1 files changed, 10 insertions, 1 deletions

diff --git a/Source/JavaScriptCore/runtime/Operations.h b/Source/JavaScriptCore/runtime/Operations.h
index 30ba0b27d..01df7e98c 100644
--- a/Source/JavaScriptCore/runtime/Operations.h
+++ b/Source/JavaScriptCore/runtime/Operations.h
@@ -24,6 +24,7 @@
 
 #include "ExceptionHelpers.h"
 #include "Interpreter.h"
+#include "JSProxy.h"
 #include "JSString.h"
 #include "JSValueInlineMethods.h"
 
@@ -297,19 +298,24 @@ namespace JSC {
         return jsAddSlowCase(callFrame, v1, v2);
     }
 
+#define InvalidPrototypeChain (std::numeric_limits<size_t>::max())
+
     inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, PropertyOffset& slotOffset)
     {
         JSCell* cell = base.asCell();
         size_t count = 0;
 
         while (slotBase != cell) {
+            if (cell->isProxy())
+                return InvalidPrototypeChain;
+            
             JSValue v = cell->structure()->prototypeForLookup(callFrame);
 
             // If we didn't find slotBase in base's prototype chain, then base
             // must be a proxy for another object.
 
             if (v.isNull())
-                return 0;
+                return InvalidPrototypeChain;
 
             cell = v.asCell();
 
@@ -332,6 +338,9 @@ namespace JSC {
     {
         size_t count = 0;
         while (1) {
+            if (base->isProxy())
+                return InvalidPrototypeChain;
+            
             JSValue v = base->structure()->prototypeForLookup(callFrame);
             if (v.isNull())
                 return count;