fpizlo@apple.com authored
Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only
https://bugs.webkit.org/show_bug.cgi?id=101276

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Changed normalizePrototypeChain() to report an invalid prototype chain if any
object is a proxy. This catches cases where our prototype chain checks would
have been insufficient to guard against newly introduced properties,
despecialized properties, or deleted properties in the chain of objects
involved in the access.

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDProtoList):
(JSC::DFG::tryCachePutByID):
(JSC::DFG::tryBuildPutByIdList):
* jit/JITStubs.cpp:
(JSC::JITThunks::tryCachePutByID):
(JSC::JITThunks::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Operations.h:
(JSC):
(JSC::normalizePrototypeChain):

LayoutTests:

This test already covered this case, but only for method_check. Modified it
to also cover the get_by_id case.

* fast/js/toString-and-valueOf-override-expected.txt:
* fast/js/toString-and-valueOf-override.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133546 268f45cc-cd09-0410-ab3c-d52691b4dbfc
64289686
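The hazard the commit fixes, as an added toy model written for this page; it is not JavaScriptCore code and is not part of the commit. A structure-checked inline cache remembers the chain of object shapes from the base object to the object that owns the property (the slot base) and, on a hit, loads straight from that slot. That guard is sound for ordinary objects, whose shape changes whenever an own property is added, deleted or despecialized, but a Proxy sitting in the chain can start answering for the property without any shape change, so the cache keeps serving the stale slot. The `rejectProxies` flag stands in for the commit's change to `normalizePrototypeChain()`: refuse to cache when any object on the path is a proxy. The per-object "structure ids", the `proxies` registry (JavaScript cannot detect a Proxy, so this model tracks the ones it creates), and every helper name are assumptions of the illustration.

```javascript
"use strict";

// Toy model of structure-checked prototype-chain caching (added example, not
// JSC code). A structure id stands in for a JSC Structure; in this model it is
// per object and is replaced only by addOwnProperty(), which plays the role of
// a structure transition. Proxies are decided by their traps, so no structure
// check can guard an access that passes through one.
let nextStructureId = 1;
const structureIds = new WeakMap();
const proxies = new WeakSet(); // assumption: the model registers the proxies it makes

function structureOf(obj) {
  if (!structureIds.has(obj)) structureIds.set(obj, nextStructureId++);
  return structureIds.get(obj);
}

// Adding an own property is a shape change: give the object a fresh structure id.
function addOwnProperty(obj, key, value) {
  obj[key] = value;
  structureIds.set(obj, nextStructureId++);
}

function makeProxy(target, handler) {
  const p = new Proxy(target, handler);
  proxies.add(p);
  return p;
}

// Walk from base to the object owning `key` (the slot base), recording the
// structure of every object on the way. With rejectProxies set (the commit's
// behaviour in this model), a Proxy anywhere on the path makes the chain
// uncacheable and null is returned.
function normalizePrototypeChain(base, key, rejectProxies) {
  const chain = [];
  for (let obj = base; obj !== null; obj = Object.getPrototypeOf(obj)) {
    if (rejectProxies && proxies.has(obj)) return null;
    chain.push({ obj, structure: structureOf(obj) });
    if (Object.prototype.hasOwnProperty.call(obj, key)) return { chain, slotBase: obj };
  }
  return null; // property absent: this toy does not cache misses
}

// One get_by_id cache site for `key`.
function makeGetById(key, rejectProxies) {
  let cached = null;
  const ic = {
    hits: 0,
    get(base) {
      if (cached !== null && cached.chain[0].obj === base &&
          cached.chain.every(({ obj, structure }) => structureOf(obj) === structure)) {
        ic.hits++;
        // Fast path: read the remembered slot directly, skipping every object in
        // between. Exactly this skip is what a Proxy trap subverts.
        return Object.getOwnPropertyDescriptor(cached.slotBase, key).value;
      }
      cached = normalizePrototypeChain(base, key, rejectProxies);
      return base[key]; // slow path: a full, semantically correct lookup
    },
  };
  return ic;
}

// Proxy in the middle of the chain: starts out transparent, then begins
// answering for "answer" with no visible structure change.
function demo(rejectProxies) {
  const slotBase = { answer: 42 };
  const intercepted = new Map();
  const middle = makeProxy(Object.create(slotBase), {
    get(target, k, receiver) {
      return intercepted.has(k) ? intercepted.get(k) : Reflect.get(target, k, receiver);
    },
  });
  const base = Object.create(middle);
  const ic = makeGetById("answer", rejectProxies);

  const first = ic.get(base);              // 42 via the slow path
  const second = ic.get(base);             // 42, a cache hit if caching was allowed
  intercepted.set("answer", "from proxy"); // the proxy now owns the answer
  const afterTrap = ic.get(base);          // stale 42 if the chain was cached
  const truth = base.answer;               // what the language actually returns
  return { first, second, afterTrap, truth, hits: ic.hits };
}

// Ordinary shadowing: the structure check alone is enough here.
function demoShadowing() {
  const base = Object.create({ answer: 42 });
  const ic = makeGetById("answer", true);
  ic.get(base);
  ic.get(base);                            // hit
  addOwnProperty(base, "answer", "own");   // structure transition on the base
  return { value: ic.get(base), hits: ic.hits };
}

console.log("before fix:", demo(false));   // afterTrap: 42, truth: "from proxy"
console.log("after fix: ", demo(true));    // afterTrap: "from proxy", hits: 0
console.log("shadowing: ", demoShadowing()); // value: "own"
```

`demo(false)` is the unsound state: two cache hits, the second of which returns 42 after the proxy has started returning "from proxy" for the same access. `demo(true)` never builds a cache entry for that chain, so every access takes the slow path and agrees with `base.answer`; `demoShadowing()` shows the cost is paid only for proxy chains, since an ordinary shape change is still caught by the structure check.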