Comment #2 on issue 1756 by mstarzin...@chromium.org: Make
defineObject(array, "length", ...) ES5 conform.
http://code.google.com/p/v8/issues/detail?id=1756
Fixed partially in r10149 and r10236.
Update: The one remaining issue is an illegal optimization in a StoreIC
which omits writability checks for length properties. It can be reproduced
with the following snippet.
var a = [1,2,3];
Object.defineProperty(a, 'length', {value:5, writable:false});
for (var i=1; i<=3; i++) {
var before = a.length;
a.length = i*10;
var after = a.length;
print('i=' + i + ', length=' + before + '->' + after);
}
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
