From 62fc0993345ffcef9c64c4e4d51d1b92390f31e0 Mon Sep 17 00:00:00 2001
From: "dcarney@chromium.org"
Date: Tue, 11 Mar 2014 15:12:47 +0000
Subject: [PATCH] fix bad access check check
R=verwaest@chromium.org
BUG=
Review URL: https://codereview.chromium.org/195163002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19804 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 2 +-
 test/mjsunit/regress/regress-crbug-351262.js | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-351262.js
diff --git a/src/objects.cc b/src/objects.cc
index 42ebedf..56e1375 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5912,9 +5912,9 @@ bool JSReceiver::IsSimpleEnum() {
 JSObject* curr = JSObject::cast(o);
 int enum_length = curr->map()->EnumLength();
 if (enum_length == kInvalidEnumCacheSentinel) return false;
+ if (curr->IsAccessCheckNeeded()) return false;
 ASSERT(!curr->HasNamedInterceptor());
 ASSERT(!curr->HasIndexedInterceptor());
- ASSERT(!curr->IsAccessCheckNeeded());
 if (curr->NumberOfEnumElements() > 0) return false;
 if (curr != this && enum_length != 0) return false;
 }
diff --git a/test/mjsunit/regress/regress-crbug-351262.js b/test/mjsunit/regress/regress-crbug-351262.js
new file mode 100644
index 0000000..a2f4ead
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351262.js
@@ -0,0 +1,6 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+for (var x in this) {};
+JSON.stringify(this);
--
2.7.4
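Review bot: The two interceptor `ASSERT`s left below the new `IsAccessCheckNeeded()` bail-out in `JSReceiver::IsSimpleEnum()` are debug-only, just as the replaced assert was, so in a release build an object that violates them would still be accepted on the simple-enum path. Whether an object with a named or indexed interceptor can reach these lines with a valid enum cache is decided by code outside the hunk, so either state that invariant in a comment or make it a runtime check, `if (curr->HasNamedInterceptor() || curr->HasIndexedInterceptor()) return false;`. The new line would also benefit from a one-line reason such as `// Access-checked objects must not take the enum-cache fast path.` The function body starts and ends outside the hunk.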
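Review bot: The new regress-crbug-351262.js has no comment saying what it guards and asserts nothing, so it can only fail by crashing or tripping a debug check. A line above the loop such as `// for-in over the global object followed by JSON.stringify must not hit the simple-enum fast path on an access-checked receiver (crbug.com/351262).` would record the intent. That `this` is access-checked in the test shell is inferred from the objects.cc fix and is not visible in this file. The `;` after the empty `{}` loop body is redundant.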