ChakraCore

Array.prototype.pop doesn't trigger getter in __proto__

Open frto027 opened this issue 3 years ago • 0 comments

This PoC will output different results in the JIT compiler.

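let a = [1, 2, 3];
let proto = [];

// Accessor at index 3 on the prototype: it runs whenever a[3] is read
// while `a` has no own element at that index.
Object.defineProperty(proto, 3, {
  get: function () {
    console.log("woops");
    return 2;
  }
});
a.__proto__ = proto;

// Kept as a separate function so the pop() call site can be jitted.
function oops() {
  a.pop();
}

for (let i = 0; i < 10; i++) {
  a.length = 4; // index 3 becomes a hole on `a`, so pop() has to read it through proto
  oops();
}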

Run with the following command:

Build\VcBuild\bin\x64_debug\ch.exe test.js -bgjit- -mic:5 -off:simplejit

Output:

woops
woops
woops
woops
woops

But if run with the following command:

Build\VcBuild\bin\x64_debug\ch.exe test.js -bgjit- -mic:10 -off:simplejit

the output is:

woops
woops
woops
woops
woops
woops
woops
woops
woops
woops

frto027, Jul 26 '22 14:07
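
A self-checking variant of the PoC above, added here as an example (it is not part of the original issue or of ChakraCore's code): it counts getter invocations instead of printing, and compares the built-in `pop` against a simplified spec-style reference. The names `referencePop`, `runProbe` and `compareWithReference` are hypothetical.

```javascript
// Added example, not code from the issue or from ChakraCore.
// referencePop, runProbe and compareWithReference are hypothetical names.

// Simplified spec-style pop: the element is read with an ordinary [[Get]],
// which walks the prototype chain and therefore runs accessors found there.
function referencePop(arr) {
  const len = arr.length;
  if (len === 0) return undefined;
  const index = len - 1;
  const element = arr[index]; // hole on arr -> lookup continues on the prototype
  delete arr[index];
  arr.length = index;
  return element;
}

// Re-creates the PoC's object graph and counts getter calls instead of printing.
function runProbe(popImpl, iterations) {
  let getterCalls = 0;
  const proto = [];
  Object.defineProperty(proto, 3, {
    get() { getterCalls++; return 2; }
  });
  const a = [1, 2, 3];
  Object.setPrototypeOf(a, proto);

  // Keep the call in its own function, as in the PoC, so it can get hot and be jitted.
  function oops() { return popImpl(a); }

  const returned = [];
  for (let i = 0; i < iterations; i++) {
    a.length = 4; // index 3 is now a hole on `a`
    returned.push(oops());
  }
  return { getterCalls, returned, finalLength: a.length };
}

// Differential check: the built-in must match the reference for the same iteration count.
function compareWithReference(iterations) {
  const builtin = runProbe((arr) => arr.pop(), iterations);
  const reference = runProbe(referencePop, iterations);
  const firstBadReturn = builtin.returned.findIndex((v, i) => v !== reference.returned[i]);
  return {
    ok: builtin.getterCalls === reference.getterCalls && firstBadReturn === -1,
    builtinGetterCalls: builtin.getterCalls,
    expectedGetterCalls: reference.getterCalls,
    firstBadReturn,
  };
}

console.log(JSON.stringify(compareWithReference(10)));
```

A `builtinGetterCalls` value below `expectedGetterCalls` corresponds to the missing `woops` lines in the first run reported above.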