Bug 257774

Summary:	[JSC] __proto__ produces incorrect value after Object.prototype.__proto__ changes
Product:	WebKit	Reporter:	GuY <q602706150>
Component:	JavaScriptCore	Assignee:	Alexey Shvayka <ashvayka>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	ashvayka, mark.lam, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Local Build
Hardware:	Unspecified
OS:	Unspecified

GuY

Reported 2023-06-06 20:18:26 PDT

WebKit git commit: fa67a26252252fec5d3f124b05398ce812cfdffc run args: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.1 test.js ``` function opt(){ return Uint8Array.__proto__ } noDFG(opt) function test() { for(let i=0;i<100;i++) opt() Object.defineProperty(Object.prototype, "__proto__", { "get": function () { return "xxx" } }) print(opt() == Uint8Array.__proto__) } noDFG(test) test() ``` The test case should print `true`, however it prints `false`. Is this a bug about InlineCache?

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-06-08 07:38:48 PDT

<rdar://problem/110464460>

Alexey Shvayka

Comment 2 2023-06-23 10:46:01 PDT

Pull request: https://github.com/WebKit/WebKit/pull/15247

EWS

Comment 3 2023-06-28 12:58:56 PDT

Committed 265594@main (667a7374f1dd): <https://commits.webkit.org/265594@main> Reviewed commits have been landed. Closing PR #15247 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.