Comment #3 on issue 2379 by [email protected]: Assigning to an
out-of-bounds array index when length is non-writable should be rejected
http://code.google.com/p/v8/issues/detail?id=2379
Any plans to take care of this? Without fixing it, it's possible for V8 to
get into a really weird state where array.length !=
Object.getOwnPropertyDescriptor(array, 'length').value:
var array = [1, 2, 3];
Object.defineProperty(array, 'length', {writable: false, value: 2});
array.push(3);
array.length is now 3, but
Object.getOwnPropertyDescriptor(array, 'length').value is still 2.
FWIW, a similar problem exists with other Foreign accessors (e.g.,
Function's "prototype" property). But at least disallowing the push() would
prevent this from being noticeable.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
