Bug 172572

Summary: JSObject::getPropertySlot does not appear to access the prototype in a safe way
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: benjamin, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, ticaiolima, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 171759    

Saam Barati
Reported 2017-05-24 19:53:06 PDT
It just accesses Structure's storedPrototype, which may not call the method table method. See:

```cpp
// It may seem crazy to inline a function this large but it makes a big difference
// since this is function very hot in variable lookup
ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
    VM& vm = exec->vm();
    auto& structureIDTable = vm.heap.structureIDTable();
    JSObject* object = this;
    while (true) {
        if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
            // If propertyName is an index then we may have missed it (as this loop is using
            // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
            // (lest we return a property from a prototype that is shadowed). Check now for an index,
            // if so we need to start afresh from this object.
            if (std::optional<uint32_t> index = parseIndex(propertyName))
                return getPropertySlot(exec, index.value(), slot);
            // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
            // parsing the int again.
            return object->getNonIndexPropertySlot(exec, propertyName, slot);
        }
        ASSERT(object->type() != ProxyObjectType);
        Structure* structure = structureIDTable.get(object->structureID());
        if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
            return true;
        JSValue prototype = structure->storedPrototype();
        if (!prototype.isObject())
            break;
        object = asObject(prototype);
    }
    if (std::optional<uint32_t> index = parseIndex(propertyName))
        return getPropertySlot(exec, index.value(), slot);
    return false;
}
```
GSkachkov
Comment 1 2017-05-25 10:42:31 PDT
Is this issue connected to this https://bugs.webkit.org/show_bug.cgi?id=171915?