Bug 1548063 Comment 0 Edit History


```js
x = [];
x.unshift(0, 1);
y = [];
relazifyFunctions();
y[3] = [];
y.__proto__ = x;
for (let i = 0; i < 2; ++i) {
    y.shift();
}
print(y);
```

```bash
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --ion-eager testcase.js
0,
```

```bash
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion testcase.js
1,
```

Tested this on m-c rev 90234f4c094d.

My configure flags are:

```bash
AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
```

```bash
python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r 90234f4c094d
```

I'm setting this as s-s because this is yet another __proto__ issue found after the pwn2own tweaks were made, to be safe.

```js
x = [];
x.unshift(0, 1);
y = [];
relazifyFunctions();
y[3] = [];
y.__proto__ = x;
for (let i = 0; i < 2; ++i) {
    y.shift();
}
print(y);
```

```bash
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --ion-eager testcase.js
0,
```

```bash
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion testcase.js
1,
```

Tested this on m-c rev 90234f4c094d.

My configure flags are:

```bash
AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
```

```bash
python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r 90234f4c094d
```

I'm setting this as s-s because this is yet another `__proto__` issue found after the pwn2own tweaks were made, to be safe.
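The two shell runs above disagree (`0,` with `--ion-eager`, `1,` with `--no-baseline --no-ion`), so a triager's first question is which tier is right. The following is an added reference implementation of the `Array.prototype.shift` algorithm as written in ECMA-262 (Get index 0, then for each k move k to k-1 when `HasProperty(O, k)` holds, otherwise delete k-1, finally delete the last index and shrink `length`), run over the same object shape as the testcase. It is example code written for this page, not code from the bug report or from SpiderMonkey; `relazifyFunctions` is a SpiderMonkey shell-only helper and is omitted because the reference algorithm does not depend on it, and `Object.setPrototypeOf` stands in for the `__proto__` assignment. The point it makes is that `HasProperty` and `Get` walk the prototype chain, so the holes at indices 0 and 1 of `y` resolve to `x[0]` and `x[1]`; following the steps by hand yields `1,`, matching the interpreter-only run, which identifies the Ion output as the incorrect one.

```javascript
// Reference Array.prototype.shift following the ECMA-262 steps on an
// ordinary object: every index access is an ordinary property operation,
// so inherited (prototype-chain) indices are observed exactly as own ones.
function specShift(O) {
  const len = O.length >>> 0;          // ToLength for array-like receivers
  if (len === 0) {
    O.length = 0;
    return undefined;
  }
  const first = O["0"];                // Get(O, "0"): a hole here reads from the prototype
  for (let k = 1; k < len; k++) {
    const from = String(k);
    const to = String(k - 1);
    if (from in O) {                   // HasProperty(O, from), prototype chain included
      O[to] = O[from];                 // Set(O, to, Get(O, from)): always creates an own slot
    } else {
      delete O[to];                    // DeletePropertyOrThrow(O, to): leaves a hole
    }
  }
  delete O[String(len - 1)];           // drop the now-duplicated last index
  O.length = len - 1;
  return first;
}

// Rebuild the reporter's object shape (constructed here from the testcase):
// x = [0, 1]; y = [ <hole>, <hole>, <hole>, [] ] with x as its prototype.
function buildTestcase() {
  const x = [];
  x.unshift(0, 1);
  const y = [];
  y[3] = [];
  Object.setPrototypeOf(y, x);         // same effect as the testcase's y.__proto__ = x
  return y;
}

// Snapshot after each of the two shifts: what shift returned, the new length,
// and which indices are now own properties of y (holes are absent).
function traceShifts() {
  const y = buildTestcase();
  const trace = [];
  for (let i = 0; i < 2; ++i) {
    const returned = specShift(y);
    trace.push({ returned, length: y.length, own: Object.keys(y) });
  }
  return trace;
}

// The value print(y) would show: Array.prototype.toString joins the two
// remaining elements, 1 and an empty array, giving "1,".
function expectedOutput() {
  const y = buildTestcase();
  for (let i = 0; i < 2; ++i) specShift(y);
  return String(y);
}

// Cross-check against the host engine's own shift on the same shape.
function nativeOutput() {
  const y = buildTestcase();
  for (let i = 0; i < 2; ++i) y.shift();
  return String(y);
}

console.log("spec:", expectedOutput(), "native:", nativeOutput());
console.log(JSON.stringify(traceShifts()));
```

Walking the trace: the first shift returns `x[0]` (0), copies the inherited 1 into own index 0, leaves a hole at 1 because `x` has no index 2, and moves the inner array to index 2. The second shift returns the own 1, again copies the inherited `x[1]` into index 0, and moves the inner array to index 1, so the final array is `[1, []]`. Any tier that treats the holes as plain `undefined` instead of consulting the prototype chain produces `0,` instead.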
