Status: New
Owner: ----
New issue 2711 by erights: Array.prototype.push apparently no longer honoring frozen
http://code.google.com/p/v8/issues/detail?id=2711
Works fine on Chrome 27. Apparently broken on Chrome 29.0.1529.3 Canary on
MacOSX 10.8.3. See the attached screenshots and visit
http://google-caja.googlecode.com/svn/trunk/src/com/google/caja/ses/explicit.html
The function in question is
function test_PUSH_IGNORES_FROZEN() {
  var x = [1,2];
  Object.freeze(x);
  try {
    // On a frozen array, push must throw and leave x untouched.
    x.push(3);
  } catch (e) {
    if (x.length !== 2) { return 'Unexpected modification of frozen array'; }
    if (x[0] === 1 && x[1] === 2) { return false; }
  }
  // Truthy result means the frozen array was modified.
  return (x.length !== 2 || x[0] !== 1 || x[1] !== 2);
}
However, the reason I write "apparently" is that when I try to reproduce
this standalone I do not see the bug. OTOH, if I set a breakpoint in the
function in repairES5.js above while visiting
http://google-caja.googlecode.com/svn/trunk/src/com/google/caja/ses/explicit.html,
reload, and then single step past the .push in the debugger, I see in the
debugger that x.length has been set to 3. Most puzzling. I have no idea why
it happens here but not standalone.
As you see from the screenshot, this bug causes Caja to classify Chrome 29
Canary as unsafe to run in ES5 mode.
Attachments:
Screen Shot 2013-06-05 at 10.28.35 PM.png 103 KB
Screen Shot 2013-06-05 at 10.28.26 PM.png 128 KB
--
v8-dev mailing list
http://groups.google.com/group/v8-dev
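Added example, not part of the original report and not Caja or V8 code: the report's frozen-array check generalized from push to the other in-place array mutators, requiring a TypeError and an untouched array for each. The names mutators, checkMutator and auditFrozenArrays are made up for this sketch, and the rounds parameter rests on an assumption, since the report does not say what made the failure appear only in the loaded page.

```javascript
// Each entry applies one in-place mutation to the array it is given.
function mutators() {
  'use strict'; // assignments to frozen arrays must throw, not fail silently
  return {
    push:       a => a.push(3),
    pop:        a => a.pop(),
    shift:      a => a.shift(),
    unshift:    a => a.unshift(0),
    splice:     a => a.splice(0, 1),
    reverse:    a => a.reverse(),
    sort:       a => a.sort((x, y) => y - x),
    fill:       a => a.fill(9),
    copyWithin: a => a.copyWithin(0, 1),
    setLength:  a => { a.length = 0; },
    setIndex:   a => { a[0] = 9; },
  };
}

// Run one mutation against a fresh frozen [1, 2] and record what happened.
// ok is true only if a TypeError was thrown AND the array is unchanged.
function checkMutator(name, mutate) {
  const x = Object.freeze([1, 2]);
  let threw = false;
  try { mutate(x); } catch (e) { threw = e instanceof TypeError; }
  const intact = x.length === 2 && x[0] === 1 && x[1] === 2 &&
                 Object.isFrozen(x);
  return { name, threw, intact, ok: threw && intact };
}

// Repeat every check `rounds` times (assumption: repetition lets the check
// also run after the engine has optimized the call site) and return the
// first failing result per mutator. An empty array means freeze was honored.
function auditFrozenArrays(rounds = 1000) {
  const failures = [];
  for (const [name, mutate] of Object.entries(mutators())) {
    for (let i = 0; i < rounds; i++) {
      const r = checkMutator(name, mutate);
      if (!r.ok) { failures.push(r); break; }
    }
  }
  return failures;
}

const failed = auditFrozenArrays();
console.log(failed.length === 0 ? 'frozen arrays honored' : failed);
```

A result with intact set to false is the case the report describes; threw false with intact true means the mutation was dropped silently instead of raising TypeError.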