Bug 66451

Summary: Assigning a value to an existing non-enumerable property of a built-in before accessing it change its [[Enumerable]] attribute to true
Product: WebKit Reporter: John-David Dalton <john.david.dalton>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: UNCONFIRMED ---    
Severity: Normal CC: c.hammer, erikcorry, ngockhanhlam87, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://dl.dropbox.com/u/513327/enum_bug.html
See Also: https://bugs.chromium.org/p/v8/issues/detail?id=1623

Description John-David Dalton 2011-08-17 22:41:44 PDT 
From the es-discuss posts:
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016290.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016293.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016298.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016306.html

Oliver wrote:
> I suspect that this only applies to builtin properties on objects, as I think JSC has a similar issue.
> 
> Speaking for JSC (but i wouldn't be surprised if V8 did something similar) we will delay the creation of the majority of builtin properties until they're actually used, eg. until you actually access Array.prototype.reduce we won't reify the property.  A side effect of this is that when you simply assign to the property we skip reification, and so the property attributes are the same as you would get if you were creating a new property.
> 
> A simple test would be to see if
> Array.prototype.reduce;
> Array.prototype.reduce = ...
>
> Results in the correct behavior.

I have created a test case here:
http://dl.dropbox.com/u/513327/enum_bug.html
Comment 1 John-David Dalton 2011-08-17 23:38:06 PDT 
Related V8 issue:
http://code.google.com/p/v8/issues/detail?id=1623