[Webkit-unassigned] [Bug 257774] New: __proto__ produce oldvalue after Object.prototype.__proto__ changes
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jun 6 20:18:26 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=257774
Bug ID: 257774
Summary: __proto__ produce oldvalue after
Object.prototype.__proto__ changes
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: q602706150 at gmail.com
WebKit git commit:
fa67a26252252fec5d3f124b05398ce812cfdffc
run args:
./jsc --useConcurrentJIT=0 --jitPolicyScale=0.1 test.js
```
function opt(){
return Uint8Array.__proto__
}
noDFG(opt)
function test() {
for(let i=0;i<100;i++)
opt()
Object.defineProperty(Object.prototype, "__proto__", {
"get": function () { return "xxx" }
})
print(opt() == Uint8Array.__proto__)
}
noDFG(test)
test()
```
The test case should print `true`, however it prints `false`. Is this a bug about InlineCache?
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230607/9843e4f2/attachment.htm>
More information about the webkit-unassigned
mailing list