    Move special __proto__ property to Object.prototype · 4f5c0c0f
    barraclough@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=78409
    
    Reviewed by Oliver Hunt.
    
    Re-implement this as a regular accessor property.  This has three key benefits:
    1) It makes it possible for objects to be given properties named __proto__.
    2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
    3) This largely removes the magic used to implement __proto__, it can just be made a regular accessor property.
    
    Source/JavaScriptCore: 
    
    * parser/Parser.cpp:
    (JSC::::parseFunctionInfo):
        - No need to prohibit functions named __proto__.
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::reset):
        - Add __proto__ accessor to Object.prototype.
    * runtime/JSGlobalObjectFunctions.cpp:
    (JSC::globalFuncProtoGetter):
    (JSC::globalFuncProtoSetter):
        - Definition of the __proto__ accessor functions.
    * runtime/JSGlobalObjectFunctions.h:
        - Declaration of the __proto__ accessor functions.
    * runtime/JSObject.cpp:
    (JSC::JSObject::put):
        - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
    (JSC::JSObject::putDirectAccessor):
        - Track on the structure whether an object contains accessors other than one for __proto__.
    (JSC::JSObject::defineOwnProperty):
        - No need to prohibit definition of own properties named __proto__.
    * runtime/JSObject.h:
    (JSC::JSObject::inlineGetOwnPropertySlot):
        - Remove the special handling for __proto__.
    (JSC::JSValue::get):
        - Remove the special handling for __proto__.
    * runtime/JSString.cpp:
    (JSC::JSString::getOwnPropertySlot):
        - Remove the special handling for __proto__.
    * runtime/JSValue.h:
    (JSValue):
        - Made synthesizePrototype public (this may be needed by the __proto__ getter).
    * runtime/ObjectConstructor.cpp:
    (JSC::objectConstructorGetPrototypeOf):
        - Perform the security check & call prototype() directly.
    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
        - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
    * runtime/Structure.h:
    (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
    (JSC::Structure::setHasGetterSetterProperties):
    (Structure):
        - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
    
    Source/WebCore: 
    
    * bindings/js/JSDOMWindowBase.cpp:
    (WebCore::JSDOMWindowBase::allowsAccessFrom):
    (WebCore):
        - expose allowsAccessFrom check to JSC.
    * bindings/js/JSDOMWindowBase.h:
    (JSDOMWindowBase):
        - expose allowsAccessFrom check to JSC.
    
    LayoutTests: 
    
    * fast/js/Object-getOwnPropertyNames-expected.txt:
    * fast/js/cyclic-prototypes-expected.txt:
    * fast/js/parser-syntax-check-expected.txt:
    * fast/js/preventExtensions-expected.txt:
    * fast/js/prototypes-expected.txt:
        - Update results
    * fast/js/script-tests/Object-getOwnPropertyNames.js:
        - __proto__ is now a property of Object Prototype.
    * fast/js/script-tests/cyclic-prototypes.js:
        - setting an object's prototype to null removes __proto__ setter, future usage won't set prototype.
    * fast/js/script-tests/parser-syntax-check.js:
        - Allow functions named __proto__
    * fast/js/script-tests/preventExtensions.js:
        - Setting __proto__ should not throw.
    * fast/js/script-tests/prototypes.js:
        - Objects may contain own properties named __proto__, add new test cases.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108259 268f45cc-cd09-0410-ab3c-d52691b4dbfc
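
The three benefits listed in the commit message can be observed from script. The following is an added example, not code from this commit or from WebKit; it assumes a current ECMAScript engine (for instance Node.js) rather than the JavaScriptCore revision above, and `protoAccessorDemo`, `hasOwn` and the sample JSON are constructed for illustration.

```javascript
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper: returns its observations so they can be asserted on.
function protoAccessorDemo() {
  const seen = {};

  // Benefit 3: __proto__ is an ordinary, configurable accessor on Object.prototype.
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  seen.isAccessor = typeof desc.get === 'function' && typeof desc.set === 'function';
  seen.configurable = desc.configurable;

  // Benefit 1: an object can hold an own data property named __proto__.
  // Constructed input, shaped like an untrusted JSON body.
  const parsed = JSON.parse('{"__proto__": {"injected": true}}');
  seen.jsonOwnKey = hasOwn(parsed, '__proto__');
  seen.jsonProtoIntact = Object.getPrototypeOf(parsed) === Object.prototype;
  seen.jsonInherited = 'injected' in parsed;

  // cyclic-prototypes.js note: an object whose prototype is null no longer
  // inherits the setter, so assignment creates a plain own property.
  const bare = Object.create(null);
  bare.__proto__ = Array.prototype;
  seen.bareProtoStillNull = Object.getPrototypeOf(bare) === null;
  seen.bareOwnKey = hasOwn(bare, '__proto__');

  // Benefit 2: deleting the accessor stops prototype changes through __proto__.
  const target = {};
  delete Object.prototype.__proto__;
  try {
    target.__proto__ = { injected: true }; // now just a data property
    seen.lockedProtoIntact = Object.getPrototypeOf(target) === Object.prototype;
    seen.lockedOwnKey = hasOwn(target, '__proto__');
    seen.lockedInherited = 'injected' in target;
  } finally {
    // Restore the accessor so the rest of the process is unaffected.
    Object.defineProperty(Object.prototype, '__proto__', desc);
  }
  seen.restored =
    Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get === desc.get;
  return seen;
}

console.log(protoAccessorDemo());
```

Removing the accessor closes only the `__proto__` property route: `Object.setPrototypeOf` and `__proto__: value` inside an object literal still set a prototype.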