Control case: Object.defineProperty(Object.prototype, '__proto__', { configurable: true , set(x) { Reflect.setPrototypeOf(this, x); } }) class A extends Array { } Reflect.getPrototypeOf(A) === Array // true Reflect.getPrototypeOf(A.prototype) === Array.prototype // true "push" in (new A) // true Things become weird as soon as someone is removing Object.prototype.__proto__: delete Object.prototype.__proto__ class B extends Array { } Reflect.getPrototypeOf(B) === Array // false Reflect.getOwnPropertyDescriptor(B, '__proto__').value === Array // true Reflect.getPrototypeOf(B.prototype) === Array.prototype // false "push" in (new B) // false Or, said more clearly: Object.defineProperty(Object.prototype, '__proto__', { configurable: true , set(x) { throw new EvalError("Your code is bitrotten!"); } }) class C extends Array { } // EvalError: Your code is bitrotten!
Related bug: #157972
Created attachment 407145 [details] Patch
Comment on attachment 407145 [details] Patch r=me.
Committed r266106: <https://trac.webkit.org/changeset/266106>
<rdar://problem/67723992>