Consider this (shell; in a browser, replace print with alert) testcase: var iter = [][Symbol.iterator](); var iterProto = Object.getPrototypeOf(iter); var oldNext = iterProto.next; function hackedNext() { var val = oldNext.call(this); if ("value" in val) { val.value++; } return val; } var arr = [1,,3]; Object.defineProperty(arr, 1, { get: function() { iterProto.next = hackedNext; return 2 } }); print([...arr]); This should print "1,2,4", and does in SpiderMonkey and V8. In JSC, at least as tested via Safari and WebKit nightlies, it prints "1,2,3". I believe that this is because isIteratorProtocolFastAndNonObservable() (as called from either operationSpreadGeneric or the slow_path_spread slow path) is true for this array when the spread operation starts. But it starts being false partway through, when the getter for the property at index 1 runs...