Bug 257774 - [JSC] __proto__ produces incorrect value after Object.prototype.__proto__ changes
Summary: [JSC] __proto__ produces incorrect value after Object.prototype.__proto__ cha...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-06-06 20:18 PDT by YuHao Hu
Modified: 2023-06-28 12:58 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description YuHao Hu 2023-06-06 20:18:26 PDT 
WebKit git commit:
fa67a26252252fec5d3f124b05398ce812cfdffc

run args:
./jsc --useConcurrentJIT=0 --jitPolicyScale=0.1 test.js

```
function opt(){
   return Uint8Array.__proto__
}
noDFG(opt)

function test() {    
    for(let i=0;i<100;i++)
        opt()
    Object.defineProperty(Object.prototype, "__proto__", {
        "get": function () { return "xxx" }
    })
    print(opt() == Uint8Array.__proto__)
}
noDFG(test)
test()
```

The test case should print `true`, however it prints `false`. Is this a bug about InlineCache?
Comment 1 Radar WebKit Bug Importer 2023-06-08 07:38:48 PDT 
<rdar://problem/110464460>
Comment 2 Alexey Shvayka 2023-06-23 10:46:01 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/15247
Comment 3 EWS 2023-06-28 12:58:56 PDT 
Committed 265594@main (667a7374f1dd): <https://commits.webkit.org/265594@main>

Reviewed commits have been landed. Closing PR #15247 and removing active labels.