
+__f_5();
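Review bot: The regression test only performs a store (`__v_7[__v_9] = "bow-wow"` inside `__f_5`) and asserts nothing, so it appears to cover the CompileStoreTransition change but not the private-name branch added to ComputeLoadNonexistent, and it would still pass if the store landed on the wrong object. Consider adding a read of a private symbol that is absent from the receiver, plus checks after the call such as `assertEquals("bow-wow", __v_7[__v_9]);` and `assertEquals("moo", this[__v_9]);`; those expected values assume a private-symbol store creates an own property on `__v_7` rather than writing through to the global object, which should be confirmed. `__f_5` is also called only once; if the IC needs a warm-up call before the compiled handler actually runs, calling it a few more times would exercise the handler and not just its compilation.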