RESOLVED FIXED 205848
Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes 
https://bugs.webkit.org/show_bug.cgi?id=205848
Summary Implementation of the class "extends" clause incorrectly uses __proto__ for s...
Claude Pache
Reported 2020-01-07 00:34:43 PST
Control case: Object.defineProperty(Object.prototype, '__proto__', { configurable: true , set(x) { Reflect.setPrototypeOf(this, x); } }) class A extends Array { } Reflect.getPrototypeOf(A) === Array // true Reflect.getPrototypeOf(A.prototype) === Array.prototype // true "push" in (new A) // true Things become weird as soon as someone is removing Object.prototype.__proto__: delete Object.prototype.__proto__ class B extends Array { } Reflect.getPrototypeOf(B) === Array // false Reflect.getOwnPropertyDescriptor(B, '__proto__').value === Array // true Reflect.getPrototypeOf(B.prototype) === Array.prototype // false "push" in (new B) // false Or, said more clearly: Object.defineProperty(Object.prototype, '__proto__', { configurable: true , set(x) { throw new EvalError("Your code is bitrotten!"); } }) class C extends Array { } // EvalError: Your code is bitrotten!
Attachments
Patch (14.28 KB, patch)
2020-08-24 15:48 PDT, Alexey Shvayka 		keith_miller: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Claude Pache
Comment 1 2020-01-07 00:44:11 PST
Related bug: #157972
Alexey Shvayka
Comment 2 2020-08-24 15:48:50 PDT
Created attachment 407145 [details] Patch
Keith Miller
Comment 3 2020-08-24 16:13:21 PDT
Comment on attachment 407145 [details] Patch r=me.
Alexey Shvayka
Comment 4 2020-08-25 00:45:04 PDT
Committed r266106: <https://trac.webkit.org/changeset/266106>
Radar WebKit Bug Importer
Comment 5 2020-08-25 00:46:18 PDT
<rdar://problem/67723992>
Note You need to log in before you can comment on or make changes to this bug.