<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Regression(r197648): JSObject::setPrototypeWithCycleCheck() allows for cycles but the rest of the code base does not"
href="https://bugs.webkit.org/show_bug.cgi?id=161534#c4">Comment # 4</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Regression(r197648): JSObject::setPrototypeWithCycleCheck() allows for cycles but the rest of the code base does not"
href="https://bugs.webkit.org/show_bug.cgi?id=161534">bug 161534</a>
from <span class="vcard"><a class="email" href="mailto:sbarati@apple.com" title="Saam Barati <sbarati@apple.com>"> <span class="fn">Saam Barati</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=161534#c3">comment #3</a>)
<span class="quote">> (In reply to <a href="show_bug.cgi?id=161534#c2">comment #2</a>)
> > > Yeah, we should teach the rest of the engine that it's OK to have cycles
> > > in the "getPrototypeDirect" chain.
> > > Currently, inside JSC itself, this will never happen. However, I guess we
> > > need to
> > > teach it this w.r.t the HTML spec.
> >
> > That's a pretty big change. Are we sure we need to allow cycles? What's the
> > expected behavior if you find a cycle? Is it specified?
>
> Note that even without my patch, it is fairly trivial to end up with an
> infinite loop since r197648 allows for cycles:
>
> <script>
> var target = {
> __proto__: null
> };
> var proxy = new Proxy(target, {});
> Object.prototype.__proto__ = {
> __proto__: proxy,
> };
>
> var a = {};
> a.test;
> </script>
>
> This seems to infinite loop for me on ToT, no DOM involved.</span >
I believe the bug here is having ProxyObject's structure's prototype field
be Object.prototype. That's wrong.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>