RESOLVED FIXED257774
[JSC] __proto__ produces incorrect value after Object.prototype.__proto__ changes 
https://bugs.webkit.org/show_bug.cgi?id=257774
Summary [JSC] __proto__ produces incorrect value after Object.prototype.__proto__ cha...
GuY
Reported 2023-06-06 20:18:26 PDT
WebKit git commit: fa67a26252252fec5d3f124b05398ce812cfdffc run args: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.1 test.js ``` function opt(){ return Uint8Array.__proto__ } noDFG(opt) function test() { for(let i=0;i<100;i++) opt() Object.defineProperty(Object.prototype, "__proto__", { "get": function () { return "xxx" } }) print(opt() == Uint8Array.__proto__) } noDFG(test) test() ``` The test case should print `true`, however it prints `false`. Is this a bug about InlineCache?
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-06-08 07:38:48 PDT
<rdar://problem/110464460>
Alexey Shvayka
Comment 2 2023-06-23 10:46:01 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15247
EWS
Comment 3 2023-06-28 12:58:56 PDT
Committed 265594@main (667a7374f1dd): <https://commits.webkit.org/265594@main> Reviewed commits have been landed. Closing PR #15247 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.