...
Created attachment 371184 Patch
<rdar://problem/51299504>
Comment on attachment 371184 Patch

Why? Won't this lead to us calling getPrototypeOf twice on proxy?
Comment on attachment 371184 Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371184&action=review

Otherwise, as the test described (without this patch, it fails), object[10101010] = xxx; bypasses getPrototype (instead using getPrototypeDirect), which means that this [[Put]] access bypasses JSWindow::getPrototype.

attemptToInterceptPutByIndexOnHoleForPrototype is not a side-effect-free check. If the put is intercepted, this function performs [[Put]].

> Source/JavaScriptCore/runtime/JSObject.cpp:2747
> if (current->type() == ProxyObjectType) {
> + scope.release();
> ProxyObject* proxy = jsCast<ProxyObject*>(current);
> putResult = proxy->putByIndexCommon(exec, thisValue, i, value, shouldThrow);
> return true;

For example, the Proxy case goes into this path, and we actually perform [[Put]] here.
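Review bot: scope.release() before proxy->putByIndexCommon(...) hands the exception check to the caller, which is only safe because nothing runs between that call and `return true`; since this branch performs the full [[Put]] through the proxy (a Proxy's [[Set]] trap runs user code and can throw), every caller of attemptToInterceptPutByIndexOnHoleForPrototype now needs an exception check after a `true` return, and a comment on the function saying that it is not side-effect free and may leave an exception pending would make that contract explicit instead of leaving it implied by the release.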
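To make the behaviour discussed above concrete from the script side (an added example, not code from the bug, the patch or WebKit; `probeIndexedPut` and its handler are names chosen here), the following observes which Proxy traps run when an indexed put on a hole walks up the prototype chain to a Proxy. It also answers the earlier question about getPrototypeOf: by the spec, the engine reaches the Proxy through the ordinary object's own [[GetPrototypeOf]] and then calls the Proxy's [[Set]], so the getPrototypeOf trap is not consulted at all, and when a set trap is present it intercepts the put and the property never lands on the receiver.

```javascript
// Added example, not code from the bug or from WebKit: observe which Proxy
// traps run when an indexed [[Put]] on a hole walks up the prototype chain.
// `probeIndexedPut` and its handler are hypothetical names chosen here.
function probeIndexedPut(index, interceptWithSetTrap) {
  const calls = [];
  const target = {};
  const handler = {
    // Counted so we can see whether [[Set]] consults the proxy's
    // getPrototypeOf trap at all during the put.
    getPrototypeOf(t) {
      calls.push("getPrototypeOf");
      return Reflect.getPrototypeOf(t);
    },
  };
  if (interceptWithSetTrap) {
    // The trap intercepts the put and stores the value on the proxy's
    // target instead of letting OrdinarySet define it on the receiver.
    handler.set = (t, key, value) => {
      calls.push("set:" + String(key));
      return Reflect.set(t, key, value);
    };
  }
  const proxy = new Proxy(target, handler);
  const obj = Object.create(proxy); // proxy is obj's direct prototype
  obj[index] = "xxx";               // indexed put on a hole of obj
  return {
    calls,
    ownOnObj: Object.prototype.hasOwnProperty.call(obj, index),
    ownOnTarget: Object.prototype.hasOwnProperty.call(target, index),
  };
}

// Stand-alone run: with a set trap the put is intercepted and stored on the
// target; without one OrdinarySet defines it on obj. Neither case calls the
// getPrototypeOf trap.
console.log(probeIndexedPut(10101010, true));
console.log(probeIndexedPut(10101010, false));
```

The same probe can be pointed at a Proxy placed further up the chain (for example as the prototype of an Array); the trap sequence is unchanged because each ordinary object on the path only uses its own internal prototype slot before delegating to the Proxy's [[Set]].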
Comment on attachment 371184 Patch Thanks
Comment on attachment 371184 Patch Clearing flags on attachment: 371184 Committed r246040: <https://trac.webkit.org/changeset/246040>
All reviewed patches have been landed. Closing bug.
Committed r246084: <https://trac.webkit.org/changeset/246084>