Bug 257774

Summary: [JSC] __proto__ produces incorrect value after Object.prototype.__proto__ changes
Product: WebKit Reporter: YuHao Hu <q602706150>
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Normal CC: ashvayka, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

Description YuHao Hu 2023-06-06 20:18:26 PDT 
WebKit git commit:
fa67a26252252fec5d3f124b05398ce812cfdffc

run args:
./jsc --useConcurrentJIT=0 --jitPolicyScale=0.1 test.js

```
function opt(){
   return Uint8Array.__proto__
}
noDFG(opt)

function test() {    
    for(let i=0;i<100;i++)
        opt()
    Object.defineProperty(Object.prototype, "__proto__", {
        "get": function () { return "xxx" }
    })
    print(opt() == Uint8Array.__proto__)
}
noDFG(test)
test()
```

The test case should print `true`, however it prints `false`. Is this a bug about InlineCache?
Comment 1 Radar WebKit Bug Importer 2023-06-08 07:38:48 PDT 
<rdar://problem/110464460>
Comment 2 Alexey Shvayka 2023-06-23 10:46:01 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/15247
Comment 3 EWS 2023-06-28 12:58:56 PDT 
Committed 265594@main (667a7374f1dd): <https://commits.webkit.org/265594@main>

Reviewed commits have been landed. Closing PR #15247 and removing active labels.