From ce5e9b02612ed9201a87db4a96b0ca57c9c0bbf6 Mon Sep 17 00:00:00 2001
From: "yangguo@chromium.org"
 <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Thu, 17 Jul 2014 08:35:36 +0000
Subject: [PATCH] Go to slow path when JSON.stringifying the global proxy.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/396993004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/json-stringifier.h | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index 0a453ef..4edc8d8 100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -442,7 +442,8 @@ BasicJsonStringifier::Result BasicJsonStringifier::Serialize_(
         SerializeString(Handle<String>::cast(object));
         return SUCCESS;
       } else if (object->IsJSObject()) {
-        if (object->IsAccessCheckNeeded()) break;
+        // Go to slow path for global proxy and objects requiring access checks.
+        if (object->IsAccessCheckNeeded() || object->IsJSGlobalProxy()) break;
         if (deferred_string_key) SerializeDeferredKey(comma, key);
         return SerializeJSObject(Handle<JSObject>::cast(object));
       }
@@ -630,11 +631,7 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeJSObject(
   HandleScope handle_scope(isolate_);
   Result stack_push = StackPush(object);
   if (stack_push != SUCCESS) return stack_push;
-  if (object->IsJSGlobalProxy()) {
-    object = Handle<JSObject>(
-                 JSObject::cast(object->GetPrototype()), isolate_);
-    ASSERT(object->IsGlobalObject());
-  }
+  ASSERT(!object->IsJSGlobalProxy() && !object->IsGlobalObject());
 
   Append('{');
   bool comma = false;
-- 
2.7.4